Definition
DSP3 (Payment Services Directive 3, or PSD3) is the successor to DSP2. The Commission proposed it in June 2023 together with a regulation, the PSR (Payment Services Regulation).
It aims to fix DSP2's blind spots — growing fraud, insufficient API quality, fragmentation across Member States — with application estimated for 2026-2027.
DSP2 vs DSP3 + PSR: what changes
- DSP2 — a directive on its own, transposed into national law with room for interpretation.
- DSP3 + PSR — a directive (DSP3) and a regulation (PSR). Since a regulation applies directly without transposition, it reduces fragmentation.
In practice, most of the operational rules (consent, APIs, SCA, fraud) move into the PSR, while DSP3 keeps the prudential framework (statuses, licences, supervision).
The major contributions
- Strengthened anti-fraud: widespread VoP on credit transfers, fraud information sharing between PSPs, an extended right to reimbursement for APP scams.
- API quality: obligations on performance, availability (> 99%), 24/7 service and capped response times, with explicit penalties.
- CBPII overhaul: integration into an extended AIS framework and simplification of the status.
- Removal of the mandatory fallback: the PSD API becomes the single channel, ending the obligation to maintain a backup channel such as screen-scraping.
- Merger of the payment institution (EP) and electronic money institution (EME) statuses into a single unified status.
- Framing of the liability shift: a better allocation of responsibilities between the bank, the PISP and the merchant.
What DSP3 does not do
- It does not extend the scope to non-payment accounts (savings, credit, insurance): that is FIDA.
- It governs neither crypto (MiCA) nor IT resilience (DORA).
- It is not yet in force: DSP2 still applies, and fintechs have 2 to 3 years to prepare.
Indicative timeline
- June 2023 — Commission proposal.
- 2024 — Parliament / Council work and first positions.
- 2025 — trilogue, hoped-for political agreement.
- 2026 — formal adoption.
- 2027-2028 — effective application.
This timeline may slip, as often happens with this type of text.
In the PSD2 ecosystem (which becomes PSD3)
DSP3 does not abruptly replace DSP2: it extends and tightens it, incorporating 6 to 8 years of lessons learned. It is also an industrial opportunity: getting ahead now (anti-fraud, VoP, API quality) provides a head start on compliance.
Concrete examples
- APP scams: a customer pushed by a fake advisor into transferring €8,000 rarely gets a refund today. With the PSR, the bank will have to reimburse more broadly if it has not put the right safeguards in place, starting with VoP.
- Merchants: the widespread rollout of VoP (already mandatory for SCT Inst since October 2025) forces every site collecting IBANs to handle name/IBAN matching in its UX.
- Aggregators: screen-scraping as a fallback is likely to disappear; players still relying on it will have to migrate 100% to the official APIs.
- Statuses: the EP + EME merger (payment institution and electronic money institution) will simplify the formalities for a fintech offering both payments and fund storage.
- Monitoring: follow the EBA's reports, the EU Council's positions and the ACPR's publications to set your compliance roadmap.