PSD3 and PSR: What Payment Institutions and EMIs Should Prepare For
PSD3 and PSR will reshape how payment institutions and EMIs approach authorisation, safeguarding, fraud prevention, customer journeys and regulatory governance.

TLDR: PSD3 and PSR
- PSD3 and PSR are the next major EU payments reform package, with important implications for payment institutions and electronic money institutions.
- PSD3 is expected to focus on the institution itself, including authorisation, supervision, prudential requirements, governance and reauthorisation.
- PSR is expected to focus on payment rules and customer protection, including transparency, open banking, strong customer authentication, fraud prevention and verification of payee.
- For Malta-authorised PIs and EMIs, the key issue is readiness. Firms should assess whether their current licence file, product classification, safeguarding model, governance and controls still match the business they operate today.
- EMIs should review whether products are correctly classified as e-money, payment services or payment accounts, especially where wallets, cards, IBANs, merchant flows or platform balances are involved.
- Fraud prevention, verification of payee and customer journeys are likely to become more important, affecting payment screens, warnings, monitoring, complaints and liability processes.
- Safeguarding and winding-up planning should be reviewed early, especially where customer funds, reconciliation processes, safeguarding accounts and operational dependencies are complex.
- The practical next step is a documented PSD2-to-PSD3 gap analysis, followed by a Board-owned implementation plan and monitoring of MFSA and EBA developments.
PSD3 and PSR are the next EU payments reset and a business-model test PSD3 and the new Payment Services Regulation are often described as the next version of PSD2. For payment institutions and electronic money institutions, they are more than that.
The more important question is whether a firm’s licence, product classification, safeguarding model, fraud controls and operating arrangements still match the business it actually conducts today.
That is where many PIs and EMIs may feel the impact most sharply.
The EU reform package is expected to replace PSD2 and repeal the Second Electronic Money Directive. The future framework is expected to be split between:
- PSD3, dealing mainly with authorisation, supervision, prudential requirements and the institutional framework; and
- PSR, a directly applicable regulation covering conduct of business, transparency, rights and obligations, open banking, strong customer authentication and fraud-related rules.

PSD3 and PSR should also be viewed as part of the EU’s wider digital finance architecture. Together with eIDAS 2.0, DORA, the Data Act and the proposed FiDA framework, the direction of travel is clear: more trusted digital identity, more structured data access, stronger operational resilience and more harmonised cross-border financial services.
For PIs and EMIs, the opportunity is not only to comply with a new rulebook, but to design products around trust, portability and interoperability.
The final PSD3/PSR regime is not yet applicable. MFSA notes that the final text of the proposals is expected to be published in the EU Official Journal towards the end of 2026. However, Malta-authorised PIs and EMIs should not wait. MFSA has already set out minimum PSD3 preparedness expectations, and the approach resembles the pre-DORA preparatory phase: the framework is still evolving, but firms are expected to educate stakeholders, assess gaps and build a roadmap early.
EMIs will move closer to the PI framework
One of the most important structural changes is the expected integration of EMIs into the broader payment institution framework. E-money will not disappear, but EMIs are expected to become a sub-category of payment institutions, with the Second Electronic Money Directive repealed.
MFSA’s Dear CEO letter establishes that PSD3 is expected to integrate the e-money framework into the payments services framework, and repeal the Second Electronic Money Directive. It also notes that issuing electronic money will become a payment service under Annex I of PSD3.
This matters because many EMI models are already payment-service heavy. Wallets, cards, IBANs, merchant settlement, platform balances and embedded finance products often combine e-money features with ordinary payment services.
The incremental PSD3 point is not that e-money classification becomes irrelevant. It is the opposite: EMIs should use the transition to test whether each product flow genuinely involves issuance of electronic money or whether it is better characterised as a payment service.
A wallet balance, prepaid card or platform account should not automatically be described as e-money. The analysis should identify the separate monetary asset, the customer’s claim on the issuer, user consent, redemption rights and third-party acceptance.
This is particularly important following recent EU interpretation on the boundary between e-money issuance and payment services, including the CJEU’s Lithuanian ABC Projektai judgment and EBA Q&A 2022_6336. Those developments do not rewrite the e-money definition, but they sharpen the need to evidence why a balance or payment flow is genuinely e-money rather than a payment account or payment-service flow.
Existing licences will need to be revisited
PSD3 is expected to include transitional arrangements for existing PIs and EMIs. Existing authorisations should not simply fall away overnight. However, firms should expect to demonstrate that they meet the new framework within the relevant transition period.
That makes old authorisation files important again.
Many institutions were licensed under business plans, outsourcing models, safeguarding arrangements and governance structures that have since evolved. A firm originally authorised for a narrow product may now be running cards, virtual IBANs, merchant flows, platform accounts, agents, distributors or cross-border services.
The practical question is simple: if the regulator reviewed the licence file today, would it still accurately describe the business?
For Malta-authorised PIs and EMIs, this is now an explicit supervisory issue. MFSA highlights that the EBA is expected to develop an RTS on authorisation and registration within 12 months from PSD3 publication in the EU Official Journal, and that authorised persons must obtain the necessary reauthorisation from MFSA within 27 months from publication in order to continue providing services.
This makes PSD3 readiness a live authorisation and governance issue, not a future legal housekeeping exercise.
The eight MFSA expectations may appear straightforward: Board awareness, alignment work, monitoring of EBA RTS, gap analysis, implementation planning and engagement with advisers where appropriate. The challenge is that each of these actions must be supported by evidence. A gap analysis that merely lists legislative changes will not be enough. Firms will need to show how PSD3 affects their own licence perimeter, safeguarding model, governance arrangements, DORA alignment, winding-up planning and operational dependencies.
Fraud prevention and liability will be strengthened
Fraud prevention is one of the clearest incremental themes in the PSD3/PSR package.
Fraud monitoring already exists under the current regime, but the reforms are expected to go further. The political direction is towards stronger cooperation between PSPs, better customer protection, verification controls, fraud-related information sharing and liability consequences where PSPs fail to apply required preventive measures.
For PIs and EMIs, the practical implication is that fraud can no longer sit only inside operations or transaction monitoring. It needs to be governed across the full customer and payment lifecycle:
- onboarding;
- customer warnings and communications;
- payment screening;
- transaction monitoring;
- fraud alerts;
- complaints and disputes;
- reimbursement decisions;
- outsourcing oversight; and
- Board reporting.
The incremental point is not that firms need a fraud policy. They already do. The incremental point is that PSD3/PSR will make fraud prevention more operationally specific, more customer-facing and more directly linked to liability outcomes.
IBAN / name verification will affect customer journeys
Verification of payee mechanisms are expected to become a major operational change. In practice, this means checking whether the payee name matches the IBAN or account identifier before a payment is executed.
The objective is to reduce misdirected payments and authorised push payment fraud.
For PIs and EMIs, this is not just a compliance issue. It affects payment screens, customer warnings, execution flows, exception handling, complaints and liability analysis.
Firms should already be asking whether their systems, processors, banking partners and customer interfaces can support verification of payee functionality. They should also assess what happens when there is no match, a partial match or conflicting customer instructions.
Transparency and customer information will become more detailed
Transparency obligations already exist under PSD2. PSD3/PSR will not introduce the concept of customer information requirements from scratch.
The incremental point is that the new framework is expected to make certain transparency obligations more specific and more harmonised, particularly around fees, currency conversion, ATM withdrawals, payment charges and how payment information appears to customers.
For PIs and EMIs, this may affect customer terms, pricing pages, payment screens, transaction confirmations, statements, merchant descriptors and complaints handling.
This is a practical product and UX issue, not only a legal disclosure issue. Firms should check whether customers can clearly understand what they are paying, who they are paying, which entity provides the service, and what charges or exchange rates apply.
Open banking will be strengthened, not introduced
PSD2 created the legal basis for account information and payment initiation services. PSD3 and PSR should therefore not be described as introducing open banking.
The incremental change is that open banking is expected to become more structured, more harmonised and less dependent on inconsistent national or bank-level implementation.
The reforms are expected to improve access to payment account data, reduce obstacles, strengthen API expectations and introduce clearer user control tools, including permission dashboards.
For account servicing PSPs, open banking interfaces should be treated as regulated infrastructure. API availability, performance, consent management, contingency arrangements and access controls will need to be robust and monitored.
For AISPs and PISPs, the reforms may improve access and reduce friction. But they will also increase expectations around consent, data protection, operational resilience, complaints handling and third-party dependencies.
The commercial opportunity is that stronger open banking infrastructure may reduce integration friction and support more scalable account-to-account payment, data-driven financial management and embedded finance models. For non-bank PSPs, improved access rights may also reduce dependency on a small number of banking partners or sponsors, although the practical effect will depend on final implementation and market behaviour.
Strong customer authentication will be refined, with eIDAS 2.0 becoming relevant
Strong customer authentication is already a core PSD2 requirement. PSD3 and PSR are expected to refine the SCA framework rather than replace it.
The incremental focus is likely to be on clearer SCA application, exemptions, transaction risk analysis, accessibility and customer inclusion. One important direction of travel is that customers should not be excluded simply because they do not rely on a smartphone.
This is where eIDAS 2.0 and the European Digital Identity Wallet become relevant. eIDAS is not a payment services regime and should not be presented as replacing PSD3, PSR, AML/CFT or SCA requirements. However, trusted digital identity tools may increasingly support digital onboarding, customer authentication, consent management, electronic signatures, corporate verification and fraud prevention.
For PIs and EMIs, the practical point is that payment regulation and digital identity are moving in the same direction: stronger customer control, more reliable authentication, better fraud prevention and more harmonised cross-border digital trust.
Firms that rely heavily on app-based authentication, remote onboarding, electronic mandates or cross-border customer journeys should monitor eIDAS 2.0 developments as part of their wider PSD3/PSR readiness work.
Safeguarding remains existing law, but PSD3 will test the detail
Safeguarding is already one of the most important obligations for PIs and EMIs. PSD3 will not introduce safeguarding as a new concept.
The incremental issue is that PSD3 is expected to make certain safeguarding requirements more specific, and MFSA has already highlighted safeguarding as part of its PSD3 preparedness expectations.
For Malta-authorised PIs and EMIs, this means reviewing whether safeguarding arrangements clearly address:
- when safeguarding applies;
- what amount must be safeguarded;
- how the payment service user’s claim is calculated;
- how safeguarding applies in acquiring, card scheme and intermediary PSP flows;
- how users are informed about safeguarding and the insolvency position;
- whether concentration risk exists in safeguarding accounts or counterparties;
- how safeguarding records reconcile to customer liabilities; and
- how safeguarded funds would be returned in a disorderly wind-up.
MFSA also highlights that PSD3 requirements on security incidents and business continuity are being updated to take account of DORA, including ICT-related incident notification, ICT business continuity plans, ICT response and recovery plans, and regular testing and review of those arrangements.
This is particularly important for hybrid EMI models. If a firm cannot clearly explain what type of funds it holds, why it holds them, where they are safeguarded and how they are reconciled, it will struggle under the new framework.
Winding-up planning becomes part of PSD3 readiness
One of the clearest new requirements highlighted by MFSA is the need for a proportionate winding-up plan.
This should not be confused with a generic business continuity plan. A winding-up plan should explain how the institution would manage failure in an orderly way, including how safeguarded funds would be identified, reconciled and returned to payment service users.
MFSA describes this as a new requirement compared with PSD2, requiring payment institutions to prepare a proportionate winding-up plan, including arrangements for the return of safeguarded funds in the event of failure.
For PIs and EMIs, this will require coordination between compliance, finance, operations, safeguarding banks, legal, risk, outsourcing providers and the Board. It is also likely to expose weaknesses in product classification, safeguarding records, reconciliation processes and customer communications.
Outsourcing and operational dependency should be reviewed alongside PSD3/PSR
Outsourcing control is already required under the current regime, and ICT third-party risk is now more directly addressed under DORA. PSD3/PSR should not be presented as creating outsourcing governance from scratch.
The PSD3/PSR relevance is practical: many of the new or enhanced requirements will depend on third parties, including processors, card programme managers, banking partners, open banking providers, fraud vendors, core platforms and cloud providers.
Firms should therefore review whether third-party arrangements can support the new expectations around fraud controls, verification of payee, open banking interfaces, SCA, incident handling, customer communications, safeguarding data and regulatory reporting.
Outsourcing can support scale. It cannot outsource regulatory responsibility.
Governance and substance expectations will be reinforced
PSD3/PSR will not introduce governance, Board responsibility or effective control as new concepts. These are already part of the current PSD2 framework, the Maltese Financial Institutions Act and MFSA expectations for PIs and EMIs.
The change is one of regulatory focus and scope. MFSA’s Dear CEO letter makes this explicit: Boards, senior management and key function holders are expected to understand PSD3 requirements, assess the implications for their respective areas of responsibility, and take appropriate measures to ensure preparedness for compliance.
For Malta-based PIs and EMIs, PSD3 readiness should therefore include Board awareness, documented PSD2-to-PSD3 gap analysis, a Board-approved implementation plan, monitoring of EBA technical standards and guidelines, review of governance, safeguarding and DORA-related arrangements, engagement with auditors or consultants where appropriate, and preparation for MFSA reauthorisation.
This is not a legal or compliance exercise alone. It is a reauthorisation, governance and operating-model issue.

What PIs and EMIs should do now
For Malta-authorised PIs and EMIs, PSD3 readiness should now move from horizon scanning to structured implementation planning.
A practical readiness review should focus on five priorities.
First, brief the Board and senior management.
MFSA expects the Board, senior management and key function holders to understand the implications of PSD3 and their responsibilities in preparing for compliance.
Second, perform a documented PSD2-to-PSD3 gap analysis.
This should cover not only legal changes, but also the firm’s licence perimeter, product classification, safeguarding model, governance, DORA alignment, winding-up planning and operational dependencies.
Third, review the existing authorisation file against the current business model.
Firms should assess whether their current products, payment services, e-money flows, agents, distributors, outsourcing arrangements and cross-border activities still match the licence file submitted to MFSA.
Fourth, prepare a Board-approved PSD3 implementation plan.
The plan should allocate owners, timelines and evidence requirements, and should be communicated across the business.
Fifth, monitor EBA technical standards and prepare for MFSA reauthorisation.
MFSA notes that the EBA is expected to develop an authorisation and registration RTS within 12 months from PSD3 publication in the EU Official Journal, and that authorised persons must obtain the necessary reauthorisation from MFSA within 27 months from publication in order to continue providing services.
MFSA specifically states that, given the limited timeline between publication of the RTS and the reauthorisation deadline, authorised persons should commence compliance assurance as soon as possible and be able to demonstrate compliance clearly and comprehensively when MFSA assesses reauthorisation.
Conclusion
PSD3 and PSR are not just a regulatory update. They are a strategic reset for EU payments and part of Europe’s wider digital finance architecture.
Some obligations discussed in the PSD3/PSR context already exist under PSD2, EMD2, MFSA rules, AML/CFT requirements or DORA. The real impact of PSD3/PSR is that these obligations will become more harmonised, more operationally specific and more closely connected to customer protection, fraud liability, open banking access, safeguarding, winding-up planning and licence transition.
For Malta-authorised PIs and EMIs, the message is now clearer: PSD3 readiness is not simply a future EU reform topic. MFSA has framed it as a present supervisory preparedness expectation.
The comparison with the pre-DORA preparatory phase is useful. Firms should not wait for every final technical detail before mobilising. Those that start with a structured gap analysis, Board-owned roadmap and evidence-based implementation plan will be better placed when the detailed standards and reauthorisation process arrive.
The firms best placed for transition will be those that start early, review their model honestly and use the new framework to clean up legacy assumptions. The opportunity is not only regulatory readiness, but better product architecture: clearer permissions, stronger trust, more reliable data flows and more scalable cross-border services.
The key question for every PI and EMI is therefore straightforward:
If MFSA reviewed our business today, would our permissions, controls and documentation still stand up?