PSD2 (Payment Services Directive 2) came into force in January 2018 to open the door to open banking. It introduced Strong Customer Authentication and created a level playing field for third-party payment providers. More than seven years on, weaknesses have emerged, such as fragmented implementation across member states, inconsistent API standards and friction caused by Strong Customer Authentication requirements. The European Union reached consensus in November 2025 to fix those weaknesses with an emergent regulation that starts from the PSD2 framework and incorporates recent technological advances in Open Banking and APIs into a more comprehensive framework, PSD3.
While the regulatory proposal covers a wide range of aspects, let's look at the points that are most critical for CFOs and treasury executives to understand and prepare for:
Fraud has become increasingly sophisticated with authorised push payment (APP) fraud, where fraudsters obtain access to the victim's second authentication factor, such as a phone, after tricking them into giving away their first factor, such as an online banking password. The proposed PSD3/PSR framework aims to strengthen consumer protections around this type of fraud. The proposal would shift more liability from the end-user to payment service providers when customers are tricked despite following reasonable security guidance.
As a result, PSPs that do not apply SCA or do not follow mandated fraud-monitoring standards could more often be held liable for resulting losses.
Treasury teams should consider documenting their due diligence on PSP selection and may wish to monitor fraud rates and dispute outcomes as key performance indicators.
The proposed PSD3/PSR framework is intended to improve the open banking infrastructure by setting clearer standards for API performance and removing obstacles (like unnecessary re-authentication) that banks previously used to slow third-party access.
In parallel, the proposed Financial Data Access Regulation is intended to extend data sharing beyond payment accounts to a wider set of financial products like investments, insurance, and pensions.
For corporate treasury, this could mean more reliable access to real-time banking data via APIs, improving automated cash visibility, multi-bank connectivity, and real-time reconciliation using regulated data-aggregation providers. Embat's platform already integrates with bank APIs to help deliver real-time treasury visibility and automated cash-flow forecasting, which can help teams move from spreadsheets to a connected, API-driven operating model.
Non-bank payment institutions and non-bank PSPs such as fintech acquirers, wallets, processors and Electronic Money Institutions (EMIs) are expected to face significantly tougher safeguarding and capital rules under PSD3.
Key elements are expected to include stronger client-fund safeguarding, enhanced capital rules, and alignment with frameworks like DORA on ICT risk.
For corporate treasury, this could have two implications. First, any fintech PSPs and embedded-finance partners could face increased rules and scrutiny or even re-licensing, which could disrupt service or change pricing. Second, the strengthened safeguarding rules are intended to reduce the risk that a PSP failure leaves funds trapped, but they would also mean more due diligence on the client’s part.
The timelines below are based on current proposals and political agreements. Final dates are to be confirmed upon official publication and may be subject to change:
PSD3 and PSR regulation proposals are expected to touch and alter a wide range of areas affecting corporate treasury and finance teams. Our table sets out the current status quo under PSD2, what the proposed PSD3 and PSR requirements change, and what that could mean for your business:
The UK is not bound by PSD3 or the PSR. Since Brexit, the UK has retained its on-shored version of PSD2 and is reviewing these rules independently. However, UK authorities appear to be calibrating domestic reforms with an eye on PSD3 to maintain competitiveness and interoperability.
The UK's National Payments Vision emphasises consumer protection, competition, and transparency, goals that overlap heavily with PSD3. The UK has already introduced measures that align with PSD3 outcomes, such as mandatory Confirmation of Payee and mandatory APP fraud reimbursement.
Finance teams managing operations on both sides of the Channel will need to navigate two legal regimes, but the practical standards appear to be converging. The UK is not expected to copy PSD3 text-for-text, but its reforms on fraud liability, SCA flexibility, and fee transparency seem to be heading in a similar direction.
Identify which group entities are EU-licensed PSPs, EMIs, or heavy users of EU accounts and map them against anticipated PSD3/PSR obligations. Use this to build a risk-based roadmap.
Consider leveraging improving APIs to centralise cash visibility, automate reconciliation, and rationalise bank connections. Embat's real-time bank connectivity, for example, connects to over 15,000 financial institutions globally, which can help treasury teams consolidate cash positions and automate data flows.
Stronger SCA and transaction monitoring are expected to be mandated, but they could also help reduce direct fraud write-offs and dispute handling costs. Consider tracking fraud-loss reduction, chargeback rates, and dispute-handling efficiency as key KPIs.
For groups with non-bank PSPs, consider upgrading governance around safeguarding accounts, eligible assets, reconciliation frequencies, and stress-tested wind-down plans. Embat's ISO 27001-certified security framework and cloud-native architecture can help treasury teams work towards meeting evolving regulatory expectations.
The proposed detailed fee and FX disclosure could make it easier to benchmark banks and PSPs. Consider introducing internal policies requiring business units to justify exceptions from preferred, PSD3-compliant providers.
Consider deploying an AI layer on top of bank and PSP data feeds to continuously scan transactions for anomalies against historical patterns, such as amount, counterparties, timing and IBAN/name mismatches, helping to flag potential fraud before funds leave.
Embat's TellMe AI is designed to learn from your organisation's payment history and flag unusual patterns in real time. It aims to help predict late payments, detect intercompany invoice mismatches, and surface potential fraud signals before transactions settle.
The shift from PSD2 to PSD3 represents a fundamental tightening and modernisation of Europe's payments infrastructure. Stricter fraud controls, mandatory name-checking, transparent fees, and reliable open banking APIs are expected to become the new baseline. For CFOs and treasury leaders, this evolution could be an invitation to move beyond compliance and use regulation as a catalyst for operational excellence.
Embat was built for this moment. We work with licensed banking and FinTech partners that power our platform to connect your banks, ERPs, and payment systems in real time. We help automate reconciliation and accounting with AI, and are designed to deliver the transparency and control that a PSD3-ready treasury may require.
Whether you are managing multi-bank liquidity across EU and UK markets, navigating new fraud-liability rules, or preparing for regulatory inspections, Embat aims to provide the infrastructure and intelligence to help you stay ahead.
The future of treasury is connected, intelligent, and resilient. Are you ready to see Embat in action? Book a demo now to see how we can assist your treasury workflows.
