On 27 November 2025, EU legislators reached a provisional political agreement on the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR). The agreement, confirmed by both the European Parliament and the Council of the European Union, represents the most significant overhaul of EU payment rules since PSD2 was adopted in 2015.
What makes this deal genuinely breaking and trend-setting is not simply that it updates payment rules. It redefines who carries responsibility for payment fraud across the digital ecosystem. For the first time, liability is no longer framed as a problem to be absorbed almost exclusively by banks and payment service providers (PSPs). Instead, the agreement explicitly reaches into online platforms, marketplaces, and digital advertising environments that enable fraud to occur. In practical terms, PSD3 and PSR signal a decisive policy shift: fraud is now treated as an ecosystem failure, not a banking failure.
What Was Agreed: PSD3 and PSR in Brief
The agreement covers two separate but tightly linked legal instruments:
- PSD3, a directive, which will replace PSD2 and must be transposed into national law by EU Member States.
- PSR, a regulation, which will apply directly across the EU without national transposition.
This dual structure is intentional. PSD3 governs institutional access, authorisation, and supervision. PSR sets uniform, directly enforceable rules on fraud protection, transparency, and payment execution.
Although the agreement is still described as “provisional”, this is the final political alignment between the Parliament and the Council. At this stage, the direction of travel is locked. Subsequent steps are procedural, not conceptual.
The Biggest Change: Conditional Platform Liability for Fraud Enablement
The most disruptive element of the deal is the introduction of conditional liability for online platforms.
Under the agreed framework, banks and PSPs that reimburse victims of fraud will be able to seek compensation from online platforms where fraud was facilitated through content hosted or distributed by those platforms, but only if specific conditions are met.
Those conditions are critical:
- Fraud must be linked to fraudulent content, such as scam advertisements or impersonation material.
- The platform must have been notified of the fraudulent content.
- The platform must have failed to remove or act on that content.
This is not blanket platform liability. It is a failure-to-act liability model. However, it is still unprecedented in EU payment law.
For years, banks have argued that scam ecosystems are sustained upstream, particularly through paid advertising and social platforms. Until now, that argument had no legal consequence. PSD3 and PSR change that balance. Platforms are no longer passive intermediaries once they are notified. Inaction now carries potential financial consequences.
This alone explains why the news has moved quickly across financial, fintech, and technology sectors.
Spoofing and Bank Impersonation: Refund Obligations Harden
Another central feature of the agreement is the explicit treatment of bank impersonation fraud.
The new rules require PSPs to refund victims of authorised push payment (APP) fraud where the fraud involved impersonation of a bank, payment provider, or trusted institution unless the PSP can prove “gross negligence” on the part of the user.
This matters because impersonation scams have historically occupied a grey zone. Victims authorised the payment, but under false pretences. Refund decisions varied widely by jurisdiction and provider.
By naming impersonation explicitly, the EU removes ambiguity. The default position shifts toward consumer reimbursement, with only a narrow defence available to PSPs.
For banks and PSPs, this is not a theoretical change. It affects:
- Fraud provisioning
- Dispute handling
- Customer communication
- Evidence thresholds for denying refunds
It also reinforces why liability is being extended beyond banks. If PSPs must refund more fraud cases, the economic logic of recovering losses from upstream enablers becomes unavoidable.
IBAN Verification Moves Beyond Instant Payments
The agreement also expands payee name verification well beyond its original scope.
Until now, Verification of Payee (VoP) has been most closely associated with instant payments. Under the new PSR framework, IBAN–name matching becomes the default safety control for credit transfers more broadly, not just instant ones.
This is a structural change. It embeds name verification into the core of European credit transfer processing.
While technical standards and exemptions will still be finalised, the direction is clear: name-matching is no longer a premium or rail-specific feature. It becomes part of the baseline expectation for payment accuracy and fraud prevention.
Operationally, this affects:
- Corporate and treasury payments
- Merchant reconciliation
- Error handling and exception flows
- Data quality requirements across onboarding and account management
Access for Non-Banks: A Long-Promised Reform Materialises
PSD3 also addresses a long-standing structural imbalance in European payments: access to payment systems.
Under PSD2, many payment institutions and e-money institutions relied on commercial banks as intermediaries. The new framework strengthens the principle of direct access for regulated non-bank PSPs.
This reduces dependency on sponsor banks and is intended to:
- Improve resilience
- Increase competition
- Reduce single-point-of-failure risk in payment chains
For fintechs, this is not merely a technical upgrade. It alters bargaining power, continuity planning, and regulatory standing.
Why This Matters Now: A Defensive Regulation
The scale and tone of PSD3 and PSR make clear that this is not innovation-driven regulation. It is defensive.
EU institutions are responding to:
- Rapid growth in online fraud volumes
- Erosion of consumer trust in digital payments
- Highly visible scam ecosystems operating across platforms
- Inconsistent refund outcomes across Member States
Rather than issuing guidance or best-practice frameworks, lawmakers have chosen liability reallocation as the enforcement mechanism. When incentives change, behaviour follows.
This explains why the deal has immediate relevance far beyond compliance teams. It affects:
- Platform moderation policies
- Advertising review processes
- Fraud intelligence sharing
- Dispute economics across the payment chain
Who Is Now Exposed: The New Liability Map
Under the agreed framework, responsibility is no longer siloed.
- Banks and PSPs carry stronger refund obligations.
- Online platforms face financial exposure if they fail to act on notified fraud.
- Fintechs and payment institutions gain access rights but also clearer accountability.
- Merchants are indirectly affected through tighter controls, more verification, and potentially slower or more conditional payment flows.
This redistribution of responsibility is why the agreement is being described as a watershed moment.
Timeline: When This Becomes Law
The agreement reached in November 2025 now moves to formal adoption.
- PSR will apply directly once in force.
- PSD3 will require national transposition.
Based on standard EU legislative timelines, practical impact is expected between 2027 and 2028. However, the market signal is immediate. Platforms, PSPs, and large merchants are already reassessing exposure.
Why This Is Trending Now
This story is trending because it crosses regulatory silos.
It is not just:
- Payment regulation or
- Consumer protection
It is:
- Platform governance
- Digital advertising accountability
- Fraud economics
- Infrastructure access
- Trust in online commerce
Few EU payment reforms have attempted to rebalance responsibility at this scale. That is why this agreement is being treated as the most consequential payment rule change in a decade.
Conclusion
PSD3 and PSR are not incremental updates. They represent a re-architecture of payment security responsibility in the EU.
By extending liability beyond banks, hard-coding impersonation fraud into refund law, expanding IBAN verification, and opening payment system access, EU lawmakers are sending a clear message: fraud prevention is no longer a banking problem alone.
For payment providers, platforms, and merchants alike, the era of fragmented responsibility is ending. The digital payments ecosystem is being asked to defend itself collectively and this agreement is the legal foundation for that shift.
FAQs
1. What exactly happened on 27 November 2025?
EU negotiators reached a provisional political agreement on the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), as confirmed by the European Parliament and the Council of the European Union.
2. Why is this considered breaking and landmark news?
Because it fundamentally changes fraud liability in EU payments by extending responsibility beyond banks to include online platforms that enable fraud and fail to act after notification.
3. Does this mean platforms are now automatically liable for fraud losses?
No. Liability is conditional, not automatic. Platforms may be required to reimburse banks only if they fail to remove fraudulent content after being notified.
4. What types of platforms are affected?
Online platforms that host or distribute content linked to fraud, such as:
- Online marketplaces
- Digital advertising environments
5. What is “bank impersonation fraud” under the new rules?
It refers to scams where criminals pose as banks or payment providers to convince victims to authorise payments. Under the new framework, refunds become mandatory unless gross negligence can be proven.
6. What does “gross negligence” mean in practice?
The agreement narrows the defence significantly. Ordinary mistakes by consumers are not enough. PSPs must demonstrate clear, serious disregard for obvious warnings.
7. How does PSD3/PSR change refund expectations for consumers?
The default shifts toward consumer reimbursement in impersonation and authorised push payment fraud cases, reducing discretion for PSPs to deny claims.
8. Is Verification of Payee now mandatory for all payments?
The agreement extends IBAN–name matching beyond instant payments to credit transfers more broadly. Technical scope and exemptions will be clarified later.
9. Does this affect non-instant SEPA credit transfers?
Yes. The direction is to make payee verification a standard safety control, not limited to instant payments.
10. What changes for fintechs and payment institutions?
PSD3 strengthens the right of non-bank PSPs to access payment systems directly, reducing reliance on sponsor banks and improving operational resilience.
11. When do these rules become legally binding?
- PSR will apply directly once adopted.
- PSD3 requires national transposition.
Practical impact is expected around 2027–2028, but market behaviour is already adjusting.
12. Do merchants have new legal obligations under PSD3/PSR?
Merchants are not directly regulated, but they are indirectly affected through tighter controls, enhanced verification, and stricter fraud handling by PSPs.
13. Why did the EU choose liability shifts instead of guidance?
Because fraud volumes and consumer harm continued to rise despite existing frameworks. Lawmakers opted to realign incentives by reallocating responsibility.
14. Is this the biggest EU payments reform since PSD2?
Yes. In terms of scope, liability redesign, and ecosystem impact, this is the most significant change since PSD2 in 2015.
15. What should PSPs and platforms do now?
Begin impact assessments, especially around:
- Fraud notification processes
- Content moderation response times
- Refund provisioning
- Inter-party reimbursement logic
Waiting until formal enforcement would be risky.