PSD3 / PSR

Overview

PSD3 and the companion Payment Services Regulation (PSR) modernise the EU payment-services framework, replacing PSD2 + EMD2. The proposed text (COM(2023) 366/367) introduces enhanced SCA exemptions, mandatory IBAN-name verification (Verification of Payee), liability shifts on instant-payment fraud, an Open Finance access framework via the Financial Data Access (FIDA) regulation, and a single regime covering payment institutions and e-money institutions. IOF is built forward-compatible: rail-api exposes VOP attestations on every credit transfer, OBP gateway carries SCA evidence packs aligned to PSD3 RTS drafts, the consent-management rail carries FIDA-aligned scope grants, and the payments rail emits instant-payment fraud-monitoring signals. PSD3 has not yet entered into force (expected 2025–2026 EU adoption); IOF carries this regime as designed-for, not yet certified, until the directive transposes into national law.

Scope

Key Controls

• Enhanced SCA framework with PSD3-aligned exemptions (low-value, trusted-beneficiary, low-risk transaction)
• Mandatory IBAN-name match (VOP) on every credit transfer; mismatch attestations recorded
• Open Finance scope vocabulary aligned to FIDA (savings, investment, pension, mortgage, lending data)
• Instant-payment fraud monitoring rail with PSP-to-PSP fraud-data sharing hooks
• Merged scope: payment institutions and e-money institutions under unified evidence pack
• Cash-withdrawal services scope captured per PSR Title II

Certification & Audit

Evidence Bundle