PSD3 and Open Finance: What Awaits FinTech Companies in the EU

The European Union’s financial landscape is on the cusp of its most significant regulatory overhaul since the introduction of the Second Payment Services Directive (PSD2) in 2018. The European Commission has tabled a new legislative package aimed at modernizing payment services and expanding data sharing beyond traditional payment accounts: the Third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR), alongside a new framework for Financial Data Access (FiDA).

This regulatory package is more than just an update; it is a fundamental shift designed to harmonize rules, enhance consumer protection, combat fraud, and finally unlock the long-promised potential of Open Finance.

For FinTech companies—the lifeblood of digital financial innovation—PSD3 and the PSR present a dual reality: increased regulatory scrutiny and an unparalleled opportunity to access a wider pool of customer data, driving the next generation of personalized financial services.

This article provides an in-depth analysis of the transition from PSD2 to PSD3, examining the key changes, the evolution of Open Banking into Open Finance, and the strategic implications for Payment Institutions (PIs), Electronic Money Institutions (EMIs), and technology providers operating within the EU.


The Regulatory Evolution: From PSD2 to the PSD3/PSR Package

PSD2 established the foundation for Open Banking by mandating that traditional banks (Account Servicing Payment Service Providers, or ASPSPs) grant regulated third-party providers (TPPs)—Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs)—access to customer account data, provided the customer consents.

While revolutionary, PSD2 suffered from fragmentation, inconsistencies in technical implementation (the RTS, or Regulatory Technical Standards), and vulnerability to new types of fraud. PSD3 and the PSR aim to fix these structural issues by splitting the legal framework:

  1. Payment Services Regulation (PSR): This will take the place of many core articles previously in the Directive. As a Regulation, it will be directly applicable across all EU member states, eliminating the national differences and fragmentation that plagued PSD2 implementation. This uniformity is a major win for FinTechs seeking to scale pan-European operations.
  2. Third Payment Services Directive (PSD3): This will focus on the administrative and licensing aspects, such as the conditions for authorization and supervision of payment institutions. It will maintain the passporting rights established under PSD2, allowing PIs and EMIs to operate across the EU single market.

PSD3 and PSR: Five Key Changes Affecting FinTechs

The core changes introduced by the new package are designed to create a level playing field, solidify security, and empower consumers.

1. Enhanced Fraud Prevention and Consumer Protection

Fraud, particularly “spoofing” and “Authorised Push Payment (APP) fraud,” has surged under PSD2. The PSR introduces mandatory measures to mitigate this:

  • Mandatory Confirmation of Payee (CoP): Payment Service Providers (PSPs) will be required to verify whether the recipient’s account name matches the account number provided by the payer. This measure, already successful in some national markets (like the UK), is designed to prevent misdirected funds due to invoice manipulation or human error.
  • Stronger Requirements for PISPs: PISPs (Payment Initiation Service Providers) will be specifically mandated to implement stronger fraud detection mechanisms during the initiation of payments.
  • Liability Clarification: The regulatory text seeks to clarify liability across the payment chain, particularly where fraud occurs despite the use of Strong Customer Authentication (SCA). This increased accountability forces FinTechs to invest heavily in machine learning and real-time fraud monitoring tools.
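A minimal form of the Confirmation of Payee check described above, added here as an illustration and not code from the page or from any PSP. The account register, the IBANs and names in it, and the close-match threshold are constructed assumptions; the registered name is disclosed only on a close match so the check cannot be used to look up who owns an arbitrary account.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample of a PSP's account register: IBAN -> registered holder name.
ACCOUNT_REGISTER = {
    "DE89370400440532013000": "Müller Maschinenbau GmbH",
    "NL91ABNA0417164300": "Anna de Vries",
}

CLOSE_MATCH_THRESHOLD = 0.85  # assumed tuning value, not a regulatory figure


def normalise_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.lower())
    return " ".join(cleaned.split())


def confirm_payee(iban: str, payer_supplied_name: str) -> dict:
    """Return the CoP outcome for the payer-supplied name against the register.

    Outcomes: MATCH, CLOSE_MATCH, NO_MATCH, ACCOUNT_NOT_FOUND.
    """
    iban = iban.replace(" ", "").upper()
    registered = ACCOUNT_REGISTER.get(iban)
    if registered is None:
        return {"outcome": "ACCOUNT_NOT_FOUND"}
    supplied_n = normalise_name(payer_supplied_name)
    registered_n = normalise_name(registered)
    if supplied_n == registered_n:
        return {"outcome": "MATCH"}
    score = SequenceMatcher(None, supplied_n, registered_n).ratio()
    if score >= CLOSE_MATCH_THRESHOLD:
        # Surface the registered name only here, so the payer can correct a typo.
        return {"outcome": "CLOSE_MATCH", "registered_name": registered, "score": round(score, 2)}
    # No match: say nothing about the real holder, to avoid account-holder enumeration.
    return {"outcome": "NO_MATCH"}
```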

2. Streamlining Strong Customer Authentication (SCA)

While PSD2 introduced SCA—a two-factor authentication requirement for most digital payments—its implementation often created friction, leading to abandoned transactions. PSD3 aims to optimize SCA without sacrificing security:

  • SCA Waivers Review: The RTS governing SCA will be reviewed to make waivers more flexible and risk-based, potentially allowing low-value or recurring transactions to bypass SCA if they fall under strict fraud limits.
  • Interface Accessibility: The package explicitly addresses issues where ASPSPs (banks) created poor or inefficient interfaces (APIs) for TPPs. The focus shifts towards ensuring banks provide seamless, dedicated interfaces that enable TPPs to deliver high-quality, frictionless services.
  • Clarification of ‘Possession’ Element: There are proposals to clarify the “possession” element in SCA—for instance, how biometric data or tokens stored on a device qualify—to accommodate rapidly evolving technologies like facial recognition or advanced mobile apps.

3. Direct Access to Payment Systems

Under the existing framework, many payment institutions rely on traditional banks to hold their funds (safeguarding accounts) and access critical payment systems like TARGET2 or SEPA.

  • Non-Discriminatory Access: The new package reinforces the requirement for banks to grant PIs and EMIs non-discriminatory access to all technical payment infrastructure. This reduces the risk of banks freezing or delaying access to essential services, a significant historical barrier for new FinTech entrants.
  • Safeguarding Clarification: PSD3 clarifies the rules concerning the safeguarding of customer funds, aiming to protect users’ money better should a PI or EMI fail.

4. Direct Authorization for Account Information Service Providers (AISPs)

Currently, some AISPs (Account Information Service Providers) operate under simplified registration. PSD3 proposes to bring AISPs fully into the authorization regime:

  • Full Authorization: AISPs will be subject to the full regulatory authorization process, requiring capital, governance structures, and stringent security measures comparable to PISPs and PIs.
  • Benefit for FinTechs: While this increases the immediate administrative burden, it provides AISPs with greater regulatory clarity, trust, and a higher public profile, essential for consumer adoption of data-driven services.

5. Open Finance: The Next Frontier (FiDA Regulation)

Perhaps the most transformative element is the accompanying Financial Data Access (FiDA) Regulation. FiDA proposes to expand the mandatory data sharing principles of Open Banking (limited to payment accounts) to a much wider array of financial data, ushering in the era of Open Finance.

  • Data Scope: FiDA will encompass data related to:
    • Mortgages, loans, and credit agreements.
    • Savings, investment, and pension products.
    • Insurance (life and non-life).
    • Non-payment account data (e.g., electronic money accounts).
  • New Players: It introduces a new category of regulated entities, Financial Data Users (FDUs), who will be authorized to access this broader data set with customer consent.
  • Opportunity: This is a massive opportunity for FinTechs to build sophisticated services: holistic personal financial management, faster and more accurate credit scoring, automated investment advice based on a complete view of a user’s wealth, and integrated insurance products.

Strategic Implications for FinTech Companies

The transition to PSD3/PSR and FiDA demands a proactive and multi-faceted strategy from every FinTech company operating in the EU.

I. Compliance and Operational Excellence

1. Investment in Fraud Stack: FinTechs must immediately assess and upgrade their fraud management tools to comply with the mandatory CoP and the expected higher standards for APP fraud mitigation. Reliance on basic rule-based systems will no longer be sufficient; advanced machine learning models are necessary.

2. Uniformity and Pan-European Scaling: The PSR’s move to a single Regulation eliminates the need to adapt APIs and compliance procedures for 27 different national interpretations. This drastically lowers the compliance cost for scaling across the single market, making passporting more effective and encouraging FinTechs to pursue EU-wide operations from the start.

3. AISP Transition Planning: Existing AISPs must prepare for the transition to full authorization, budgeting for increased capital requirements, appointing key governance roles (Compliance Officer, MLRO), and overhauling security protocols to meet the stringent licensing criteria.

II. The Open Finance Advantage: Data Strategy

FiDA is the true growth catalyst, but successfully leveraging it requires a strategic shift from accessing data to interpreting data.

1. Holistic Product Development: FinTechs should start designing products that require cross-sectoral data access. Examples include:
  • Automated Wealth Optimization: Using investment and pension data (FiDA) alongside payment behavior (PSD3) to suggest optimal savings or tax strategies.
  • Instant Mortgage Pre-Approval: Leveraging salary history, credit agreements, and savings data to provide real-time, highly accurate lending offers.

2. Data Security and Consumer Trust: Access to sensitive data (investments, health insurance) elevates the importance of data protection. FinTechs must make GDPR compliance and transparency central to their proposition. Consumer trust—built through clear consent mechanisms and demonstrably secure data handling—will be the competitive differentiator in the Open Finance era.

3. API Standardization: The success of FiDA relies on creating common standards (like the RTS for PSD2) for APIs across banking, insurance, and investment sectors. FinTechs must actively engage in industry working groups to influence these standards, ensuring technical feasibility and interoperability.

III. Collaboration and Competition

The new regulatory framework sharpens the competitive dynamics in the financial market:

1. Bank-FinTech Collaboration: Traditional banks that struggled with PSD2 implementation will likely view FiDA as an opportunity to partner with specialized FDUs (FinTechs) rather than build all capabilities in-house. FinTechs with superior data aggregation and analytics tools will become attractive partners.

2. Increased Competition from Big Tech: The clear, mandatory frameworks of PSD3/PSR and FiDA make the EU market more predictable and appealing to Big Tech companies (e.g., Google, Amazon) who possess unparalleled resources for compliance and data infrastructure. FinTechs must innovate rapidly to maintain their niche advantage against these larger players.

3. Consolidation Pressure: The rising compliance costs, particularly the full authorization requirement for AISPs and the need for significant investment in fraud systems, are likely to accelerate consolidation. Smaller FinTechs may find themselves unable to meet the higher capital and operational standards and will seek acquisition by larger, more established players.


Technical Challenges and the Path Forward

Implementing PSD3 and FiDA is not simply a legal challenge; it is a massive technical undertaking.

1. The API Quality Dilemma

The primary technical bottleneck under PSD2 was the inconsistent quality and reliability of bank APIs. While the PSR mandates dedicated interfaces, the technical interpretation and performance will remain a point of contention. FinTechs must invest in robust, resilient API aggregation layers capable of handling varying bank response times and data formats.

2. Standardizing the Data Model

Open Finance data (FiDA) is vastly more complex than payment account data. Investment portfolios, insurance policies, and pension fund statements vary widely in structure. Industry efforts will be required to define common data models and standards that allow FDUs to ingest, normalize, and interpret information across disparate financial institutions.

3. The Sunset of National Regulation

The shift to the PSR as a Regulation means that national laws governing payment services will be superseded. FinTechs must conduct a full review of their compliance stack to ensure their operational procedures strictly follow the PSR text, rather than relying on historical national interpretations.

4. Consent Management

As the scope of data widens to include highly sensitive financial data, the mechanism for managing, revoking, and demonstrating consumer consent becomes paramount. FinTechs must develop state-of-the-art Consent Management Platforms (CMPs) that provide consumers with granular, real-time control over who accesses which specific pieces of their financial data.
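A small consent store illustrating the granular, revocable and demonstrable consent the paragraph calls for, added here as an example and not code from the page or any CMP product. The scope names are the FiDA data categories listed earlier on this page; the data-user identifiers, validity period and audit-record shape are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# FiDA data categories named on the page, used here as the granular consent scopes.
FIDA_SCOPES = {"mortgages", "loans", "savings", "investments", "pensions", "insurance"}


def utc(year, month, day):
    """Timestamp helper so callers can fix 'now' for reproducible decisions."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Consent:
    consent_id: str
    customer_id: str
    data_user: str                      # assumed FDU identifier
    scopes: set
    expires_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class ConsentStore:
    consents: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # evidence trail for every decision

    def grant(self, consent_id, customer_id, data_user, scopes, valid_days, now):
        unknown = set(scopes) - FIDA_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        expires = now + timedelta(days=valid_days)
        self.consents[consent_id] = Consent(consent_id, customer_id, data_user, set(scopes), expires)
        self.audit_log.append((now, "GRANT", consent_id, sorted(scopes)))

    def revoke(self, consent_id, now):
        self.consents[consent_id].revoked_at = now
        self.audit_log.append((now, "REVOKE", consent_id, None))

    def authorise_access(self, data_user, customer_id, scope, now):
        """Allow the read only under a live, unrevoked consent covering this exact scope."""
        for c in self.consents.values():
            if c.customer_id != customer_id or c.data_user != data_user:
                continue
            if c.revoked_at is None and now < c.expires_at and scope in c.scopes:
                self.audit_log.append((now, "ALLOW", c.consent_id, scope))
                return True, c.consent_id   # the consent id is the evidence for this access
        self.audit_log.append((now, "DENY", None, scope))
        return False, None
```

Every decision, allowed or denied, lands in the audit log, which is what lets the FDU demonstrate afterwards under which consent a given piece of data was read.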


Conclusion: PSD3 as the Launchpad for Open Finance

The EU’s new regulatory package—PSD3, the PSR, and FiDA—marks a definitive end to the exploratory phase of Open Banking and the beginning of the institutionalized era of Open Finance.

For FinTech companies, the path forward is clear: it requires a blend of defensive and offensive strategy. Defensively, meeting the stringent, harmonized compliance standards of the PSR—especially around fraud and security—is non-negotiable for survival. Offensively, FinTechs must pivot their business models to leverage the unprecedented access to consumer wealth, investment, and insurance data provided by FiDA.

The winners in this new landscape will be those who view compliance not as a burden, but as a foundation for trust, enabling them to build truly holistic, intelligent, and secure financial products that deliver on the ultimate promise of Open Finance: a consumer-centric, integrated financial ecosystem. The European FinTech race is entering its most ambitious and challenging stage yet.