The Road to PSD3/PSR1 Compliance and the Role of Identity

Jan 5, 2026
By Adam Preis, Director, Product & Solution Marketing, Ping Identity

TL;DR

  • PSD3 represents the most significant overhaul of Europe’s payments regime since PSD2, with fraud prevention and identity assurance now central regulatory pillars.

  • Enforcement begins from 2026–2028, meaning 2026–2027 is the critical window for architectural decisions and capability consolidation.

  • Compliance scope widens substantially: stronger SCA, real-time fraud monitoring, API hardening, recovery assurance, delegated entitlements, and alignment with eIDAS 2.0.

  • Converged, identity-centric IAM is essential to achieving PSD3/PSR1 readiness at speed and scale.

  • Financial institutions that treat PSD3 as an innovation catalyst, not a box-ticking exercise, will gain lasting competitive advantage.

PSD3 in Context: From PSD1 to PSD2 to the Next Wave of Payments Regulation

Europe’s first Payment Services Directive (PSD1) established a single market for payments, improving transparency and enabling cross-border digital commerce. PSD2, arriving a decade later, accelerated competition through open banking, introduced Strong Customer Authentication (SCA), and created the regulatory foundation for third-party access to payments accounts.


However, by the end of the PSD2 cycle, two truths had become unavoidable. First, industrialised fraud had decisively outpaced legacy controls, particularly SMS OTP, passwords, knowledge-based recovery journeys and unmonitored device changes. Second, the original PSD2 implementation experience revealed ambiguity, fragmentation and inconsistent supervisory interpretation across the EU.


The ensuing European Commission PSD2 Review process identified clear gaps: SCA that remained highly phishable; recovery processes easily manipulated; TPP journeys with weaker assurance than bank-direct experiences; and open-banking APIs implemented inconsistently from one jurisdiction to another.


PSD3 and its companion Payment Services Regulation (PSR1) directly respond to these realities. Together they modernise authentication expectations, strengthen fraud controls, harmonise open-banking security, and define a more coherent regulatory environment designed for today’s digital-first payments landscape.

Timelines: When PSD3 Lands and Why 2026–2027 Matters

A political agreement on PSD3 and PSR1 was reached on 27 November 2025, signalling the end of substantive policy debate and the near-finalisation of legislative text. Formal adoption and publication will follow in early–mid 2026, placing the PSR directly into the EU’s statute book and initiating an 18–24-month transposition period for PSD3.


This means:

  • Late 2026–early 2027: First wave of PSR enforcement, including most fraud, SCA and operational obligations.

  • 2027–2028: Member states complete PSD3 transposition; national rules take effect accordingly.

  • Industry planning assumption: Full compliance across all relevant EU markets by 2027–2028, with system-readiness and architectural decisions completed in 2026–2027.

The next 18 months therefore represent a decisive readiness window for banks and PSPs to modernise authentication, consolidate identity and fraud systems, strengthen API security, and adopt risk-adaptive SCA capabilities.

Why PSD3? The Drivers Behind Europe’s Regulatory Shift

The regulatory shift from PSD2 to PSD3 is pragmatic rather than philosophical. Fraud has become industrialised; attackers exploit OTP fatigue, deepfakes, coercion, mobile malware, device spoofing and weaknesses in onboarding and recovery journeys. Many payment service providers (PSPs) continue to rely on fragmented stacks, separate onboarding tools, legacy multi-factor authentication (MFA), siloed fraud engines and inconsistent open-banking architectures.


PSD3 elevates identity, authentication, authorisation, and fraud prevention from operational controls to explicit regulatory obligations. Expectation levels rise significantly across biometric quality, device assurance, dynamic linking, real-time risk scoring, social-engineering detection and secure recovery journeys. Consumer rights are broadened, transparency is strengthened, and user-configurable controls, such as spending limits and delegated authorities, become mandatory.


Critically, PSP liability expands, particularly around authorised push payment (APP) fraud. Providers must now demonstrate that adequate controls were in place at the moment the customer authorised a transaction. This makes identity assurance and risk-aligned policy enforcement primary compliance levers.

The Expanding Scope of PSD3: Who Must Comply and With What?

PSD3 and PSR1 broaden regulatory coverage in several material ways:

  • Stronger, more universal SCA across login, payments, mandate setup, beneficiary management, spending-limit changes, device recovery and high-risk actions.

  • Mandatory fraud-prevention measures, including name-to-IBAN checks, real-time behavioural and device monitoring, and inbound-transaction screening by receiving PSPs.

  • Open-banking and API hardening aligned with FAPI security profiles (mTLS, PAR, signed requests/responses, OAuth/OIDC hardening).

  • Enhanced consumer empowerment, including configurable limits, block/restrict functions, recovery protections and access to human support.

  • Alignment with eIDAS 2.0 and the future EUDI Wallet, with expectations around verifiable credentials, selective disclosure and higher identity assurance levels.

This expansion brings PSPs, electronic money institutions (EMIs), account information service providers (AISPs), payment initiation service providers (PISPs), processors and digital-only banks firmly into scope for more sophisticated identity and security requirements.

Key Tenets of PSD3: The Regulatory Pillars That Will Shape Compliance Strategy

1. Modernised Strong Customer Authentication

Biometrics with liveness, device-bound possession, passkeys, adaptive-risk decisioning and strong identity binding throughout the customer lifecycle become de facto expectations. Static factors or phishable credentials will no longer satisfy proportionality obligations.


2. Fraud Prevention and APP Fraud Mitigation

Real-time monitoring of user behaviour, transaction anomalies, mule indicators, session/device integrity and social-engineering signals becomes mandatory. PSPs must also integrate inbound-payment screening and freezing capabilities.


3. Consumer Protections and Entitlement Controls

Customers will manage spend limits, delegated permissions, allowed payees and block settings. These must be enforced at the transaction-decision layer.
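As an added illustration of pillars 1 and 3 above (dynamic linking of the SCA code to payee and amount, and customer-defined controls enforced at the transaction-decision layer), not code from the original post or from Ping Identity: a minimal decision function over a hypothetical data model, using a constructed HMAC-based dynamic-linking code, that checks the customer's block setting, payee allow-list and daily limit before verifying that the presented SCA code is bound to the exact payee and amount the customer approved.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass
# Constructed, hypothetical data model; none of this is a Ping Identity API.
@dataclass
class CustomerControls:
    daily_limit_cents: int                         # customer-configured spend limit
    spent_today_cents: int = 0
    allowed_payees: frozenset[str] | None = None   # None = no allow-list configured
    blocked: bool = False                          # customer "block" switch

@dataclass(frozen=True)
class Payment:
    payee_iban: str
    amount_cents: int

def dynamic_link_code(key: bytes, payment: Payment, nonce: str) -> str:
    """SCA code bound to the payee and amount shown to the customer (dynamic
    linking): changing either afterwards yields a different code."""
    msg = f"{payment.payee_iban}|{payment.amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def decide(payment: Payment, controls: CustomerControls, key: bytes,
           nonce: str, presented_code: str | None) -> tuple[str, str]:
    """Decision layer: customer controls first, then SCA linking; (decision, reason) is auditable."""
    if controls.blocked:
        return "deny", "account blocked by customer"
    if controls.allowed_payees is not None and payment.payee_iban not in controls.allowed_payees:
        return "deny", "payee not on customer allow-list"
    if controls.spent_today_cents + payment.amount_cents > controls.daily_limit_cents:
        return "deny", "daily spend limit exceeded"
    if presented_code is None:
        return "step_up", "SCA required: no authentication code presented"
    expected = dynamic_link_code(key, payment, nonce)
    if not hmac.compare_digest(expected, presented_code):
        return "deny", "authentication code not linked to this payee/amount"
    return "allow", "customer controls satisfied and SCA code dynamically linked"

def demo() -> list[str]:
    # Constructed key and sample values; a real deployment holds the key in an HSM/KMS.
    key = b"constructed-demo-key-not-a-real-secret"
    controls = CustomerControls(daily_limit_cents=50_000, spent_today_cents=10_000,
                                allowed_payees=frozenset({"DE00TESTPAYEE0001"}))
    shown = Payment("DE00TESTPAYEE0001", 25_000)          # what the customer approved
    code = dynamic_link_code(key, shown, "nonce-1")
    tampered = Payment("DE00TESTPAYEE0001", 30_000)       # amount altered after SCA
    unlisted = Payment("DE00OTHERPAYEE0002", 100)         # payee outside the allow-list
    return [decide(p, controls, key, "nonce-1", code)[0]
            for p in (shown, tampered, unlisted)]         # ['allow', 'deny', 'deny']
```

Because the reason string is returned alongside the decision, each outcome can be logged as the demonstrable control-at-authorisation evidence the regulation asks for.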


4. Secure Open Banking and API-Level Compliance

FAPI-aligned OAuth/OIDC, hardened API endpoints, consistent SCA across third-party providers (TPP) and direct channels, granular consent enforcement and data minimisation become standard.


5. Privacy, Data Minimisation and eIDAS/EUDI Alignment

PSD3 expects PSPs to adopt privacy-enhancing technologies, avoid centralised biometric stores and support verifiable credentials using trust-framework-aligned identity assurance.

Where PSD3 Meets PSR1: Regulation + Directive = A Unified Payments Security Framework

PSR, being directly binding EU law, harmonises conduct rules for SCA, fraud prevention and open-banking access. PSD3, as a directive, governs authorisation, licensing and institutional requirements. Together they remove ambiguity, reduce member-state divergence and raise the compliance floor across all regulated entities.


For financial institutions, the practical implication is clear: authentication strength, API security, fraud controls, customer protections and identity assurance must be consistently delivered across every channel, every market and every use case.

Why Converged IAM Is Now Essential for PSD3 Readiness

The PSD3 technical obligations cut across authentication, onboarding, fraud detection, API security, consent capture, authorisation policy and recovery assurance. Fragmented stacks cannot meet the requirement for continuous, contextual and explainable identity assurance.


A converged IAM platform provides:

  • A unified identity model across onboarding, SCA, entitlements and recovery

  • Real-time risk and behavioural insights for dynamic step-up

  • Centralised policy enforcement for limits, beneficiaries, payees and TPP access

  • Resilient cross-channel authentication aligned with FAPI and eIDAS 2.0

  • End-to-end auditability and explainability for regulators

This identity-first approach is the only sustainable path to PSD3/PSR1 compliance at enterprise scale.

How Ping Identity Helps: Mapping Capabilities to PSD3 Requirements

Preparing for PSD3 requires capabilities that enable continuous trust, real-time risk evaluation and secure, standards-aligned interactions across the entire customer journey. The framework is clear: financial institutions must demonstrate stronger identity assurance, more effective fraud controls, hardened API security, greater consumer empowerment and full lifecycle governance. Meeting these obligations demands a unified identity architecture rather than incremental upgrades.


Ping Identity supports this shift by enabling the foundational capabilities that PSD3 is built upon.


1. Strong, Modernised Authentication Aligned to PSD3’s Higher SCA Bar

PSD3 expands where SCA must apply and raises expectations for authentication quality. Institutions therefore need authentication journeys that are resistant to phishing and manipulation, anchored by proven user presence, device integrity and contextual risk.


Ping Identity enables this through capabilities that combine biometric assurance, device trust and adaptive risk evaluation, ensuring authentication becomes dynamic and responsive. This directly supports the PSD3 tightening of exemptions, expanded SCA coverage and strengthened dynamic linking requirements.


2. Identity-Centric Fraud Prevention That Meets PSD3’s Real-Time Obligations

Fraud prevention becomes a regulatory duty under PSD3, especially around APP fraud. Ping Identity enables organisations to continuously interpret identity signals (behavioural patterns, device health, environmental context and session anomalies) to detect manipulation before it results in financial loss.

By tying risk assessment directly to identity assurance, institutions can adapt journeys in real time: escalating to step-up authentication, issuing contextual warnings or halting suspicious transactions. These capabilities map directly to the PSD3 requirements for real-time monitoring, inbound payment screening and demonstrable control at the point of authorisation.


3. High-Assurance Onboarding as the Foundation for PSD3 Compliance

PSD3 recognises that many fraud vectors originate at onboarding. Synthetic identities, mule accounts and impersonation attempts cannot be mitigated by strong SCA alone. Institutions must confidently establish identity from the outset.


Ping Identity supports this by enabling high-assurance identity verification, biometric checks with liveness and contextual analysis that identifies anomalies early. Verified identities are then bound to authentication and authorisation flows, creating the continuous chain of trust PSD3 expects across the lifecycle.


4. Hardened Open-Banking and API Security, Fully Aligned with PSR1 and FAPI

PSD3 and PSR1 significantly advance the security expectations for open banking. API interactions must be standardised, tamper-resistant and enforce consistent authentication strength whether initiated by the bank or a TPP.


Ping Identity enables institutions to meet these requirements through capabilities that enforce strong OAuth/OIDC security, protect client authentication, govern consent and support data minimisation, ensuring access is precise, purpose-bound and auditable.


5. User Empowerment and Delegated Controls Embedded into Authorisation

PSD3 places significant emphasis on customer empowerment: spend limits, delegated authorities, payee restrictions, block settings and secure recovery must all be enforceable with high assurance.


Ping Identity supports this through a policy-driven authorisation layer that interprets identity attributes, contextual risk and customer-defined rules in real time. This ensures that user protections are enforced consistently across all journeys, in line with PSD3's strengthened consumer-rights and entitlement requirements.

Together, these capabilities create a unified identity fabric that aligns with the expanded PSD3 control landscape across authentication, fraud prevention, open banking, customer protection and data privacy.

Beyond Compliance: Turning PSD3 into Competitive Advantage

Leading institutions will recognise PSD3 not simply as a regulatory hurdle, but as a catalyst for strategic differentiation. Modernised identity and SCA unlock frictionless digital experiences, reduce fraud refunds, enhance customer trust and create a foundation for new value propositions, from wallet-enabled payments to premium APIs and embedded finance models.


By consolidating identity, authentication, risk, authorisation, privacy controls, and FAPI conformance into one platform, financial institutions can accelerate compliance while transforming customer experience and strengthening long-term digital resilience.


Ping Identity is uniquely positioned to support this journey, delivering a PSD3-aligned identity architecture that protects customers, reduces fraud and prepares organisations for the next decade of digital payments innovation.


Learn more about Ping Identity solutions for the financial services industry. Learn more about the role of identity in financial services regulations.
