Why is the shift from directive to regulation significant?

The transition from PSD2 (Payment Services Directive 2) to PSD3 (Payment Services Regulation – PSR) marks a crucial evolution in European financial regulation. The key difference lies in how the law is applied across EU member states.

• PSD2 was a directive, meaning each EU country interpreted and implemented it separately, leading to inconsistencies in enforcement.
• PSD3 will be a regulation (PSR), which means it applies directly to all EU member states without variations, ensuring standardized security, compliance, and consumer protections.

• PSD3 refines Strong Customer Authentication (SCA) rules, ensuring better fraud prevention and fewer exemptions.
• With consistent security standards, payment providers and financial institutions must adhere to phishing-resistant authentication methods, such as passkeys.

• PSD3 promotes fairer competition by improving access for non-bank financial service providers (PSPs).
• It encourages innovation in authentication and payment technologies, including biometrics and passkey-based login systems.

• Under PSD2, differences in national laws created uncertainty for financial institutions.
• PSD3 establishes universal rules for security, compliance, and fraud monitoring, reducing legal ambiguity.

• PSD3/PSR aims to align payment security with modern authentication trends by:
  • Expanding SCA requirements to ensure stronger fraud protection.
  • Encouraging the adoption of passwordless authentication, such as passkeys.
  • Reducing reliance on passwords and OTPs, which are prone to phishing attacks.

The shift from PSD2 as a directive to PSD3/PSR as a regulation eliminates inconsistencies, enhances security, and promotes seamless digital payment innovation. For organizations implementing modern authentication solutions like passkeys, PSD3 ensures standardized security requirements across the EU, making compliance simpler and more predictable.