EU Payment Regulation 2026: How PSD3 Changes Fraud Protection for Users and Fintech Apps

EU payment regulation in 2026 will introduce major changes in how fraud prevention, payment verification, and consumer protection operate across the European payments ecosystem. These reforms aim to strengthen safeguards before money leaves a consumer’s account and increase accountability for payment service providers, fintech apps, and online platforms operating across the EU financial system.
By Hamna Zain, 25.03.2026
This article explains PSD3 in practical terms, including how payment verification will change through confirmation of payee, how refund expectations may evolve through APP scam refund protections, how strong customer authentication remains part of the fraud-prevention framework, how the EU Payment Services Regulation reforms affect fintech apps and platforms, and how EU open banking access will change for consumers and financial service providers.
For most readers, Payment Services Directive 3 (hereinafter referred to as “PSD3”) matters for one reason: it is part of a broader reset in how payments are checked, how fraud losses are handled, and how financial service providers and online platforms are expected to protect users before money leaves a consumer’s account. PSD3 is the third European Union directive regulating payment services and payment providers across the EU financial system. The intent of PSD3 is to ensure safer payment transfer journeys, tighter payee verification, clearer fee disclosure, better control over data permissions, and more pressure on providers to build fraud prevention into the product itself instead of treating it as a back-office issue. The current package is not yet fully in force, but the political direction is already clear after the European Parliament and Council reached a provisional deal in late November 2025, following the Commission’s June 2023 proposals.
At the center of the reform is the Payment Services Regulation, which EU institutions are shaping as the more directly applicable rulebook for modern payments, while the directive side focuses more on authorisation, supervision, and market access. That matters because this is not just another technical compliance update. It is the practical shift in EU payment regulation in 2026 that consumers, merchants, and fintech teams are likely to notice in the way transfer screens, warnings, disputes, and support processes begin to change over the coming year.
The payment screen is becoming a real fraud-control step
The most visible change for ordinary users is likely to happen at the moment they make a transfer. Under the provisional deal, payment service providers will be required to check that the payee’s name and unique identifier match. If there is a discrepancy, the provider must refuse the payment and inform the customer. That is a major practical shift because it turns the payment interface into an active safety checkpoint rather than a passive instruction box.
That one change could reduce two very common problems. The first is simple human error: a user enters the wrong account details, copies old bank information from a saved template, or pastes instructions from the wrong invoice. The second is social-engineering fraud: fake supplier emails, spoofed “urgent” messages, and last-minute requests to change payment details. In both situations, the system is being pushed to do more work before the money is gone, which is exactly where prevention is most valuable.
In real life, that may not stop every scam. A determined fraudster can still manipulate a victim, and some scams will keep evolving. But the key commercial difference is that providers will be under more pressure to show they used the tools available to them. The stronger the warning layer before a transfer is sent, the harder it becomes to argue later that the entire loss should remain the customer’s problem.
A useful comparison for UK-facing businesses is confirmation of payee, the UK name-checking service introduced in 2020. Pay.UK says it is now used by more than 320 organisations and covers more than 99% of organisations initiating Faster Payments in the UK. The EU’s approach is not identical, but the policy direction is similar: add a visible verification step before first-time or risky transfers go through.
| Everyday payment situation | What is likely to change | Why it matters |
| --- | --- | --- |
| Sending money to a new recipient | The app should check the name against the payment details before release | Fewer misdirected payments |
| Receiving “updated bank details” by email | A mismatch should trigger a visible warning or refusal | Better protection against invoice fraud |
| Making a rushed mobile transfer | The payment journey should do more than simply process instructions | Safer decision-making under pressure |
Liability is shifting closer to the provider
The real force of the reform is not just the warning on screen. It is what happens if a provider fails to use the tools it should have used. The European Parliament says that if a payment service provider does not implement appropriate fraud-prevention mechanisms, it will be liable for the customer’s loss. Parliament also says that if a fraudster initiates or alters a transaction, that payment is to be treated as unauthorised, with the provider liable for the full fraudulent amount.
That matters because many payment disputes do not turn on whether money was technically “authorised.” They turn on whether the customer was manipulated into acting, and whether the provider had enough signals to detect something was wrong. In practice, the hardest cases are often the ones where the consumer did click “approve,” but only after being pushed through a carefully staged fraud journey that looked legitimate.
This is where the phrase APP scam refund becomes more relevant. The EU is not copying the UK reimbursement model line for line, but it is clearly moving toward stronger protection in cases where fraud controls were weak or where the user was tricked through impersonation. Parliament also says that where a scammer pretends to be a provider’s employee and persuades the customer to approve a payment, the provider must refund the full amount, as long as the customer reports the fraud to police and informs the provider.
The package also reinforces strong customer authentication as part of the fraud framework, alongside risk assessment, spending limits, and blocking tools. That is important because the reform treats security as a layered process. It is no longer enough to have a login step and then assume the system has done its job. Providers are being pushed toward a broader fraud stack: verification, transaction monitoring, user controls, and faster response when something looks suspicious.
For consumers, the lesson is still practical: if something feels off, stop, verify through a separate channel, and report immediately. For providers, the lesson is less comfortable: anti-fraud promises in policy documents will matter far less than what the payment journey actually does when risk appears in real time.
If something looks suspicious before or after a payment:
  • Treat any last-minute request to change payment details as a red flag
  • Verify new or revised recipient details through a separate channel — a phone call, not a reply to the same email
  • Slow down when a message tries to create urgency or panic
  • Keep screenshots, emails, and call records as evidence
  • Report the incident to police and inform your payment provider as quickly as possible
Platforms and merchants are now part of the fraud story too
One of the more significant aspects of the deal is that responsibility no longer ends with banks and payment institutions. The European Parliament says online platforms can be liable to providers that reimbursed defrauded customers if those platforms were informed of fraudulent content and failed to remove it. The Council also says major online platforms and search engines may advertise financial services in a member state only if the business behind those services is properly regulated and authorised there.
That is a meaningful shift for marketplaces, lead-generation businesses, comparison sites, and any platform that monetises financial traffic. If a scam starts with an ad, a fake listing, or a fraudulent “offer” pushed through a platform, the platform’s own moderation choices can become part of the liability chain. In commercial terms, this means fewer excuses for weak review systems and greater pressure to act quickly when obvious fraud is reported.
There is also a smaller but very practical merchant-side rule that deserves attention. The Council says merchants must make sure their normal trading name matches the name shown on customers’ bank statements. That may sound minor, but in practice it can reduce chargeback confusion, lower the number of “I don’t recognise this payment” complaints, and improve the customer’s ability to distinguish legitimate charges from suspicious ones.
This matters for fintech partners too. Many disputes begin not because the transaction itself was unlawful, but because the customer was confused, could not recognise the charge, or encountered friction at the exact point where clarity mattered most. Better naming, better screening, and faster takedowns all work together as a fraud-control system, even if they sit outside the bank’s own app.
Hidden fees are being pushed into the open
Users rarely remember the name of a regulation, but they remember the ATM withdrawal that cost more than expected or the payment that looked cheap until the final exchange rate appeared. The Council says providers will be legally obliged to show all fees and exchange rates before a transaction is made. Parliament likewise says customers should be informed of all charges before payment initiation, including currency-conversion charges and fixed ATM cash-withdrawal fees.
That is more important than it sounds. A large share of payment complaints do not start with fraud; they start with surprise. When a user feels a charge was buried, obscured, or shown too late, trust drops immediately. Clearer pre-transaction disclosures reduce that friction, and they also make later complaints easier to assess because the provider can point to what was actually shown at the right moment.
For fintech apps, this is not just a legal drafting exercise. Fee disclosure now becomes a product-design question. If the cost exists but is hidden behind extra taps, buried in small print, or shown after the user is psychologically committed, that may increasingly look like weak design rather than acceptable compliance. The better approach is simple: show the total cost clearly before the user confirms.
The package also strengthens access to cash, especially outside major urban centres. The Council says retailers will be able to offer cash withdrawals without requiring a purchase, subject to chip-and-PIN safeguards and a maximum withdrawal limit of €150. For many users, that is a practical reminder that modern payment reform is not only about digital payments. It is also about keeping everyday access workable for people who still rely on cash from time to time.
Data access is becoming more usable, not just more regulated
For fintech product teams, the real EU open banking issue is not whether access exists on paper. It is whether access works cleanly in practice, with fewer artificial barriers and clearer customer control. Parliament says the package reduces market barriers for open-banking services, prevents account-servicing providers from discriminating against authorised firms, and gives users a dashboard to monitor and manage the permissions they have granted for access to their payment data.
That is a meaningful shift because one of the largest frustrations in the current market has been uneven consent and connection experiences. Many services technically work, but the user journey can still be confusing, fragile, or difficult to manage after the initial connection. A permission dashboard makes this much more concrete: users can see who has access, review active connections, and withdraw permissions more deliberately. For consumers, that means more control. For providers, it means weaker consent design will become harder to justify.
The broader lesson is that the next phase of payments regulation is not only about stopping fraud. It is also about making the customer’s relationship with payment data more transparent and easier to manage. That will matter more and more as payment apps become part of broader financial ecosystems and consumers expect the same clarity they already expect in other digital products.
What users and fintech teams should do now
For consumers, the practical takeaway is straightforward. Treat last-minute payment changes as high risk. Verify new or revised bank details through a separate channel. Slow down when a message creates urgency. Keep records if something looks wrong. If money is sent in suspicious circumstances, report it quickly and preserve screenshots, emails, and call details. The reform is moving in a more protective direction, but timing and evidence will still matter in real complaints.
For fintech teams, the next step is not to wait for final adoption and then scramble. The direction of travel is already clear enough to act now. Review payee-check flows, warning screens, escalation rules, fee-disclosure layouts, permission dashboards, statement descriptors, and customer-support processes. If those parts of the product are weak, they will increasingly look like governance failures rather than minor usability flaws. The firms that prepare early are less likely to face painful redesigns later, and they are also more likely to win customer trust in a market where safety has become part of the product itself.
The Bottom Line
The most important point about the EU payments reform is that it shifts responsibility to the stage before money moves, not just to the argument after it is lost. Users should expect more visible warnings, clearer pricing, and better control over who can access their payment data. Providers should expect tougher scrutiny if fraud controls are weak or if obvious warning signs are missed. Platforms and merchants should expect less room to treat fraud as somebody else’s issue. The commercial message is explicit: “safer payments will depend more on what the system prevents in advance than on what it apologises for afterward.”
FAQ:
  1. What is PSD3 and how is it different from PSD2?
PSD3 is the EU’s third Payment Services Directive, designed as part of a broader reset in how payments are supervised, how fraud controls are built into products, and how users are protected before money leaves their account.
A key difference in this reform package is the split between a directive (PSD3, focused more on authorisation, supervision, and market access) and a directly applicable regulation (the proposed Payment Services Regulation or PSR), which is intended to act as the practical “rulebook” for modern payments across the EU.
  2. When does PSD3 come into effect?
The package is not fully in force yet.
However, the policy direction is already set: the European Parliament and Council reached a provisional deal in late November 2025, building on the Commission’s proposals from June 2023, and the reforms are framed as an EU payments regulation shift in 2026 that users and fintech teams are likely to notice through changes in transfer screens, warnings, disputes, and support flows once the final texts are formally adopted and implementation begins.
  3. How does PSD3 protect consumers from fraud and scams?
The PSD3/PSR reform package is pushing fraud prevention upstream – into the payment journey itself. The most visible change is payee verification (confirmation of payee–style checks): providers should verify that the recipient’s name matches the identifier, and a mismatch should normally trigger a warning or refusal of the payment and an explanation to the customer. It also tightens expectations around provider responsibility when fraud controls are weak, reinforces strong customer authentication as part of a layered fraud stack, and points toward stronger handling of impersonation and manipulation-style scams (often discussed as APP scams), including circumstances where reimbursement may become more likely if providers fail to implement appropriate fraud-prevention mechanisms.
  4. Will PSD3 affect how fintech apps and payment platforms operate?
Yes, especially at the interface level. Payment screens are being treated as a real-time fraud-control step, not a passive “send” button: expect more verification prompts, warnings, and escalation rules for risky transfers.
Platforms and merchants also get pulled into the fraud chain: online platforms may face liability exposure if they ignore reported fraudulent content, and large platforms/search engines may be restricted from advertising financial services unless the provider is properly authorised in that member state; merchants also face clearer requirements around recognisable statement naming. On top of fraud, fintech product teams should expect fee transparency to become a UX requirement (show all charges/exchange rates before confirmation), not just a legal footnote.
  5. What does PSD3 mean for open banking and access to financial data?
The direction is “more usable, not just more regulated.” The package aims to reduce barriers and prevent account-servicing providers from discriminating against authorised open-banking firms, while giving users clearer control over permissions.
A practical shift is the idea of a permission dashboard: users should be able to see who has access to their payment data, review active connections, and withdraw permissions more deliberately – turning consent from a one-time click into an ongoing control surface.
Hamna Zain
Hamna Zain is a UK-qualified Barrister and corporate counsel with over 14 years of experience advising startups, fintech companies, SaaS platforms, and international businesses on cross-border transactions, regulatory matters, digital payments, fraud risk, compliance, and commercial contracting. She has worked with multinational corporations and high-growth businesses across Europe, the UK, the Middle East, and the US, supporting clients on payment regulation, governance, dispute-risk management, and operational legal strategy. In addition to advisory work, she also conducts corporate training on compliance, risk management, and contract strategy for global teams.