PSD3: what's changing and how to prepare (2026)

PSD3 is the European Union's updated payment services directive, proposed to replace PSD2. It is expected to come into force in 2027 after a transition period. It introduces stricter open banking rules, revised liability frameworks, and a significantly expanded commercial agent exemption that directly affects how marketplaces handle payments. For UK businesses, PSD3 does not apply directly, but it sets the regulatory direction that FCA policy is likely to follow.

‍

What is PSD3 and why does it matter now?

PSD3 is the third iteration of the EU's Payment Services Directive. The European Commission published its proposal in June 2023. A provisional political agreement was reached in November 2025, with the final text expected to be published in the Official Journal in H1 2026. Member states must transpose PSD3 within 21 months of entry into force, placing full applicability in late 2027 to early 2028. It updates the rules governing who can process payments, who needs a licence, and how liability is allocated when things go wrong.

The directive matters now because the transition period creates compliance decisions that cannot wait. Businesses that structure their payment flows incorrectly under the current PSD2 regulations may find themselves exposed once PSD3 is transposed into national law. The time to audit payment architecture is before the new rules apply, not after.

These are the 27 EU Member States, all of which must transpose PSD3 into national law:

‍

‍

The commercial agent exemption: the change that matters most to marketplaces

Under PSD2, the commercial agent exemption allowed platforms to collect and disburse payments on behalf of buyers and sellers without holding a payment institution licence, provided the platform acted as a genuine commercial agent for one party to the transaction. In practice, this exemption was applied inconsistently across EU member states, and many marketplaces operated in a grey area.

PSD3 clarifies and narrows this exemption further. Under PSD2, platforms could already only rely on the exemption if they acted on behalf of either the buyer or the seller, not both. PSD3 adds two further conditions: The agent must be genuinely authorised to negotiate or conclude transactions on behalf of one party, and that party must have a real margin to negotiate. Platforms that impose standard terms on both buyers and sellers, leaving neither party with genuine negotiating room, will not satisfy the revised test. 

This is the most commercially significant change in the directive for marketplace operators. A platform that currently relies on the commercial agent exemption to avoid licensing obligations needs to assess whether its payment flows meet the revised test. If the platform collects from buyers and pays sellers, it is almost certainly outside the exemption under PSD3.

The practical consequence is that marketplaces which are not already working with a regulated payment institution will need to either obtain their own licence or partner with an authorised provider to remain compliant.

‍

What PSD3 changes beyond the commercial agent exemption

PSD3 introduces several other material changes. Open banking access rights are strengthened: banks must provide more reliable API access to third-party providers, and the penalties for non-compliance are increased. This is relevant for marketplaces that use account-to-account payment methods or offer bank transfer options at checkout. The penalties for non-compliance are significant: under the agreed political text, member state competent authorities will be required to impose fines linked to annual turnover for serious breaches. For platforms that depend on bank transfer infrastructure, ensuring your payment provider meets the new API performance standards is a direct compliance obligation, not an optional upgrade. 

Strong Customer Authentication rules are updated under PSD3. The EBA will issue new regulatory technical standards on SCA exemptions, including the transaction risk analysis exemption, aiming for more consistent application across EU member states. Platforms should expect their payment providers to apply updated authentication standards once the PSR enters into force. 

The PSR applies directly across all EU member states 18 months after publication in the Official Journal, which is anticipated in H1 2026. That places the compliance deadline in late 2027 for most SCA obligations, with payee name and identifier verification requirements applying at 24 months. Platforms operating in the EU should treat 2026 as the year to audit and update their payment flows, not wait for the transposition deadline. 

Liability rules are also revised. Under PSD3, the liability framework for unauthorised transactions shifts further towards payment institutions and away from consumers. For marketplace operators, this means the authorised payment institution processing payments on their platform carries greater responsibility for fraud losses. Choosing a regulated, well-established provider becomes more consequential.

Finally, PSD3 introduces a new category of payment institution licence. The distinction between small payment institutions and authorised payment institutions is restructured, with updated capital requirements and reporting obligations for each category. Authorised payment institutions are required to align their ICT and governance frameworks with DORA, the EU's Digital Operational Resilience Act, which is already in force. This means incident reporting, ICT risk management, and operational resilience standards apply to your payment provider now, not at PSD3 transposition. For marketplaces, this is a due diligence point: confirm your provider has DORA-compliant infrastructure before the PSD3 deadline makes it a formal requirement.

‍

Payment institution licence categories under PSD3

‍

Does PSD3 apply to UK marketplaces?

PSD3 is an EU directive. It applies to businesses operating in EU member states. UK businesses operating solely in the UK are governed by the Payment Services Regulations 2017, which implemented PSD2 into UK law, and by FCA supervision under those regulations.

The UK has not announced plans to adopt PSD3 directly. However, the FCA has signalled its intention to update the Payment Services Regulations to reflect evolving market conditions, and PSD3 provides a strong indication of the direction of travel. UK marketplaces with EU operations, EU sellers, or EU customers are subject to PSD3 requirements in those jurisdictions regardless of where the platform is incorporated.

In practice, UK marketplace operators should treat PSD3 as a planning horizon. Businesses that build compliant payment architecture now, working with FCA-authorised providers and structuring payment flows correctly, will be well-positioned if the UK follows the EU's lead on the commercial agent exemption and open banking access rules.

What marketplace operators should do before PSD3 comes into force

The first step is to map your current payment flows and identify whether you rely on the commercial agent exemption. If your platform collects from buyers and disburses to sellers, you should obtain legal advice on whether your current structure will satisfy the revised PSD3 exemption test.

The second step is to confirm that your payment provider holds the appropriate authorisations. In the EU, this means an authorised payment institution licence issued by a national competent authority. 

The third step is to review your seller onboarding and KYC processes. PSD3 tightens requirements around seller verification, particularly for platforms that hold funds on behalf of third parties. Automated KYC checks, identity verification, and AML screening should be part of your standard onboarding flow.

Finally, review your contracts with your payment provider. Liability for unauthorised transactions is shifting under PSD3, and your commercial agreements should reflect where responsibility sits between the platform and the payment institution. Ryft holds an FCA Licence as an Authorised Payment Institution and is built specifically for marketplaces, including split payments to multiple sellers and compliant seller onboarding.

‍