EU Tightens Fraud Rules and Fintech Licensing in Open Banking Overhaul

The EU’s push to replace PSD2 with PSD3 and the Payment Services Regulation reflects a broader effort to modernise a fragmented payments market that has struggled to keep pace with rapid digitalisation. PSD2 introduced open banking but left gaps in supervision and fraud safeguards, prompting regulators to craft a more cohesive framework. By consolidating licensing rules under PSD3 and operational conduct under the PSR, the bloc aims to eliminate the patchwork of national interpretations that have hindered cross‑border innovation.

A central pillar of the new legislation is enhanced fraud protection. Real‑time transaction monitoring will become mandatory for instant payments, while providers must verify that a recipient’s name matches the account identifier before funds are transferred. The regulations also clarify when step‑up authentication is required, tightening customer verification across the ecosystem. These measures respond to the surge in cyber‑crime targeting faster payment rails, and they place a heavier compliance burden on fintechs that previously relied on looser standards.

Beyond security, PSD3’s licensing regime forces all third‑party providers to obtain appropriate authorisations, ensuring that APIs are both secure and overseen by competent supervisors. The separation of licensing (PSD3) from conduct rules (PSR) is designed to reduce inconsistencies that emerged under PSD2, delivering a more predictable environment for pan‑EU services. Companies will have roughly 27 months after the rules take effect to align systems, a timeline that will drive a wave of investment in compliance technology and may accelerate consolidation among smaller fintechs seeking scale to meet the new thresholds.