Payment services monitoring
in a single inbox.
EU payment-services law is mid-transition, and the operative regime is layered. PSD2 (Directive (EU) 2015/2366, applied since 13 January 2018) and its strong-customer-authentication RTS (Commission Delegated Regulation (EU) 2018/389, applicable since 14 September 2019) still govern authentication, open-banking access and third-party-provider rules. The Instant Payments Regulation (EU) 2024/886 has been phasing in on top — euro-area PSPs reachable to receive instant euro transfers since 9 January 2025 and able to send since 9 October 2025, with verification-of-payee and charge-parity duties. And the overhaul is close but not yet law: the Commission's June 2023 package — a PSD3 directive (COM(2023) 366) and a directly-applicable Payment Services Regulation (COM(2023) 367) — reached a provisional political agreement on 27 November 2025 and is close to adoption, but has not been adopted or published in the Official Journal. Horizon Scanner watches every EBA RTS and guideline, the instant-payments rollout, supervisor letters and the PSD3/PSR pipeline — each tagged with an explicit legislative status.
Scope
What PSD2 / PSD3 covers — and what we crawl for it.
PSD2 + the SCA-RTS (Dir. (EU) 2015/2366, Del. Reg. (EU) 2018/389)
The operative authentication regime: strong customer authentication (two of knowledge / possession / inherence), dynamic linking, the SCA exemptions, and the secure-communication rules between banks and third parties — including the dedicated-interface (API) and fallback provisions. EBA guidelines and Q&As cross-referenced.
Open banking — AISPs, PISPs and account access
Access-to-the-account (XS2A): account-servicing banks must let authorised account-information (AISP) and payment-initiation (PISP) providers access payment-account data with the customer's consent. We track EBA API / interface positions and national-supervisor expectations on prohibited access obstacles.
Instant Payments Regulation (EU) 2024/886
The phased reachability duties — euro-area PSPs receiving since 9 January 2025, sending since 9 October 2025; non-euro-area Member States follow in 2027 — plus the verification-of-payee (IBAN/name match with a discrepancy warning) and the rule that an instant euro transfer may not cost more than a standard one. Each milestone is a tracked, dated event.
The proposed PSD3 + PSR (COM(2023) 366 / 367)
The overhaul, tracked as a status-tagged pipeline — not as law. The June 2023 package reached a provisional political agreement on 27 November 2025 and is close to adoption, but is not yet adopted or in the Official Journal. Proposed changes include folding the e-money regime into the payment-institution framework, anti-fraud measures (verification-of-payee beyond instant payments, refund rules for impersonation/spoofing fraud), better third-party API access, and ICT alignment with DORA. We surface every step (proposal → EP → Council → trilogue → adoption) with no in-force claim until publication.
E-money institutions (EMD2, Dir. 2009/110/EC)
Electronic-money institutions are governed today by the second E-Money Directive (2009/110/EC). PSD3 would fold them into the payment-institution regime — a proposed change we track as pending, not as current law. Until then EMD2 stands.
Cross-cuts with DORA, AMLR and the Travel Rule
Payment and e-money institutions fall under DORA for ICT and operational-resilience risk (applicable since 17 January 2025) and under the AMLR as obliged entities. The TFR (Reg. (EU) 2023/1113) governs crypto transfers where a payments player also handles crypto. We tag findings against every framework that applies — once.
How Horizon Scanner helps
Specifically for PSD2 / PSD3 teams.
- 01
Filtered by institution type
Configure your licence type — payment institution, e-money institution, a bank's payments unit, or an AISP/PISP. The inbox surfaces only what applies to your permissions; an AISP doesn't see settlement rules for permissions it doesn't hold.
- 02
Tracks the instant-payments rollout
The dated reachability milestones (receive, send, the non-euro-area 2027 dates), verification-of-payee go-live, and charge-parity — each a tracked event in the routing engine with reminders to your payments-operations lead.
- 03
Separates enacted from proposed
PSD3/PSR findings sit in their own sub-stream with an explicit legislative-process status (proposal / EP position / Council / trilogue / agreed / adopted). Until the texts are published in the Official Journal, nothing is presented as an in-force obligation — so your team plans on the agreement without mistaking it for law.
- 04
Routes to payments, fraud and compliance
Default routing: SCA and API-interface changes to payments engineering, fraud-liability and verification-of-payee items to the fraud team, licensing and prudential changes to compliance — each with an immutable, timestamped audit trail for the supervisor.
Sources monitored
The regulators we crawl for PSD2 / PSD3.
- EUR-LexDirective (EU) 2015/2366 (PSD2), Delegated Regulation (EU) 2018/389 (SCA-RTS), Regulation (EU) 2024/886 (Instant Payments), Directive 2009/110/EC (EMD2), the PSD3/PSR proposals (COM(2023) 366/367), all amending acts.
- EBARTS and guidelines under the payments framework, the central register of payment and e-money institutions, fraud-reporting and major-incident guidelines, API / interface positions.
- CommissionThe PSD3 / PSR / FIDA legislative pipeline, delegated and implementing acts, official FAQs, Member-State infringement notices.
- ECB / EurosystemRetail-payments strategy, Eurosystem oversight of payment systems, and the SEPA instant-credit-transfer scheme rulebooks underlying the reachability duties.
- BaFinZAG (Zahlungsdiensteaufsichtsgesetz) circulars, German SCA and open-banking positions, supervisory communications to payment and e-money institutions.
- ACPRFrench payment-institution authorisation and supervision positions, instant-payments and fraud communications.
- FMAAustrian payment-services supervision, national implementing positions and registration practice.
- National peersOther national supervisors (DNB, Banca d'Italia, CSSF, Banco de España) on payment-services authorisation, open banking and the instant-payments rollout.
Custom sources can be added in minutes — supervisory blog feeds, association circulars, internal counsel memos all route through the same engine.
FAQ
What PSD2 / PSD3 buyers ask first.
Are PSD3 and the PSR already in force?
No. The Commission proposed them in June 2023; the co-legislators reached a provisional political agreement on 27 November 2025 and the texts are close to adoption, but they have not been formally adopted or published in the Official Journal. We track them as a status-tagged pipeline and only treat an obligation as binding once it is published — so you can plan ahead without acting on a non-final text.
Do you cover the instant-payments deadlines?
Yes. The Instant Payments Regulation (EU) 2024/886 phased in for euro-area PSPs — reachable to receive since 9 January 2025, able to send since 9 October 2025 — with non-euro-area Member States following in 2027. The verification-of-payee duty and the rule that an instant transfer can't cost more than a standard one are surfaced and routed, with the dated milestones tracked.
How does this overlap with DORA?
DORA (Regulation (EU) 2022/2554, applicable since 17 January 2025) governs ICT and operational-resilience risk for financial entities including payment and e-money institutions; the PSD2 SCA-RTS governs authentication and secure communication. They are complementary, not one replacing the other — we tag a finding against both where it touches both, deduplicated.
We're an e-money institution — are we in scope?
Yes. E-money institutions are governed today by EMD2 (Directive 2009/110/EC). The proposed PSD3 would fold e-money institutions into the payment-institution regime — but that is proposed, not yet law, so EMD2 still applies. We track both the current EMD2 obligations and the PSD3 pipeline that would change them.