PSD3 is no longer a distant regulatory discussion. For banks, payment institutions, e-money providers, and embedded-finance players, it is becoming a practical readiness challenge that touches fraud prevention, customer journeys, supervision, operational resilience, and the ability to prove compliance with confidence.
PSD3 signals a broader shift in how the EU wants payments to work: more consistently, more securely, and with less room for fragmented national interpretation. Together with PSR, which is set to establish directly applicable rules for payment conduct and operations, PSD3 marks the transition from a compliance model based on patchwork adjustments to one built on stronger governance, clearer accountability, and improved customer protection.
The new regulatory framework has direct implications for customer onboarding, user authentication, payment monitoring, and much more. PSD3 readiness is, at its core, operational readiness. Institutions that still rely on fragmented systems, manual evidence gathering, or inconsistent approval flows may find that the new environment exposes weaknesses that were previously tolerated under PSD2.
One of the clearest reasons to act early is the stronger focus on fraud prevention. Under the emerging framework, providers are expected to do more than process transactions correctly. They must implement appropriate controls, support name-and-identifier checks for payees, strengthen customer warnings, and operate with transparency and traceability that withstand regulatory scrutiny. This shifts compliance from a back-office obligation to a visible part of the customer journey and raises the cost of poor process design.
At the same time, PSD3 readiness is inseparable from PSR readiness. The division between the two is important. PSD3 focuses on authorization, licensing, and supervision, while PSR is expected to set many of the day-to-day operational rules governing fraud, authentication, transparency, and open banking access. For institutions, however, these are not separate implementation projects. They converge in the same internal processes, control frameworks, and data environments, which is why readiness planning has to start with an end-to-end view of how money moves through the organization.
The European Commission first proposed PSD3 and PSR in June 2023, and the provisional political agreement reached in late 2025 has significantly reduced the uncertainty around the package's strategic direction. While formal adoption is still required, firms that delay until the final wording is published risk compressing what should be a multi-year transformation into a short and expensive remediation program. Readiness, therefore, means using the current lead time to identify gaps, prioritize affected journeys, and align compliance, operations, product, and IT teams around a shared roadmap.
The broader regulatory backdrop makes this even more pressing. AMLA, the new EU authority for anti-money laundering and countering the financing of terrorism, was established in 2024 and became operational in 2025, with direct supervision of selected high-risk entities expected to begin in 2028. Even for companies that are not directly supervised in the first wave, the message is clear: supervisors across Europe are moving toward a more evidence-based, harmonized, and centralized model. That means the ability to demonstrate who approved what, when a control was applied, and how decisions were documented is becoming a core business capability rather than a niche compliance requirement.
This is also why PSD3 readiness extends well beyond traditional banks. Payment institutions, e-money providers, fintechs, marketplaces, wallet providers, and embedded finance businesses all need to assess their level of exposure. If a company moves money, holds funds, enables account access, or builds the technical layer through which payment data flows, the new framework is likely to affect its operating model. Organizations whose growth depends on digital onboarding, open banking, merchant services, or account-to-account payments should be extra attentive, because these models sit directly at the intersection of authentication, fraud controls, liability allocation, and customer trust.
Trust services act as a unified digital “trust layer” for banks and fintechs, helping them meet multiple regulations simultaneously while enabling fully digital customer journeys. Instead of using separate solutions for PSD3/PSR, AML/KYC, DORA, FIDA, and future EU Digital Identity Wallet requirements, institutions can rely on eIDAS-compliant tools such as qualified electronic signatures (QES), qualified seals, and secure digital identity verification.
This trust layer improves compliance and security across several areas:
Under DORA, qualified seals protect logs and approval workflows from tampering, ensuring auditability and operational resilience.
For AML/KYC, identity verification and QES enable secure remote onboarding, reducing fraud and deepfake risks without requiring paper forms or branch visits.
In open finance and FIDA use cases, cryptographic signing ensures that shared financial data is authentic, traceable, and protected.
For PSD3/PSR and Strong Customer Authentication (SCA), qualified trust services already provide strong cryptographic authentication that can replace fragmented proprietary systems.
In practical banking processes such as account opening, lending, card issuance, deposits, and securities agreements, documents can be presented, signed, and sealed digitally with full legal validity. This creates an end-to-end audit-proof chain of evidence, strengthens legal enforceability under eIDAS, simplifies regulatory reviews, and supports fully paperless operations.
The recommended approach is for institutions to first identify regulatory pain points in key customer journeys, integrate a Qualified Trust Service Provider (QTSP), and establish trust services as a core compliance layer. Over time, this infrastructure can expand into lending, custody, and open finance APIs, turning compliance into a competitive advantage.
With customers such as Baloise and St. Galler Kantonalbank, Swisscom has a proven track record in the financial sector. As a certified trust service provider (TSP), the company can offer qualified electronic signatures and seals that are valid and certified in both Switzerland and the European Union.