PSD3 and Cross-Border Payments: What Changes in 2026
PSD3 is still awaiting formal adoption, but payment institutions and BaaS providers are already preparing for stronger fraud controls, beneficiary verification, open banking reforms, and new liability expectations.
PSD3 is not yet in force as of 29 May 2026. But it is already shaping how payment institutions, cross-border wallets, and BaaS teams should design fraud controls, account access, open banking, and customer communications. The mistake is to wait for final publication before changing the operating model.
What actually changes for cross-border payments in 2026 under PSD3? As of 29 May 2026, the PSD3 and PSR package is still not formally adopted, so the legal framework in force remains PSD2 plus the other payment and AML rules already applying. But the package reached a provisional political agreement on 27 November 2025, and the direction of change is clear: stronger anti-fraud controls, IBAN-name checks before transfers, tighter liability expectations, better open-banking access, more transparent fees, and a more explicit framework for payment institutions and e-money institutions.
VOVE ID helps payment institutions absorb PSD3 in markets where the cross-border footprint is wider than the home licence suggests.
On paper, PSD3 looks incremental. In practice, it touches onboarding, fraud liability, data access, and reporting at the same time.
First, the date question matters
Founders keep talking about PSD3 as though it already rewrote the rulebook.
That is not accurate.
Here are the dates that matter:
- 28 June 2023: the European Commission published the PSD3 and PSR proposals.
- 18 June 2025: the Council approved its negotiating mandate.
- 27 November 2025: the Council and the European Parliament announced a provisional political agreement.
- 29 May 2026: the package is close to adoption, but it still needs formal adoption by Parliament and Council before it can enter into force.
So when this article asks what changes in 2026, the answer is not “the final law is already applying.”
The answer is that 2026 is the year serious payment teams should stop pretending the PSD2 operating model is enough.
Why cross-border payment teams should care before formal application
Cross-border providers usually feel legal change earlier than domestic players because they sit at the intersection of:
- payer and payee identity mismatches
- correspondent or partner-bank friction
- spoofing and impersonation risk
- open-banking dependencies
- multi-jurisdiction complaint and reporting expectations
That means PSD3 does not need to be fully applicable before it affects product decisions.
If the political direction is already clear, the teams that wait until the Official Journal stage are usually the ones that end up reworking fraud controls, onboarding logic, and customer messaging under deadline pressure.
What PSD3 and the PSR package are trying to change
The package is not one small fraud fix.
It is a broader rewrite of the payment-services framework that the EU institutions have described around four recurring themes:
- stronger anti-fraud controls
- more transparency on fees
- better consumer protection
- a more workable open-banking and market-access model
For cross-border payment teams, the first and fourth points matter most.
1. Anti-fraud rules move closer to the payment decision itself
This is the biggest operational shift.
The Council said in June 2025 that the package aims for a comprehensive anti-fraud framework and specifically highlighted:
- sharing fraud-related information between payment service providers
- checking IBAN numbers against the corresponding account name before transfer
- stronger consumer protection where fraud prevention tools are not properly used
Then the 27 November 2025 provisional agreement sharpened the message further:
- payment account IBANs would have to be checked against the corresponding account name before a transfer
- PSPs would have to share fraud-related information
- PSPs could be held liable where they fail to use some of the preventive tools
That matters for cross-border players because fraud risk in cross-border payments is often not one event. It is a chain:
- wrong beneficiary details
- weak account-name matching
- customer manipulation
- delayed intervention
- poor evidence when the complaint arrives
PSD3 pushes the control closer to the moment of payment rather than leaving it as a post-event investigation problem.
2. Strong customer authentication is not going away, but the edge cases get harder
PSD2 already made strong customer authentication central.
The next framework does not reverse that. It builds around the practical places where payment fraud still escapes the system, especially impersonation and account-detail manipulation.
For cross-border providers, that means the difficult cases become more important:
- the payer was manipulated into authorising the payment
- the beneficiary details looked technically valid but commercially wrong
- the user experience encouraged speed over verification
- a confirmation-of-payee style mismatch appeared and nobody acted properly on it
This is not just a fraud-team concern. It reaches onboarding, product design, support scripts, and case evidence.
Many of these controls depend on the quality of customer onboarding and identity verification. Our KYC Compliance Guide explains the core requirements behind customer due diligence and risk-based onboarding.
3. Open banking gets less theoretical and more enforceable
The European Parliament’s legislative train summary, current as of 20 February 2026, says the agreed text aims to:
- reduce market barriers for open-banking services
- list prohibited obstacles to data access
- let authorised open-banking providers access related payment-account data
- give users a dashboard to monitor and manage permissions
That matters because many cross-border payment products depend on account information and initiation layers to support:
- account verification
- funding confirmation
- affordability or business-activity context
- smoother payout or treasury routing
If access stays unreliable, those workflows become fragile.
If access improves but governance is weak, the startup inherits a bigger permissions and data-use burden.
So the open-banking part of PSD3 is not an isolated ecosystem issue. It changes what product teams can responsibly rely on.
4. Payment institutions and e-money institutions get a clearer framework
The PSD3 side of the package also revises how payment institutions are framed and treats e-money institutions as a sub-category of payment institutions.
That matters for cross-border operators because licensing structure, prudential expectations, and account access affect growth almost as much as payments logic does.
The Parliament’s legislative-train summary also highlights two issues that matter directly in practice:
- banks are asked to provide payment institutions with access to payment accounts on a non-discriminatory basis
- authorisation is meant to be simplified while preserving capital, prudential, and own-funds requirements
That does not mean a lighter compliance burden.
It means the EU is trying to reduce structural unfairness while still expecting the operating model to be sound.
A realistic PSD3 failure: when fraud liability sits with the wrong party
A French-licensed payment institution sends payouts into several Eastern European corridors.
The team feels comfortable because:
- onboarding is live
- SCA is in place
- fraud reviews exist
- customer support can intervene after complaints
Then a mismatch appears.
A payment order is authorised after a beneficiary-detail change. The IBAN is technically valid, but the account-name logic shows a discrepancy. The user has also been nudged by a spoofing-style contact that looks like a legitimate service message. The payment moves anyway because the intervention workflow is weak and the support team assumes the user knowingly accepted the risk.
Later, the issue becomes a liability question:
- was the mismatch surfaced clearly enough?
- did the PSP use the available preventive tool correctly?
- did the fraud workflow meet the expected standard?
- which provider in the chain failed, and who carries the cost?
That is the kind of case PSD3 turns from an awkward complaint into a rule-structure problem.
What cross-border providers should change during 2026
The practical move is not to guess the final recital wording.
It is to adapt the stack to the direction that is already clear.
1. Treat beneficiary verification as product infrastructure
If the business still handles beneficiary-detail mismatches as an occasional support edge case, the control is too weak.
Cross-border payment teams should design:
- pre-transfer name and account checks
- clear mismatch handling
- user messaging that distinguishes warning from block
- evidence capture showing what the user saw and what the provider did
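The pre-transfer check listed above, as an added example that is not from the original article or any vendor's code: it validates the IBAN's structure, compares the entered name with the registered name, separates warn from block, and returns an evidence record. The 0.85 threshold, the block policy, and the `registered_name` input (which in practice would come from the beneficiary's PSP) are assumptions.

```python
import difflib, hashlib, re, unicodedata
from datetime import datetime, timezone

CLOSE_MATCH_THRESHOLD = 0.85  # assumed cut-off; tune against real corridor data

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: structure only, says nothing about the owner."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])  # A=10 ... Z=35
    return int(digits) % 97 == 1

def normalise(name: str) -> str:
    """Casefold, strip diacritics and punctuation, collapse whitespace."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", ascii_name.casefold()).split())

def name_result(entered: str, registered: str) -> str:
    a, b = normalise(entered), normalise(registered)
    if a == b:
        return "MATCH"
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"

def pre_transfer_check(iban, entered_name, registered_name, beneficiary_changed_recently):
    """Return (action, evidence). The policy here is illustrative, not PSD3 text."""
    if not iban_is_valid(iban):
        result, action, msg = "INVALID_IBAN", "block", "The IBAN is not valid."
    else:
        result = name_result(entered_name, registered_name)
        if result == "MATCH":
            action, msg = "proceed", ""
        elif result == "NO_MATCH" and beneficiary_changed_recently:
            # A valid IBAN plus a name mismatch right after a payout change: stop it.
            action, msg = "block", "Account name does not match. Payment stopped for review."
        else:
            action, msg = "warn", "Account name does not fully match. Confirm to continue."
    evidence = {  # what the provider checked, decided, and showed the user
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "iban_sha256": hashlib.sha256(re.sub(r"\s+", "", iban).upper().encode()).hexdigest(),
        "result": result, "action": action, "message_shown": msg,
        "beneficiary_changed_recently": beneficiary_changed_recently,
    }
    return action, evidence
```

The evidence record should be written to the same case history that support and compliance use, so a later dispute can show which message the customer actually saw.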
2. Move fraud scoring closer to onboarding and account change events
A lot of cross-border payment loss starts before the transfer itself:
- account takeover risk
- weak business verification
- suspicious device or access patterns
- high-risk changes to payout destinations
For providers onboarding corporate customers, business verification and ownership checks are often the first line of risk control. See our KYB Compliance Guide for a detailed breakdown of business onboarding requirements.
Fraud logic should not begin only at transaction authorisation.
3. Build the permissions and data-governance layer now
If the open-banking side of the package becomes more usable, teams will want to consume more payment-account data. That only helps if the startup can:
- govern permissions cleanly
- explain why data was accessed
- show how long permissions last
- separate product convenience from justified processing
4. Prepare for account-access and partner-bank discussions with evidence
Non-discriminatory access to payment accounts is strategically important.
But access improves in practice only for firms that can still demonstrate that they are operationally well controlled. Cross-border players should expect to prove:
- customer segmentation
- fraud rates and controls
- sanctions and AML workflows
- complaints handling
- incident response
AML controls increasingly sit alongside fraud controls when payment institutions are assessed by regulators and banking partners. For a broader overview of AML requirements for payment providers and fintechs, see our AML Compliance Guide.
How VOVE ID adapts onboarding to PSD3-era obligations
VOVE ID helps payment institutions and BaaS teams connect onboarding, verification, fraud controls, and operational evidence into one workflow.
For PSD3 preparation, that means teams can build around:
- confirmation-of-payee and beneficiary verification logic
- fraud scoring connected to onboarding and profile changes
- business and user verification tied to live payment permissions
- reporting hooks and case history that survive dispute review
- a single operational record across customer, transfer, and investigator actions
The advantage is not only compliance readiness.
It is cleaner product decision-making.
When the rulebook shifts, the startup already knows where the real control points sit.
Practical checklist
Fraud
- Map where beneficiary-detail checks happen before transfer.
- Test how spoofing and impersonation cases escalate.
- Record what warning, mismatch, or confirmation message the customer actually saw.
Open banking
- Audit which payment-account data your product truly depends on.
- Identify where access obstacles still break onboarding or payment flows.
- Design permission dashboards and consent handling as durable infrastructure, not temporary UI.
Cross-border operations
- Review which corridors create the most beneficiary mismatches or complaint risk.
- Align onboarding, payout-change controls, and fraud review across jurisdictions.
- Make sure support, compliance, and product teams use the same case record.
Governance
- Track the formal adoption process rather than assuming PSD3 is already in force.
- Prepare 2026 implementation work on the basis of the 27 November 2025 provisional agreement.
- Avoid building a PSD2-only operating model that will need to be rebuilt immediately after adoption.
FAQ
1. Is PSD3 already in force on 29 May 2026?
No. As of 29 May 2026, the package is still not formally adopted. The legal direction is clearer because the Council and Parliament reached a provisional political agreement on 27 November 2025, but formal adoption still matters.
2. Is PSD3 only about fraud?
No. Fraud is central, but the package also covers open banking, payment-account access, transparency on fees, consumer protection, access to cash, and the institutional framework for payment and e-money providers.
3. Why does this matter so much for cross-border payments specifically?
Because cross-border providers face more beneficiary mismatches, more partner dependencies, more data-access friction, and more complex fraud and liability chains than purely domestic payment flows.
4. What should a startup do first?
Start with beneficiary verification, fraud intervention logic, and case evidence. Those are the areas where PSD3-era expectations most directly collide with live payment operations.
Conclusion
PSD3 is not yet in force as of 29 May 2026.
But for cross-border payment providers, 2026 is still the right year to act as if the framework change is operationally real. The package is close enough to adoption, and the themes are clear enough, that waiting for the final procedural step is mostly a way to delay necessary redesign.
The teams that handle beneficiary verification, fraud controls, open-banking permissions, and payment-institution governance as one system will absorb the change far more cleanly than the teams that keep treating each one as a separate workstream.
Sources
- Council of the EU, “Council agrees its position on a more modern payment service framework in the EU” (18 June 2025)
- Council of the EU, “Payment services: Council and Parliament agree to step up the fight against fraud and increase transparency” (27 November 2025)
- European Parliament Legislative Train, “Payment services and electronic money services in the internal market (directive)” (status as of 20 February 2026)
- European Commission proposal for the Payment Services Regulation, COM(2023) 367 final
- European Commission proposal for PSD3, COM(2023) 366 final