Our Expert in France
No results available
Last updated: 17 July 2026
The EU’s Payment Services package, comprising the third Payment Services Directive (PSD3, known in France as DSP3) and the new Payment Services Regulation (PSR, or RSP), represents the most significant overhaul of European payments law since PSD2 entered force in 2018. Following the provisional political agreement reached on 27 November 2025 between the European Parliament and the Council, French banks, payment institutions and fintechs now face a compressed window in which to understand and operationalise the new PSD3 France requirements. This article delivers a practical, France-focused compliance roadmap covering PSR scope changes, mandatory IBAN and beneficiary-name verification, the evolution to SCA 2.
0, enhanced fraud controls, revised licensing rules and the supervisory priorities that the ACPR and the Banque de France are expected to enforce. It also sets out a phased implementation timeline so that compliance officers and legal teams can prioritise remediation work immediately.
The European Commission proposed the PSD3/PSR package in June 2023, replacing the current PSD2 framework with a two-part legislative structure. The PSD3 text is a Directive, it sets the rules for authorisation, licensing and supervision of payment institutions and must be transposed into French law by the legislator (amending the Code monétaire et financier). The PSR is a Regulation, it lays down harmonised, directly applicable operational rules for all payment service providers across every EU Member State, including France, without the need for transposition.
This dual-instrument approach is deliberate. By moving key operational requirements (fraud controls, IBAN verification, SCA standards, data-access rules) into a Regulation, the European Commission eliminates the divergent national implementations that plagued PSD2. The PSD3 Directive retains the framework for licensing, prudential requirements and national supervisory powers. Together, the DSP3 et RSP package creates a single, uniform payments rulebook for the EU.
Understanding the PSD3 timeline is essential for French institutions planning their compliance programmes. The table below maps EU-level milestones to their practical implications in France.
| Event | EU Date | France Implication |
|---|---|---|
| European Commission proposal | 28 June 2023 | French industry and ACPR begin preparatory analysis |
| Provisional political agreement (European Parliament & Council) | 27 November 2025 | Legislative text substantively finalised; French institutions should begin gap analysis |
| Formal adoption & publication in the Official Journal | Expected H1 2026 | Clock starts for transposition (PSD3 Directive) and application (PSR Regulation) |
| PSR becomes directly applicable | Expected 18 months after entry into force | French PSPs must comply with all PSR operational requirements without waiting for transposition |
| PSD3 transposition deadline | Expected 18–24 months after entry into force | France must amend the Code monétaire et financier to incorporate PSD3 licensing and supervisory rules |
| EBA technical standards (SCA, fraud, IBAN verification) | Expected within 12–18 months of adoption | Detailed implementation rules that French institutions will rely on for technical compliance |
Industry observers expect the formal adoption process to be completed in the first half of 2026. Once the texts are published in the Official Journal, French banks and PSPs will face a defined countdown. The PSR’s direct applicability means that operational obligations, IBAN verification, SCA standards, fraud controls, will take effect simultaneously across all Member States, leaving no room for delayed or divergent French implementation. The PSD3 Directive elements (licensing, supervision, governance) will require legislative action by the French parliament and regulatory guidance from the ACPR.
The PSD3/PSR package introduces changes across five major themes. Each carries specific obligations and implementation demands for French entities.
The IBAN/name verification requirement is among the most operationally demanding of the new PSD3 France requirements. Its purpose is to combat authorised push-payment fraud and misdirected payments, areas where France has seen rising loss volumes.
Under the PSR, before executing a credit transfer, the payer’s PSP must verify that the payee name provided by the payer matches the name associated with the destination IBAN. The verification may rely on inter-PSP messaging (using existing SEPA infrastructure or dedicated verification APIs) and must return a match, partial match or mismatch result to the payer before final authorisation.
| Verification Result | PSP Action Required | Liability Position |
|---|---|---|
| Exact match | Proceed with execution | Standard liability rules apply |
| Partial match | Warn payer; allow override with explicit confirmation | Reduced PSP liability if payer confirms |
| Mismatch | Alert payer prominently; execution only on explicit override | Enhanced PSP liability if verification was not offered |
| Verification unavailable (system outage) | Notify payer that verification could not be performed; document incident | PSP must demonstrate reasonable efforts; incident-reporting obligations may apply |
The SCA framework under the PSD3/PSR package, sometimes called “SCA 2.0”, retains the core principle of two-factor authentication (knowledge, possession, inherence) while introducing greater flexibility and new compliance pathways. For French banks and PSPs, this evolution demands both technical upgrades and policy revisions.
The key changes include formal recognition of behavioural and contextual signals as supplementary authentication factors. Device fingerprinting, geolocation patterns and transaction-velocity analysis may be used to support (though not replace) one of the three SCA elements. Additionally, delegated authentication is explicitly accommodated: a PSP may allow a trusted merchant or wallet provider to perform the SCA process on its behalf, subject to contractual arrangements and compliance with EBA guidelines. Risk-based exemptions are broadened, and the transaction-risk-analysis (TRA) thresholds are expected to be revised upward, allowing more low-risk transactions to proceed without a full SCA challenge.
The new framework distinguishes more clearly between recurring payment mandates and one-off transactions. For recurring payments (subscriptions, standing orders), an initial SCA at mandate set-up is expected to suffice, provided ongoing transaction monitoring is in place. For one-off payments, the full SCA process applies unless a valid exemption (TRA, low-value, trusted beneficiary) is triggered. French PSPs should review their exemption engines and ensure alignment with the forthcoming EBA Regulatory Technical Standards (RTS).
The PSR elevates fraud prevention from a best-practice expectation to a binding, measurable obligation. French banks and PSPs must deploy real-time transaction-monitoring systems that can detect anomalies, flag suspicious transactions and, in defined cases, block execution before settlement.
A significant new obligation is mandatory telemetry sharing between issuing and acquiring PSPs. The goal is to create a richer data environment for fraud detection: acquirers must share defined transaction attributes with issuers in near-real time, enabling more accurate risk scoring. Early indications suggest that EBA technical standards will specify the minimum data fields and sharing protocols.
Incident-reporting obligations are also tightened. The PSR sets maximum notification windows for major payment-related incidents: PSPs must report to the competent authority within a defined number of hours, with follow-up reports at prescribed intervals. For those unfamiliar with how banks’ responsibilities in cases of unauthorised access already operate, the new rules extend and formalise these duties.
In France, the ACPR serves as the primary supervisory authority for payment institutions, while the Banque de France oversees payment-system security through its National Payments Committee. Industry observers expect the ACPR to issue supplementary guidance clarifying how the PSR’s incident-reporting obligations interact with existing French notification frameworks. PSPs operating in France should:
One of the most structurally important aspects of the PSD3/PSR reform is the migration of key operational rules from the Directive (requiring transposition) to the Regulation (directly applicable). This shift has practical consequences for every entity providing payment services in France.
| Entity Type | Current PSD2 Treatment | Expected PSD3/PSR Treatment (Practical Impact) |
|---|---|---|
| Bank (credit institution) | Full scope; SCA obligations; reimbursements under national law | Continued full scope; PSR imposes additional harmonised operational rules, stronger fraud-liability allocations, mandatory IBAN/name verification |
| Payment institution (PSP) | Authorised under PSD2; passporting to member states | PSR tightens operational requirements; capital and governance rules migrate from Directive to Regulation, faster cross-border effect |
| Commercial agents / aggregators | Exemptions varied by Member State | PSR harmonises exemptions; commercial-agent carve-outs are expected to narrow, review all commercial relationships relying on this exemption |
PSPs that are currently authorised under PSD2 in France will need to confirm that their existing authorisation remains valid under the new framework. The likely practical effect will be a re-notification or confirmation filing with the ACPR. New applicants should prepare for updated governance, capital-adequacy and operational-resilience requirements. Entities relying on commercial-agent exemptions must reassess whether their arrangements still qualify under the narrower PSR definitions. For a comparative perspective on how other jurisdictions handle PSP licensing, French operators can benchmark their readiness.
The PSR strengthens the open-banking framework introduced under PSD2 by addressing several pain points that hindered TPP access in practice. Account-servicing PSPs (ASPSPs), including French banks, must provide dedicated interfaces (APIs) that meet defined availability, latency and data-completeness standards. The era of screen-scraping fallbacks is expected to end once the new rules apply.
Consent management receives a significant upgrade. Users must be able to provide granular, explicit consent for each category of data accessed by a TPP. A new “data dashboard” requirement obliges ASPSPs to offer users a real-time overview of all active TPP connections, with the ability to revoke access instantly. These requirements cross-reference GDPR obligations, meaning that French institutions must ensure alignment between their payments-consent infrastructure and their data-protection compliance programmes.
These developments mirror broader trends in financial regulation: just as MiCA compliance deadlines forced crypto-asset service providers to upgrade their data and consent systems, the PSD3/PSR package demands equivalent rigour from traditional payments players.
Given the compressed implementation window, French institutions should organise their compliance programmes into three phases, prioritised by regulatory risk.
Comparable regulatory transitions, such as the RBI’s 2026 banking-rule changes in India, demonstrate that institutions that begin implementation before final technical standards are published consistently outperform those that wait.
Based on the supervisory priorities communicated by the ACPR and the Banque de France through their payments oversight framework, French institutions should expect early scrutiny in the following areas:
The PSD3/PSR package is not an incremental update, it is a structural reset of European payments regulation with immediate operational consequences for every French bank, payment institution and fintech. The PSD3 France requirements demand action on multiple fronts simultaneously: IBAN-verification infrastructure, SCA 2.0 authentication upgrades, real-time fraud monitoring, open-banking API enhancements and supervisory-readiness documentation. The compressed timeline between the 27 November 2025 political agreement and the expected application dates leaves limited room for delay. Institutions that begin gap analysis and implementation now will be best positioned when the ACPR conducts its first compliance reviews. For tailored guidance on navigating these requirements, consulting with specialist banking-law counsel is strongly recommended.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Philippe Buerch at Clarelis Avocats , a member of the Global Law Experts network.
posted 20 minutes ago
posted 45 minutes ago
posted 1 hour ago
posted 1 hour ago
posted 2 hours ago
posted 2 hours ago
posted 3 hours ago
posted 3 hours ago
posted 4 hours ago
posted 4 hours ago
posted 4 hours ago
posted 5 hours ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message