[codicts-css-switcher id=”346″]

Global Law Experts Logo
psd3 france requirements

PSD3 France 2026 Requirements: PSR Scope, IBAN Verification, SCA 2.0 & Compliance Steps for Banks and Psps

By Global Law Experts
– posted 47 minutes ago

Last updated: 17 July 2026

The EU’s Payment Services package, comprising the third Payment Services Directive (PSD3, known in France as DSP3) and the new Payment Services Regulation (PSR, or RSP), represents the most significant overhaul of European payments law since PSD2 entered force in 2018. Following the provisional political agreement reached on 27 November 2025 between the European Parliament and the Council, French banks, payment institutions and fintechs now face a compressed window in which to understand and operationalise the new PSD3 France requirements. This article delivers a practical, France-focused compliance roadmap covering PSR scope changes, mandatory IBAN and beneficiary-name verification, the evolution to SCA 2.

0, enhanced fraud controls, revised licensing rules and the supervisory priorities that the ACPR and the Banque de France are expected to enforce. It also sets out a phased implementation timeline so that compliance officers and legal teams can prioritise remediation work immediately.

Executive Summary, Key Takeaways

  • Dual-instrument structure. PSD3 remains a Directive requiring French transposition; the PSR is a Regulation that will apply directly, no transposition needed.
  • IBAN/name verification becomes mandatory. Payment service providers (PSPs) must verify that the beneficiary’s IBAN matches the payee name before executing a credit transfer, with defined match-threshold rules and liability consequences for non-compliance.
  • SCA evolves to “SCA 2.0.” New exemptions, behavioural and contextual signals, and delegated-authentication models expand what counts as strong customer authentication, while raising the compliance bar for technical implementation.
  • Fraud controls and incident reporting are tightened. Mandatory real-time transaction monitoring, telemetry sharing between issuers and acquirers, and shorter incident-reporting windows are expected under PSR provisions.
  • Open banking access rules are strengthened. Third-party providers (TPPs) gain clearer data-access rights, but consent and security requirements are tightened, with a crosswalk to GDPR obligations.
  • Licensing scope shifts. Several operational requirements move from the Directive to the directly applicable PSR, narrowing national divergence and potentially affecting commercial-agent exemptions.
  • Supervisory focus in France. The ACPR and the Banque de France are expected to prioritise fraud-prevention readiness, IBAN-verification infrastructure and incident-reporting capabilities in early supervisory reviews.
  • Timeline snapshot. Political agreement: 27 November 2025. Formal adoption and publication in the Official Journal: expected H1 2026. PSR application: expected 18 months after entry into force. PSD3 transposition deadline: expected 18–24 months after entry into force.

What Are PSD3 and PSR? Scope and Legal Form

The European Commission proposed the PSD3/PSR package in June 2023, replacing the current PSD2 framework with a two-part legislative structure. The PSD3 text is a Directive, it sets the rules for authorisation, licensing and supervision of payment institutions and must be transposed into French law by the legislator (amending the Code monétaire et financier). The PSR is a Regulation, it lays down harmonised, directly applicable operational rules for all payment service providers across every EU Member State, including France, without the need for transposition.

This dual-instrument approach is deliberate. By moving key operational requirements (fraud controls, IBAN verification, SCA standards, data-access rules) into a Regulation, the European Commission eliminates the divergent national implementations that plagued PSD2. The PSD3 Directive retains the framework for licensing, prudential requirements and national supervisory powers. Together, the DSP3 et RSP package creates a single, uniform payments rulebook for the EU.

PSD3 vs PSR, Who Is Directly Bound?

  • Banks (credit institutions). Bound by both PSD3 (via transposition) and the PSR (directly). Banks face the broadest compliance surface.
  • Payment institutions and e-money institutions. Bound by both instruments. The PSR imposes uniform operational rules; PSD3 governs their authorisation status.
  • Third-party providers (AISPs and PISPs). Directly bound by the PSR’s access-to-data and security provisions.
  • Merchants and corporates. Not directly licensed, but indirectly affected through contractual requirements imposed by their PSPs under the new rules.

PSD3 Timeline: Current Status and Key Dates for France

Understanding the PSD3 timeline is essential for French institutions planning their compliance programmes. The table below maps EU-level milestones to their practical implications in France.

Event EU Date France Implication
European Commission proposal 28 June 2023 French industry and ACPR begin preparatory analysis
Provisional political agreement (European Parliament & Council) 27 November 2025 Legislative text substantively finalised; French institutions should begin gap analysis
Formal adoption & publication in the Official Journal Expected H1 2026 Clock starts for transposition (PSD3 Directive) and application (PSR Regulation)
PSR becomes directly applicable Expected 18 months after entry into force French PSPs must comply with all PSR operational requirements without waiting for transposition
PSD3 transposition deadline Expected 18–24 months after entry into force France must amend the Code monétaire et financier to incorporate PSD3 licensing and supervisory rules
EBA technical standards (SCA, fraud, IBAN verification) Expected within 12–18 months of adoption Detailed implementation rules that French institutions will rely on for technical compliance

What to Expect in H1–H2 2026

Industry observers expect the formal adoption process to be completed in the first half of 2026. Once the texts are published in the Official Journal, French banks and PSPs will face a defined countdown. The PSR’s direct applicability means that operational obligations, IBAN verification, SCA standards, fraud controls, will take effect simultaneously across all Member States, leaving no room for delayed or divergent French implementation. The PSD3 Directive elements (licensing, supervision, governance) will require legislative action by the French parliament and regulatory guidance from the ACPR.

Key PSD3 France Requirements Impacting Banks and PSPs

The PSD3/PSR package introduces changes across five major themes. Each carries specific obligations and implementation demands for French entities.

PSR Scope Changes (Licensing and Perimeter)

  • Several operational rules previously subject to national transposition move into the directly applicable PSR, reducing room for French-specific interpretations.
  • Commercial-agent exemptions, widely used by marketplace platforms, are expected to narrow under harmonised PSR definitions.
  • The scope of activities requiring authorisation may expand to cover certain currently unregulated payment-adjacent services.

IBAN and Beneficiary-Name Verification

  • The PSR introduces a mandatory verification of payee (VoP) mechanism: PSPs must check that the IBAN provided by the payer corresponds to the name of the intended beneficiary before executing a payment.
  • This requirement applies to credit transfers and, in defined circumstances, to direct debits.
  • Liability rules are tightened: where a PSP fails to perform the verification and the payment is misdirected, the PSP bears enhanced responsibility for reimbursement.

SCA Updates (“SCA 2.0”)

  • The framework retains the two-factor authentication requirement but introduces broader exemptions and the recognition of behavioural and contextual signals.
  • Delegated authentication, where the PSP delegates the SCA process to a trusted third party, is formally accommodated.
  • Risk-based exemptions are expanded, allowing PSPs to exempt low-risk transactions using real-time risk analysis aligned with EBA technical standards.

Fraud Controls and Transaction Monitoring

  • PSPs must implement real-time transaction-monitoring systems capable of detecting and flagging suspicious patterns.
  • Mandatory information sharing between issuing and acquiring PSPs is introduced, including telemetry data to improve fraud-detection accuracy.
  • Incident-reporting timelines are shortened, with the PSR specifying maximum notification windows for major payment-related incidents.

Access-to-Data and Open Banking

  • The PSR strengthens TPPs’ right to access payment account data, requiring account-servicing PSPs (ASPSPs) to provide dedicated interfaces that meet defined performance and reliability standards.
  • Consent mechanisms are tightened, requiring explicit, granular user consent for data access, cross-referencing GDPR requirements.
  • A new obligation for “data dashboards” enables payment service users to monitor and revoke third-party access in real time.

IBAN and Beneficiary-Name Verification: Obligations and Implementation

The IBAN/name verification requirement is among the most operationally demanding of the new PSD3 France requirements. Its purpose is to combat authorised push-payment fraud and misdirected payments, areas where France has seen rising loss volumes.

Under the PSR, before executing a credit transfer, the payer’s PSP must verify that the payee name provided by the payer matches the name associated with the destination IBAN. The verification may rely on inter-PSP messaging (using existing SEPA infrastructure or dedicated verification APIs) and must return a match, partial match or mismatch result to the payer before final authorisation.

Implementation Checklist

  • Identify data sources. Determine which directories, inter-PSP protocols or third-party API services will provide the name-IBAN lookup. Industry observers expect EBA technical standards to specify minimum data-quality thresholds.
  • Define match logic. Establish rules for exact match, partial match (e.g., minor typographical differences) and mismatch, including how each scenario is communicated to the payer.
  • Build user notification flows. The payer must receive a clear warning before proceeding if a mismatch is detected. Design UX flows for online banking, mobile apps and batch-payment channels.
  • Address exceptions. Certain transaction types (e.g., payments to government entities, intra-group transfers) may be subject to specific rules or carve-outs. Monitor EBA guidance.
  • Document liability allocation. Update terms and conditions to reflect the PSP’s enhanced reimbursement obligations where verification is not performed or is performed incorrectly.
Verification Result PSP Action Required Liability Position
Exact match Proceed with execution Standard liability rules apply
Partial match Warn payer; allow override with explicit confirmation Reduced PSP liability if payer confirms
Mismatch Alert payer prominently; execution only on explicit override Enhanced PSP liability if verification was not offered
Verification unavailable (system outage) Notify payer that verification could not be performed; document incident PSP must demonstrate reasonable efforts; incident-reporting obligations may apply

Strong Customer Authentication (SCA), What Is Changing and How to Comply

The SCA framework under the PSD3/PSR package, sometimes called “SCA 2.0”, retains the core principle of two-factor authentication (knowledge, possession, inherence) while introducing greater flexibility and new compliance pathways. For French banks and PSPs, this evolution demands both technical upgrades and policy revisions.

The key changes include formal recognition of behavioural and contextual signals as supplementary authentication factors. Device fingerprinting, geolocation patterns and transaction-velocity analysis may be used to support (though not replace) one of the three SCA elements. Additionally, delegated authentication is explicitly accommodated: a PSP may allow a trusted merchant or wallet provider to perform the SCA process on its behalf, subject to contractual arrangements and compliance with EBA guidelines. Risk-based exemptions are broadened, and the transaction-risk-analysis (TRA) thresholds are expected to be revised upward, allowing more low-risk transactions to proceed without a full SCA challenge.

SCA for Recurring vs One-Off Transactions

The new framework distinguishes more clearly between recurring payment mandates and one-off transactions. For recurring payments (subscriptions, standing orders), an initial SCA at mandate set-up is expected to suffice, provided ongoing transaction monitoring is in place. For one-off payments, the full SCA process applies unless a valid exemption (TRA, low-value, trusted beneficiary) is triggered. French PSPs should review their exemption engines and ensure alignment with the forthcoming EBA Regulatory Technical Standards (RTS).

Implementation Steps

  • Audit current SCA flows. Map every customer-facing authentication flow (web, mobile, in-app, USSD) against the updated requirements.
  • Upgrade exemption engines. Ensure real-time risk-scoring systems can evaluate the revised TRA thresholds and apply exemptions dynamically.
  • Negotiate delegated-authentication agreements. Where merchants or wallets will perform SCA, execute written agreements specifying responsibilities, fallback procedures and liability allocation.
  • Test fallback mechanisms. Regulators will expect evidence that where an exemption fails or a delegated party is unavailable, a full SCA challenge is triggered without friction.
  • Document UX decisions. Supervisors will review whether authentication prompts are clear and do not mislead users. Maintain design documentation.

Fraud Controls, Transaction Monitoring and Incident Reporting

The PSR elevates fraud prevention from a best-practice expectation to a binding, measurable obligation. French banks and PSPs must deploy real-time transaction-monitoring systems that can detect anomalies, flag suspicious transactions and, in defined cases, block execution before settlement.

A significant new obligation is mandatory telemetry sharing between issuing and acquiring PSPs. The goal is to create a richer data environment for fraud detection: acquirers must share defined transaction attributes with issuers in near-real time, enabling more accurate risk scoring. Early indications suggest that EBA technical standards will specify the minimum data fields and sharing protocols.

Incident-reporting obligations are also tightened. The PSR sets maximum notification windows for major payment-related incidents: PSPs must report to the competent authority within a defined number of hours, with follow-up reports at prescribed intervals. For those unfamiliar with how banks’ responsibilities in cases of unauthorised access already operate, the new rules extend and formalise these duties.

Coordination with French Authorities (ACPR / Banque de France)

In France, the ACPR serves as the primary supervisory authority for payment institutions, while the Banque de France oversees payment-system security through its National Payments Committee. Industry observers expect the ACPR to issue supplementary guidance clarifying how the PSR’s incident-reporting obligations interact with existing French notification frameworks. PSPs operating in France should:

  • Designate a single point of contact (SPOC) for incident reporting to the ACPR.
  • Pre-agree communication templates and escalation flows with internal IT security, legal and compliance teams.
  • Maintain an incident register with timestamps, root-cause analysis and remediation evidence.
  • Track fraud KPIs, transaction-fraud rates, false-positive rates, average detection-to-block time, for supervisory reporting.

PSD3 France Requirements: PSR Scope and Licensing Changes

One of the most structurally important aspects of the PSD3/PSR reform is the migration of key operational rules from the Directive (requiring transposition) to the Regulation (directly applicable). This shift has practical consequences for every entity providing payment services in France.

Entity Type Current PSD2 Treatment Expected PSD3/PSR Treatment (Practical Impact)
Bank (credit institution) Full scope; SCA obligations; reimbursements under national law Continued full scope; PSR imposes additional harmonised operational rules, stronger fraud-liability allocations, mandatory IBAN/name verification
Payment institution (PSP) Authorised under PSD2; passporting to member states PSR tightens operational requirements; capital and governance rules migrate from Directive to Regulation, faster cross-border effect
Commercial agents / aggregators Exemptions varied by Member State PSR harmonises exemptions; commercial-agent carve-outs are expected to narrow, review all commercial relationships relying on this exemption

Practical Steps for PSPs Seeking Authorisation in France

PSPs that are currently authorised under PSD2 in France will need to confirm that their existing authorisation remains valid under the new framework. The likely practical effect will be a re-notification or confirmation filing with the ACPR. New applicants should prepare for updated governance, capital-adequacy and operational-resilience requirements. Entities relying on commercial-agent exemptions must reassess whether their arrangements still qualify under the narrower PSR definitions. For a comparative perspective on how other jurisdictions handle PSP licensing, French operators can benchmark their readiness.

Data Access, Consent and Third-Party Access (Open Banking Changes)

The PSR strengthens the open-banking framework introduced under PSD2 by addressing several pain points that hindered TPP access in practice. Account-servicing PSPs (ASPSPs), including French banks, must provide dedicated interfaces (APIs) that meet defined availability, latency and data-completeness standards. The era of screen-scraping fallbacks is expected to end once the new rules apply.

Consent management receives a significant upgrade. Users must be able to provide granular, explicit consent for each category of data accessed by a TPP. A new “data dashboard” requirement obliges ASPSPs to offer users a real-time overview of all active TPP connections, with the ability to revoke access instantly. These requirements cross-reference GDPR obligations, meaning that French institutions must ensure alignment between their payments-consent infrastructure and their data-protection compliance programmes.

Implementation Checklist, Open Banking

  • API performance audit. Test dedicated interfaces against the forthcoming EBA performance benchmarks (uptime, response time, error rates).
  • Consent-log architecture. Build or upgrade systems to capture, store and retrieve granular consent records for each TPP connection.
  • Data-dashboard deployment. Design and deploy a user-facing interface for monitoring and revoking TPP access.
  • Contractual review. Update agreements with TPPs to reflect new liability, security and data-handling obligations.
  • GDPR crosswalk. Map PSD3/PSR consent requirements against GDPR lawful-basis and data-subject-rights obligations to avoid duplication or conflict.

These developments mirror broader trends in financial regulation: just as MiCA compliance deadlines forced crypto-asset service providers to upgrade their data and consent systems, the PSD3/PSR package demands equivalent rigour from traditional payments players.

Practical Compliance Roadmap for French Banks and PSPs (12–36 Weeks)

Given the compressed implementation window, French institutions should organise their compliance programmes into three phases, prioritised by regulatory risk.

Phase 1: Weeks 1–12 (Urgent, Transactional Controls)

  • Complete gap analysis against the finalised PSD3 text and PSR provisions.
  • Initiate IBAN/name-verification infrastructure procurement or development.
  • Audit and upgrade SCA exemption engines and authentication flows.
  • Establish incident-reporting protocols aligned with the PSR’s shortened timelines.
  • Appoint a PSD3/PSR project lead and cross-functional steering committee.

Phase 2: Weeks 13–24 (Medium, Licensing and Contracts)

  • Submit re-notification or confirmation filings to the ACPR (if required).
  • Review and renegotiate TPP contracts, commercial-agent arrangements and delegated-authentication agreements.
  • Deploy fraud-monitoring enhancements, including telemetry-sharing protocols with counterpart PSPs.
  • Update terms and conditions for customers and merchants to reflect new liability rules.

Phase 3: Weeks 25–36 (Lower Priority, Product and UX Changes)

  • Launch user-facing data dashboards for TPP-access management.
  • Implement updated consent-management flows across all digital channels.
  • Conduct end-to-end testing of all modified authentication, verification and monitoring systems.
  • Prepare supervisory-readiness documentation (policies, test reports, vendor SLAs) for anticipated ACPR reviews.

Comparable regulatory transitions, such as the RBI’s 2026 banking-rule changes in India, demonstrate that institutions that begin implementation before final technical standards are published consistently outperform those that wait.

What Supervisors Will Check, ACPR and Banque de France Focus Areas

Based on the supervisory priorities communicated by the ACPR and the Banque de France through their payments oversight framework, French institutions should expect early scrutiny in the following areas:

  • IBAN/name-verification readiness. Evidence that systems are operational, match-logic is documented and user-notification flows are tested.
  • Fraud-monitoring capabilities. Documented monitoring rules, KPI dashboards (fraud rates, detection speed, false-positive management) and evidence of telemetry-sharing arrangements.
  • SCA compliance documentation. Written policies on exemptions, delegated-authentication contracts and fallback-mechanism test reports.
  • Incident-reporting preparedness. Named SPOC, tested notification templates and an incident register with at least one tabletop exercise completed.
  • Open-banking API performance. Uptime logs, response-time statistics and evidence that APIs meet forthcoming EBA benchmarks.
  • Governance and accountability. Board-level awareness of PSD3/PSR obligations, documented project plan and clear allocation of compliance responsibilities.

Conclusion

The PSD3/PSR package is not an incremental update, it is a structural reset of European payments regulation with immediate operational consequences for every French bank, payment institution and fintech. The PSD3 France requirements demand action on multiple fronts simultaneously: IBAN-verification infrastructure, SCA 2.0 authentication upgrades, real-time fraud monitoring, open-banking API enhancements and supervisory-readiness documentation. The compressed timeline between the 27 November 2025 political agreement and the expected application dates leaves limited room for delay. Institutions that begin gap analysis and implementation now will be best positioned when the ACPR conducts its first compliance reviews. For tailored guidance on navigating these requirements, consulting with specialist banking-law counsel is strongly recommended.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Philippe Buerch at Clarelis Avocats , a member of the Global Law Experts network.

Sources

  1. EUR-Lex, PSD3/PSR Legislative Texts
  2. European Commission, Payment Services
  3. Banque de France, Payments FAQ
  4. ACPR (Autorité de Contrôle Prudentiel et de Résolution)
  5. European Banking Authority (EBA)
  6. European Central Bank, Payments Oversight

FAQs

Qu'est-ce que la directive PSD3 ?
PSD3 (DSP3 en français) est la troisième Directive sur les services de paiement de l’UE. Elle remplace la PSD2 et régit l’agrément, la supervision et la gouvernance des établissements de paiement. Contrairement au PSR (RSP), la PSD3 est une Directive qui doit être transposée en droit français.
Le 27 novembre 2025, le Parlement européen et le Conseil sont parvenus à un accord politique provisoire sur le paquet PSD3/PSR. Cet accord fixe le contenu substantiel des textes. L’adoption formelle et la publication au Journal officiel de l’UE sont attendues au premier semestre 2026.
L’adoption formelle est attendue au S1 2026. Le PSR (Règlement) s’appliquera directement environ 18 mois après l’entrée en vigueur. La PSD3 (Directive) devra être transposée en droit français dans un délai de 18 à 24 mois. Les établissements français doivent commencer leurs travaux de conformité dès maintenant.
La PSD3 (DSP3) est une Directive qui régit l’agrément et la supervision, elle sera transposée par le législateur français. Le PSR (RSP) est un Règlement directement applicable : les règles opérationnelles (SCA, vérification IBAN, prévention de la fraude) s’imposeront uniformément sans transposition nationale, éliminant les divergences entre États membres.
Les banques doivent maintenir l’authentification forte (deux facteurs : connaissance, possession, inhérence) tout en intégrant de nouvelles possibilités : signaux comportementaux et contextuels, authentification déléguée et exemptions basées sur le risque élargies. Les standards techniques de l’ABE (EBA) préciseront les seuils et conditions applicables.
Yes. The PSR introduces a mandatory verification-of-payee mechanism. Before executing a credit transfer, the payer’s PSP must check that the beneficiary’s IBAN corresponds to the payee name. Where verification is not performed and the payment is misdirected, the PSP faces enhanced reimbursement liability.
The ACPR and the Banque de France are expected to focus on IBAN/name-verification readiness, real-time fraud-monitoring capabilities, SCA compliance documentation, incident-reporting preparedness (including designated SPOCs and tested templates) and open-banking API performance. Institutions should prepare evidence files for each area before supervisory reviews begin.
By ILIA ETL GLOBAL

posted 8 hours ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

PSD3 France 2026 Requirements: PSR Scope, IBAN Verification, SCA 2.0 & Compliance Steps for Banks and Psps

Send welcome message

Custom Message