Council adopts position on PSD3 and PSR – key take-aways

Regarding the authorisation process for obtaining a payment institution license, the positions of the Parliament and Council are broadly aligned. The same is true for the exemptions from the licensing requirement. 

However, in this area, the Council introduces new exclusions in relation to crypto-asset services (see for further details below in section 2). Additional exclusions are further proposed for cash-related services such as the professional physical transport of banknotes and coins including their collecting, processing and delivery or the cash-to-cash currency exchange operations where funds are not held on a payment account.

Moreover, the Council helpfully refines the agent exemption by clarifying that the agent must have “real scope” for negotiation, and not the payer or payee, and that the agent must be in the possession of funds which did not seem to be a prerequisite according to the Parliament. Furthermore, the definition of agent no longer refers to the definition in the EU Commercial Agents Directive (Directive 86/653/EC), allowing for a more flexible interpretation of the exemption.

On the limited network exemption, the Council adds that ‘premises’ also include online stores and not only physical premises resulting in a broader application of the exemption. It is also noteworthy in this context that the notification requirement to national competent authorities (NCAs), which is currently mandatory where the total value of payment transactions exceeds EUR 1 million, shall become optional and up to the Member State’s discretion according to the Council. 

The Council position picks up a relatively recent topic that has emerged after the Market in Crypto-Assets Regulation (MiCAR) has entered into force in December 2024. Under MiCAR, certain stablecoins that reference one official currency (such as the euro or the US dollar), so called e-money tokens, are subject to rules governing e-money and crypto-assets. However, due to the fact that e-money also qualifies as “funds” for the purposes of PSD2, the question arises whether crypto-asset service providers (CASPs) that provide services in relation to e-money tokens require an additional payment services license under PSD2 (see our blogpost). As a result of these discussions, the European Banking Authority (EBA) released a so called "no-action" letter on 10 June 2025, in which the EBA advises NCAs to enforce authorisation of PSD2 only for a specified subset of CASPs that transact e-money tokens. In addition, enforcement shall only take place after 2 March 2026 and certain PSD2 provisions should be deprioritised. In the no-action letter, the EBA also advises the co-legislators to either amend MiCAR in order to subject such crypto-asset services with e-money tokens solely to MiCAR, or to clarify in PSD3/PSR whether and how these services should additionally be governed by payment service legislation.

The Council chose the latter approach. Pursuant to the Council’s position, PSD/PSR3 would clarify, largely aligned with the no-action letter, that certain crypto-asset services are out of scope of payment services regulation, such as exchange services where the buyer or seller acts in their own name, the operation of trading platforms, reception and transmission of orders and executing orders for crypto-assets. The same applies to payment transactions with e-money tokens without any intermediary involved, including their transfer between two self-hosted addresses. On the other hand, transfer services where e-money tokens are used to pay for goods or services, for peer-to-peer payment transactions or payment transactions between payment accounts held by the same person are not excluded and generally governed by payment services regulation, including the need for a license. 

In addition, the Council proposes that entities licensed for payment services shall, in the future, be able to provide crypto-asset services with e-money tokens that are equivalent to payment services for which they are licensed and suggests amending MiCAR in this respect.

Already before the issuance of the “no-action” letter, the Parliament suggested exempting payment transactions used for the execution of trading and settlement services using e-money tokens from the scope of PSR (and as an optional exemption for member states under PSD3), insofar the CASP is sufficiently licensed under MiCAR. The Parliament therefore took the stance that crypto-asset services should be (primarily) governed by MiCAR. 

The safeguarding rules under PSD2 generally aim to protect client funds by requiring payment institutions to keep those funds separately from the institution’s own funds. While the Commission and the Parliament were broadly aligned in their proposals to introduce new safeguarding requirements under PSD3 including e.g. the possibility to keep client funds on central bank accounts or by requiring institutions to diversify their safeguarding measures, the Council’s proposal extends these requirements. 

For example, to increase transparency, the Council suggests that payment institutions inform their clients about the applicable insolvency laws and competent courts where claims can be raised in case of the institution’s insolvency. Furthermore, according to the Council, the safeguarding of funds by holding them in settlement accounts of designated payment systems should be possible. The Council explicitly considers such funds as compliant with safeguarding requirements if they are not commingled with others’ funds, and mandates that Member States ensure funds held in these designated systems are insulated in accordance with national law, especially in the event of insolvency. The use of settlement accounts for safeguarding purposes in addition to other safeguarding measures will increase the payment institutions’ independence as they will not have to rely on banks for these purposes and is a consequential change alongside the amendments to the Settlement Finality Directive granting payment institutions direct access to payment systems.

The Parliament (in line with the Commission) proposed a detailed regime for open banking, underlining the obligation for account servicing payment service providers (ASPSPs) to maintain dedicated interfaces meeting high standards of security, availability, and data parity. The Parliament also clarified exemptions for small ASPSPs from dedicated interface obligations. 

The Council position is largely aligned with the Parliament position. However, the Council removes the procedure for account information service providers with NCAs to request access to the interface provided by the ASPSP to its users when a dedicated interface is unavailable and until the dedicated interface is again accessible. Furthermore, it limits planned unavailability to the hours between midnight and 6am and requires ASPSPs to ensure that the dedicated interface is statistically available at least as much as the interface that the ASPSP uses for authentication and communication with its users.

Fraud is expected to be a key issue in upcoming trilogue negotiations, as co-legislators work to make the future payments framework more resilient against increasingly sophisticated fraud. While the Parliament’s position emphasised strengthening transaction monitoring, improving information sharing, and introducing clear user notification requirements, the Council suggests refining the anti-fraud aspects of the proposals in several ways. 

In relation to “spoofing” or “impersonation fraud”, the Council proposes (in line with the Commission’s original proposal) that the obligation of payment service providers (PSPs) to refund the consumer the amount of the fraudulently authorised payment transaction should be limited to cases where the fraudster impersonates the PSP, as opposed to the Parliament’s proposal which suggested extending such liability to cases where the fraudster impersonates any entity of a private or public nature. The Council also sets out clearer obligations for victims in relation to notifying their PSP to receive a refund: they must provide all the relevant information requested by the PSP and that they can reasonably be expected to have regarding the events leading up to the disputed payment transaction without undue delay. Furthermore, the Council extends the deadline for PSPs to reimburse victims of impersonation fraud to 15 business days, compared to the 10 business days proposed by the Commission and the Parliament. 

The Council also suggests that the Commission creates a platform on combating fraud, which will bring together experts from both public and private sectors to promote cooperation and share best practices. Furthermore, the Council proposes more specific conditions for fraud-related data sharing between PSPs, such as that they should conduct joint data protection assessments before sharing data. 

In line with the Parliament, the Council proposes to introduce certain requirements for electronic communications services providers (ECSPs). However, the approach taken is somewhat different.

In particular, the Parliament suggested to make ECSPs, defined as any entities covered by the Digital Services Act (Regulation (EU) 2022/2065) or the European Electronic Communications Code (Directive (EU) 2018/1972), liable in the context of impersonation fraud: According to the Parliament, if ECSPs fail to remove fraudulent or illegal content after being informed of it, they must refund the PSP the full amount of the fraudulent authorised payment transaction (provided that the consumer has, without any delay, reported the fraud to the police and notified its PSP). Additionally, the Parliament’s position would require ECSPs to implement a range of fraud prevention and mitigation techniques and educational measures, such as alerts and guidance to their customers.

The Council’s position does not include any such liability of ECSPs but focuses more on cross-sectoral cooperation between ECSPs and PSPs, with the aim of preventing and detecting fraud. Notably, the Council advocates for requiring ECSPs, defined as providers of electronic communications services within the meaning of Article 2(4)(b) of the European Electronic Communications Code, i.e. interpersonal communications services, to establish dedicated communication channels with PSPs or to participate in a system for effective communication or an information-sharing mechanism to allow for faster and more effective sharing of any information that could be useful in the prevention and detection of fraud, and to take all reasonable organisational and technical measures to detect and prevent fraud within their sphere of competence. This would be highly relevant for companies in the telecoms sphere providing such interpersonal communications services. 

In relation to access to mobile devices, the Parliament proposed to insert a provision whereby original equipment manufacturers of mobile devices and ECSPs should allow providers of front-end services effective interoperability with, and access for these purposes to, technical features necessary for storing and transferring data to process payment transactions, on fair, reasonable, and non-discriminatory terms, and that they publish general conditions of effective interoperability and access. The Council suggests deleting this provision and not addressing interoperability at all (except in a recital).

In relation to fees and fee transparency, the Parliament and the Council take somewhat different approaches. 

While the Parliament suggested to introduce a broad ban on surcharging for any payment instrument, the Council does not propose any amendments to the Commission proposal, which would only slightly extend the current surcharging ban from transactions covered by the SEPA Regulation (and transactions covered by the Interchange Fee Regulation) to all direct debits and credit transfers in the Union, in particular transactions denominated in currencies other than the euro.

Without precedent in the Commission and Parliament proposal, the Council has introduced new provisions on fee transparency for card schemes. Under these proposals, payment card schemes and processing entities must display their rules and fees “transparent and consistent” to the acquiring entities to ensure comparability and competition. While the Interchange Fee Regulation already requires providing this information, the new rules would concern how this information is disclosed in a “transparent and consistent” manner and therefore complement the Interchange Fee Regulation. The terms “transparent and consistent” are to be specified in RTS developed by EBA. Acquiring entities would in turn be required to “transparently” disclose merchant services charges to their business payments services users of the payment card scheme consistently with their obligations under the Interchange Fee Regulation. They would also need to communicate any change in scheme and processing rules and fees at least six months in advance before implementation. 

It seems likely that fee issues will receive more attention during the trilogues, even more now that the Commission does not seem to envision a revision of the Interchange Fee Regulation anytime soon.

In respect of strong customer authentication (SCA), compared to the Parliament’s position, the Council proposes additional scenarios in which PSPs must apply SCA, such as when the payer accesses payment account information online or orders the creation or replacement of a token of a payment instrument via a remote channel, or for remote increases of an agreed spending limit or activations of mobile applications on a new device to initiate or give consent to payment transactions. The Council retains the proposal that SCA shall not apply to payment transactions triggered by the payee, including refunds initiated by the original payee in favour of the payer. However, instead of clarifying that this exemption also captures certain payment orders placed by the payee based on a mandate given by the payer (as proposed by the Parliament), the Council advocates for a new article specifically on merchant-initiated credit transfers to which SCA shall not apply, subject to conditions to be specified by way of EBA RTS. Furthermore, the Council proposes clarifying that exemptions from the application of SCA are not mandatory, in the sense that a PSP always retains the right to decide that, under the circumstances, SCA is necessary.

Notably, while the Parliament indicated (in line with the Commission’s original proposal) that the two or more elements of SCA (knowledge – something only the user knows, possession – something only the user possesses, and inherence – something the user is) may belong to the same category, the Council requires that they belong to different categories.

In terms of accessibility regarding SCA, the Council takes a more flexible approach. It would not require PSPs to develop “more than one” means for the application of SCA to cater for the specific situation of all customers – especially older persons and those with disabilities, users with few digital skills, or those who do not have access to digital channels or payment instruments – as proposed by the Parliament. Rather, the Council suggests that PSPs should support payment service users and adequately inform them about the different means available to perform SCA. The Council also recognises that, where the product chosen by the user consists of providing services exclusively through a smartphone, the performance of SCA may be made dependent on the possession of a smartphone.

Under the Council’s position, competent authorities would have a broadened toolkit of supervisory powers, including the ability to require payment institutions to hold additional own funds, order changes to strategies, processes, mechanisms and arrangements, limit businesses, operations or networks, request divestments and risk reductions, restrict profit distributions, or remove managers.

Besides this, the Council proposes to strengthen competent authorities’ investigation and enforcement powers. These would include, for example, seizing items, documents or data, freezing or sequestrating assets, prohibiting payment services, barring offerings to the public, suspending marketing communications, removing content from or restricting access to online interfaces, deleting domain names, accessing data traffic records held by telecommunications operators, or – in the context of investigations – interviewing natural persons irrespective of their consent, or requiring anyone involved in the initiation, conclusion, or processing of payment services, regardless of negligence or knowledge of involvement, to provide information or documents.

The Council’s position also reinforces “naming and shaming” and increases the maximum administrative fines that can be levied in cases of breaches to at least twice the amount of the profits gained therefrom or, if higher, 10% of the total annual turnover (for legal persons) / EUR 5 million (for natural persons). This is in contrast to the Parliament’s position, which provided for a lower ceiling of 7.5% / EUR 2.75 million.