rwxt | Ship Fast. Launch Right.

Navigating open banking and PSD3: what UK fintech founders need to know in 2026

Josh

January 23, 2026


The payments world rarely stands still. By early 2026 the third Payment Services Directive (PSD3) and accompanying Payment Services Regulation (PSR) had progressed to the final stages of Brussels negotiations. A consensus was reached late in 2025, with European institutions aiming to finalise the rules in the first half of 2026. PSD3 replaces PSD2, which came into force in 2018 and was implemented unevenly across member states. The new regime will be a hybrid: PSD3 will harmonise licensing and supervision requirements for banks and payment institutions, while the PSR will directly apply in all EU states, covering issues such as open data access, fraud prevention and strong customer authentication. Although the UK left the EU, it has kept its payments framework close to European rules; British firms with European clients will need to comply with PSD3/PSR when operating across borders.

The strategic opportunity of Open Finance

Open banking has moved beyond its experimental phase. Lauren Jones of Paylume notes that PSD3 and the PSR provide the legislative framework to advance open banking and open finance; she argues that banks should view these reforms as a strategic opportunity rather than a box-ticking exercise. Early adopters can unlock new revenue models by becoming consumers of data themselves, rather than just providers. The EU's parallel framework, the Financial Data Access Act (FiDA), will create rules for sharing financial data beyond payments and will push banks toward a data economy. Failure to build APIs that can consume third-party data could leave established institutions vulnerable to nimble fintechs.

For UK founders, this means designing products that can operate seamlessly with data held by banks and insurers across Europe. Payments will need to be initiated, verified and reconciled via APIs with real-time fraud checks. It also means updating terms of service and customer consents to reflect new liability rules: the PSR will shift the burden of fraudulent payments away from users and onto providers. Fintechs should expect to process and share more transaction data with issuers and fraud engines, sometimes without explicit user consent, if strictly necessary for fraud prevention. That raises ethical questions about data minimisation and privacy. Businesses must invest in risk controls that can operate at wire speed without introducing friction.

Instant payments and instant fraud

Barry Rodrigues of Finastra observes that more than 80 countries now operate instant payment schemes and predicts that one in four global payments will be real-time by 2028. Europe's Instant Payments Regulation, which entered into force in late 2025, removes the 100,000 euro ceiling on instant transfers and makes immediacy the default. The result is that fraudsters have new avenues to exploit. Verification of Payee services rolled out across Europe in 2025, but many corporate payments remain exempt from strong customer authentication.

That risk is not theoretical. A joint report by the European Central Bank and European Banking Authority put the total value of payment fraud in the European Economic Area at 4.2 billion euros in 2024, up from 3.5 billion euros in 2023. Juniper Research predicts an 85% jump in global investment in fraud detection and prevention, from $21 billion in 2025 to $39 billion in 2030. PSD3 addresses this by tightening the rules on strong customer authentication: authentication methods must be accessible for all users and cannot rely solely on smartphones, and the regulation clarifies that extra data can be processed without consent if strictly necessary to prevent fraud. For founders this means building authentication flows that work for visually impaired customers, those with low-end devices and those on patchy broadband, while still achieving near-zero false positives. It also means collaborating closely with fraud-prevention vendors and banks to share threat intelligence via APIs.

UK alignment and divergence

The UK is no longer obliged to implement EU regulations, but its regulators are aligning with many of the same principles. The Payment Systems Regulator has consulted on extending Confirmation of Payee to all banks and large PSPs and is expected to introduce mandatory reimbursement for authorised push-payment fraud. British firms operating in Europe will have to hold an EU licence or partner with one; PSD3 will grant national supervisors greater power over agents and distributors. At the same time, the UK's Data (Use and Access) Act (June 2025) and forthcoming Digital Verification Services regime will underpin digital identity infrastructure, including a statutory register of verified identity providers and a UK trust mark. That law will enable public authorities to share information with providers and should make it easier for consumers to authorise payment and credit checks across services.

For fintech startups, the confluence of PSD3 and domestic digital identity rules creates both opportunity and complexity. On the one hand, digital verification could reduce onboarding friction and cut fraud; on the other, it introduces dependencies on government-approved providers and adds compliance obligations. Founders will need to design identity verification flows that meet EU and UK standards while remaining usable. They will also need to update privacy policies to explain when data will be shared with third parties for fraud prevention.

Beyond payments: open data in 2026

Looking ahead, the move from open banking to open finance and open data suggests that 2026 will be the year banks become data consumers as well as producers. The UK's competition watchdog has signalled its intention to push for open finance legislation, while HM Treasury's Smart Data proposals could extend data-sharing rules to pensions, mortgages and telecoms. The strategic question for founders is whether to build narrowly around payments or broaden into financial wellness, cash-flow forecasting and credit underwriting using enriched data sets. Those who embrace the data opportunity may discover new revenue models through premium analytics or embedded finance.

In 2026, the regulatory pendulum is swinging towards consumer protection and data portability. Fintech founders cannot treat compliance as an afterthought; they must bake regulation into their product architecture. Those who do will not only avoid fines but also gain an edge in the new data economy.

