PSD2 (and PSD3)
The EU's payment-services framework - governing payment institutions, strong customer authentication and open banking access - currently being updated to PSD3 / PSR.
Scope
PSD2 (Directive (EU) 2015/2366, applicable since January 2018) regulates payment-service providers in the EU: licensing of payment institutions and e-money institutions, conduct rules, security requirements (including Strong Customer Authentication under the RTS), and access to payment-account information for licensed third-party providers (PISPs and AISPs).
Strong Customer Authentication
SCA requires authentication using at least two independent factors among knowledge, possession and inherence. SCA shaped the modern e-commerce payment flow (3-D Secure 2) and continues to evolve through EBA Q&A.
PSD3 / PSR
The proposed PSD3 Directive and Payment Services Regulation (PSR) - currently in trilogue - modernise PSD2 with stronger fraud-liability rules (notably for APP fraud), an enhanced confirmation-of-payee regime, and a clearer split between the licensing (PSD3) and harmonised rulebook (PSR) layers.
Why it matters to AML
Payment-services data flows are the single richest source for transaction monitoring and mule detection. PSD2/3's open-data architecture, combined with the EU Instant Payments Regulation (2024/886), is rapidly reshaping the timing and depth of fraud and AML controls.