IPR + PSD3 Combined: A Perfect Storm for European PSPs

1 September 2025

October 2025 and 2026 mark two huge regulatory shifts for the EU payments industry.
First, the Instant Payments Regulation (IPR) comes into effect. It mandates that euro-denominated transactions in the EEA must be processed in under 10 seconds, 24/7. No delays, no buffers.
Second, 2026 will bring in PSD3, the next evolution of the Payment Services Directive. Unlike PSD2, which focused on preventing unauthorized fraud, PSD3 goes further. It holds banks liable for authorized fraud too, especially impersonation scams.
The result is a perfect storm. Transactions have to be instant, but if a scammer tricks someone into authorizing a payment, the bank could be held responsible.
For PSPs, this changes everything.
Fraud detection systems can no longer rely on post-transaction reviews. Authentication must happen in real time and provide undeniable proof of identity.
That means two things:
  • You need to know the person authorizing the payment is the same person who opened the account.
  • You need to prove they were present on the device at the time of the transaction.
Passwords and SMS OTPs can’t do this. Neither can most passkey or token-based systems.
Biometrics, above all decentralized models, can.
Our upcoming report explores:
  • How IPR will force faster fraud prevention systems.
  • What PSD3’s liability shift means for authentication.
  • Why biometrics are now critical for transaction approval.
Europe’s new rules make authentication the frontline of fraud defense. Make sure your systems are ready.
Don’t miss our full analysis in The State of Authentication 2026, launching this October. The State of Authentication 2026 report will cover the five key forces reshaping authentication in the year ahead.
  • Stricter privacy and biometric compliance laws – and why decentralized biometrics are emerging as the only viable long-term solution.
  • Digital identity wallets – and how they’re set to replace traditional KYC and recovery flows.
  • The collision of IPR and PSD3 – and what it means for fraud, liability, and real-time authentication.
  • The evolving deepfake threat – and how organizations can future-proof their biometric systems today.
  • The limitations of passkeys – and why they’re not enough for high-risk scenarios.
Read Next
Blog
Authentication vs Authorization: What’s the Difference and Why it Matters
In this blog, we’ll break down authentication vs authorization in simple terms, explain why both are essential, and show how Keyless handles authentication in a more secure and private way.
Read Now
Blog
Phishing-Resistant MFA: What It Is and Why You Need It
In this blog, we’ll explain what phishing-resistant MFA is, why it’s essential for securing accounts and preventing breaches, and how businesses can implement it to protect both users and sensitive data.
Read Now
Blog
Passkeys Are Here to Stay. But Don’t Bet Everything on Them
Passkeys improve UX but struggle in high-risk scenarios like recovery or large transactions. Where do biometrics fit in? Read our preview blog ahead of the publication of the 2026 Authentication Trends Report.
Read Now
Consumer SolutionsWorkforce SolutionsTechnologyIndustriesResourcesCompanySupport Center
PSD2/SCA CompliantPSD2/SCA Compliant
GDPR CompliantGDPR Compliant
CCPA CompliantCCPA Compliant
FIDO2 CertifiedFIDO2 Certified
FIDO Biometrics CertifiedFIDO Biometrics Certified
ISO 27001 CertifiedISO 27001 Certified
ISO 9001 CertifiedISO 9001 Certified
ISO/IEC 30107-3 CertifiedISO/IEC 30107-3 Certified
NIST AccreditedNIST Accredited
eIDAS Module CertifiedeIDAS Module Certified
© 2025 Keyless. All rights reserved.
Cookie Settings