While much of the commentary has focused on open banking provisions and fraud liability, the changes to client fund safeguarding are the most operationally consequential for platforms holding customer money.
On 27 November 2025, the European Parliament and Council reached a provisional political agreement on PSD3 and PSR. Formal adoption is expected in the first half of 2026, with an 18 to 24-month transition period before compliance becomes mandatory. That places full compliance in the second half of 2027 or early 2028. Combined with the UK's parallel reforms under PS25/12 and the US GENIUS Act, the direction is globally consistent: client funds must be structurally segregated.
What PSD3 changes for safeguarding
PSD3 consolidates PSD2 and the revised Electronic Money Directive (EMD2) into a single licensing and supervisory framework for payment institutions. The European Commission's legislative package goes beyond the current regime in several specific areas. Most significantly, the PSR is directly applicable EU regulation, removing the variation that previously existed across member state implementations of PSD2 and ensuring uniform standards across the bloc.
Segregation at receipt means funds must enter a safeguarding account the moment the institution has an entitlement to them. PSD3 eliminates the current practice of receiving funds into operational accounts and subsequently transferring them into safeguarding. Client funds must never, at any point, be commingled with the institution's own funds. The directive also permits payment institutions to safeguard client funds directly with central banks, where the relevant central bank allows it.
The re-licensing requirements add operational urgency. Existing payment institution licences remain valid for a maximum of 30 months, but firms must submit new applications under the PSD3 framework within that window. As Norton Rose Fulbright's PSD3 readiness analysis notes, existing EMIs must demonstrate compliance with updated governance arrangements, DORA-compliant ICT frameworks, safeguarding policies aligned with PSD3, and revised capital requirements. This is not a simple compliance update. It is an infrastructure overhaul.
Two parallel regimes for cross-border firms
For platforms operating in both the UK and EU, the challenge is satisfying two safeguarding regimes simultaneously. The approaches share the same objective, structural protection of client funds, but differ in mechanism. The UK is moving toward a statutory trust framework for safeguarded funds, building on the FCA's existing Client Assets Sourcebook (CASS) approach. The Supplementary Regime, effective May 2026, introduces daily reconciliation, resolution packs, and audit requirements as interim measures.
The EU avoids trust concepts, relying instead on strict segregation and regulatory oversight. PSD3's segregation-at-receipt requirement establishes a structural prohibition on commingling. As DLA Piper's PSD3/PSR analysis notes, the PSD3 updates provisions relating to payment institutions and integrates e-money institutions as a sub-category, while the PSR replaces most of PSD2's conduct and market rules with a directly applicable instrument. Cross-border firms will need to design frameworks capable of satisfying both the UK's trust-based approach and the EU's strict segregation model simultaneously.
MiCA adds a third dimension for firms involved in e-money tokens, which must be safeguarded under MiCA rather than PSD3. Norton Rose Fulbright notes that the practical challenge of determining which e-money token activities require a PSD3 licence in addition to MiCA authorisation remains significant, with two-licence outcomes necessary for certain business models. The compliance architecture for a cross-border platform operating in the UK and EU, handling both fiat and tokenised assets, is now a multi-regime problem that demands unified infrastructure.
The infrastructure response
Platforms that currently hold client funds in pooled accounts face the most significant adjustment. Pooled structures, where a single bank account holds funds for multiple clients tracked by an internal ledger, are fundamentally at odds with the segregation-at-receipt requirement. If funds enter an operational account before being transferred to safeguarding, the commingling has already occurred, regardless of how quickly the transfer happens. The architecture itself must prevent commingling, not the process layered on top of it.
Named account structures, where each client's funds enter a distinct named custody account at the point of receipt, satisfy the segregation requirement by design. The funds are never commingled because the account structure prevents it. The reconciliation question simplifies from "does our ledger match the bank's aggregate balance" to "does each named account hold the correct amount." The compliance burden shifts from process to architecture.
For platforms operating across the UK and EU simultaneously, a custody architecture that provides structural segregation satisfies both regimes. The named account is both a trust asset under UK law and a segregated safeguarding account under EU regulation. One infrastructure decision addresses both. Platforms that build for the stricter of the two requirements will automatically comply with both, avoiding the cost of maintaining separate custody architectures for each jurisdiction.
Preparing for 2027
The preparation timeline starts now. Platforms should be working through several parallel workstreams:
The Lexology global payments analysis notes that 2026 will see significant regulatory activity around PSD3 implementation, including EPC standard updates, AMLA preparation for direct supervision, and ongoing national-level work. Platforms that wait for final rules before beginning infrastructure changes will find themselves under time pressure.
Lorum provides custody and multi-currency clearing infrastructure that meets the segregation requirements of both the UK and EU regimes. Structural segregation by design, not process, across 30+ markets through a single integration. The preparation window for PSD3 compliance is narrowing. The infrastructure decisions platforms make in 2026 will determine their regulatory posture for years to come.
