PSD3 & PSR: The New Reality for AML & Sanctions Screening
1. Introduction: The Convergence of Speed and Security
As of November 2025, the European financial services sector stands at a defining juncture, navigating the turbulence of a fundamental regulatory restructuring. For the compliance officer, this period represents not merely an update to existing protocols but a complete reimagining of the compliance function's role within the payments ecosystem. The simultaneous maturation of the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), coupled with the active enforcement of the Instant Payments Regulation (IPR), has created a complex matrix of obligations that demands immediate attention.
2. The Legislative Architecture: PSD3 and PSR
2.1 The Evolution from Directive to Regulation
To understand the specific obligations facing firms in late 2025, one must first appreciate the structural shift in how the European Union drafts payment laws. The transition from the Second Payment Services Directive (PSD2) to a dual framework consisting of a Directive (PSD3) and a Regulation (PSR) is a calculated move to eliminate regulatory arbitrage. Under PSD2, the transposition of directives into national law led to significant fragmentation: a "Gold Plating" phenomenon in which Member States like France, Germany, and the Netherlands applied divergent standards to Strong Customer Authentication (SCA) and licensing.
By moving the substantive conduct of business rules—including transparency, liability, and open banking standards—into the PSR, the EU ensures that these rules apply directly and uniformly across all 27 Member States without the need for national transposition. For the compliance officer, this means the era of navigating 27 different "interpretations" of the same rule is ending. However, PSD3 remains a Directive, focusing on the authorization and supervision of Payment Institutions (PIs). This bifurcation means that while the "rules of the road" (PSR) are rigid and harmonized, the "driver's license" (PSD3) still involves national competent authorities (NCAs).
2.2 Unification of the Licensing Regime
A critical development for compliance teams in non-bank financial institutions is the merger of the Electronic Money Directive (EMD2) into PSD3. Historically, Electronic Money Institutions (EMIs) and Payment Institutions (PIs) operated under separate regimes with distinct capital and safeguarding requirements. PSD3 abolishes this distinction, creating a single category of Payment Service Providers (PSPs). This consolidation simplifies the regulatory landscape but triggers a massive re-authorization burden. Existing EMIs and PIs are currently facing a "grandfathering" period where they must demonstrate compliance with the new, unified standards to retain their licenses. For compliance officers in these firms, 2025 is dominated by gap analyses to ensure their capital adequacy and governance structures meet the elevated PSD3 benchmarks.
2.3 The Liability Shift and Fraud Prevention
Perhaps the most operationally significant change within the PSD3/PSR package is the enhanced liability framework for fraud. The regulator has taken a punitive stance on "spoofing" (impersonation fraud), shifting the liability from the consumer to the PSP in cases where the PSP fails to provide adequate fraud prevention mechanisms. This directly mandates the implementation of Verification of Payee (VoP) systems and requires compliance teams to work more closely than ever with fraud operations. The "gross negligence" bar for consumers has been raised, meaning banks will absorb more losses unless they can prove sophisticated fraud detection was in place and ignored by the user.
Table 1: Structural Comparison of Regulatory Frameworks
| Feature | PSD2 (2015) | PSD3 & PSR (2025 Status) |
|---|---|---|
| Legal Instrument | Directive (required national transposition) | Directive (Licensing) + Regulation (Conduct Rules) |
| Scope | PIs and Credit Institutions | PIs, Credit Institutions, and EMIs (Merged) |
| Open Banking | Basic Access to Accounts (XS2A) | Enhanced Interfaces & dedicated data access dashboards |
| Fraud Liability | Limited Consumer Protection | Expanded Liability for impersonation/spoofing |
| Non-Bank Access | Indirect Access to Settlement | Direct Access to Payment Systems allowed |
3. The Instant Payments Regulation (IPR): The Operational Reality
While PSD3 and PSR represent the medium-term horizon (with full enforcement expected around 2027), the Instant Payments Regulation (IPR) (Regulation (EU) 2024/886) is the immediate, burning platform for compliance officers in November 2025. This regulation fundamentally alters the mechanics of the Single Euro Payments Area (SEPA), mandating that instant credit transfers (SCT Inst) are not a premium feature, but the new normal.
The IPR dictates that Eurozone PSPs must be capable of receiving instant payments by January 9, 2025, and sending them by October 9, 2025. Therefore, as of November 2025, the transition is theoretically complete for Eurozone institutions. The friction points now being experienced are not theoretical; they are live operational issues stemming from the requirement to settle payments within ten seconds, twenty-four hours a day, every day of the year.
This speed requirement is the architect of the new sanctions screening paradigm. The European regulator correctly identified that the primary bottleneck in processing speed was not the core banking ledger, but the financial crime compliance layer—specifically, the transaction filtering systems that halt payments to check for sanctions matches. To resolve this, the IPR introduces a legal prohibition that forces a complete redesign of AML workflows.
4. The Sanctions Screening Revolution
Sanctions screening is the most critical area of uncertainty. The traditional model of "stop-and-scan", where every transaction is halted to check the sender, receiver, and remittance information against sanctions lists, is fundamentally incompatible with the IPR's requirement to settle payments within 10 seconds.
4.1 The Prohibition of Transaction-Based Screening
The most disruptive element of the new regime is Article 5d of the IPR. To ensure that instant payments are not delayed by false positives, the Regulation prohibits PSPs from performing transaction-based screening for EU sanctions lists on individual instant credit transfers.
The regulatory logic posits that if Bank A (the Payer’s bank) screens its customer base daily, and Bank B (the Payee’s bank) screens its customer base daily, then both ends of the transaction are theoretically "clean." Therefore, stopping the transaction in the middle to screen it again is redundant and causes unnecessary friction. This effectively bans the practice of screening the payment message itself for EU sanctions matches for intra-EU instant payments.
Insight for the Compliance Officer: This prohibition is specific. It applies to instant credit transfers and EU sanctions lists. It does not explicitly forbid screening for money laundering patterns or fraud (which is encouraged), nor does it legally forbid screening for non-EU lists (like OFAC). However, the operational constraints of the 10-second timeout effectively make transaction screening for any list highly risky.
4.2 The New Mandate: Daily Periodic Screening
In place of transaction screening, the regulator mandates a rigorous periodic verification regime. The shift is from "screening the flow" to "screening the stock."
Frequency: PSPs must verify their entire Payment Service User (PSU) database against EU sanctions lists at least once every calendar day.
Trigger Events: Screening must also occur immediately after the entry into force of any new or amended restrictive measures.
The definition of "immediately" is a critical operational metric. It implies that compliance teams must have data ingestion pipelines capable of receiving an update from the Official Journal of the EU, parsing it, and running a full database scan within hours, if not minutes. The "daily" requirement is a floor, not a ceiling. In practice, most sophisticated institutions in November 2025 are running these batch checks multiple times a day to minimize the window of exposure.
4.3 Resolving the User's Queries on Sanctions
Question: "Is there anything new there [EU Consolidated List]?"
Analysis: The list itself remains the source of truth, but the method of applying it has inverted. You no longer apply this list to the payment stream; you apply it to the client database. The "new" aspect is the legal prohibition on using this list to stop instant payments.
Question: "Do they have to screen often?"
Analysis: Yes, the frequency has increased and become more rigid. Previously, firms might have screened the database weekly or monthly, relying on transaction filters to catch everything else. Now, the daily screening of the entire customer base is a hard legal requirement. Furthermore, the requirement to screen "immediately" upon new designations forces a 24/7 operational capability for data management.
Question: "Do I need to screen names in every transaction?"
Analysis:
• For EU Sanctions: No. In fact, you must not screen names in the transaction for EU lists if it causes the payment to be delayed or rejected erroneously. The regulation explicitly prohibits this to prevent false positives from breaking the instant payment promise.
• For Non-EU Sanctions (OFAC/UK): This is the gray area. The EU regulation does not govern OFAC compliance. However, if you choose to screen for OFAC names in every transaction, and that screening causes a delay beyond 10 seconds, you are in breach of the IPR's time-out rules. Consequently, most EU banks in late 2025 have disabled transaction screening for intra-EU flows entirely, relying on the assumption that an intra-EU payment is low risk for OFAC violations, or accepting the residual risk.
Question: "Is it helpful API or batch screening?"
Analysis: This question strikes at the heart of the architectural change.
• Batch Screening is Essential: For the IPR requirement (Article 5d), batch screening is the primary tool. You must take your millions of customer records and batch-match them against the EU list every 24 hours. API screening is inefficient for this volume.
• API Screening is Critical for Onboarding: Because you can no longer catch a sanctioned person during the transaction, you must catch them at the door. API-based screening allows for a real-time check before the customer is onboarded or before a new beneficiary is added to a template. If you wait for the nightly batch, you might allow a sanctioned entity to operate for 12 hours. Therefore, API screening is "helpful" and arguably necessary for the onboarding and beneficiary management stages, even if Batch is used for the daily maintenance.
Question: "During onboarding?"
Analysis: Yes. Onboarding is now the most critical control point. Under the old model, if a sanctioned entity slipped through onboarding, the transaction filter would likely catch their first payment. Under the IPR model, there is no transaction filter for EU lists. If a sanctioned entity is onboarded, they can send and receive instant payments freely until the next daily batch run catches them. Therefore, the rigor of the onboarding screen must be absolute.
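An added example (not from the original article or from any screening product) sketching the architecture described in 4.2 and 4.3: a real-time check at onboarding, a full customer-base scan that is due once per calendar day, and an immediate rescan when the list changes. The `Screener` class, the fuzzy-match threshold and all names in the sample data are assumptions made for illustration.

```python
from __future__ import annotations
import unicodedata
from dataclasses import dataclass, field
from datetime import date
from difflib import SequenceMatcher

def normalize(name: str) -> str:
    """Strip diacritics and punctuation, fold case, sort tokens ("Doe, Jane" == "Jane Doe")."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()
    return " ".join(sorted("".join(c if c.isalnum() else " " for c in stripped).split()))

def is_hit(name: str, listed: list[str], threshold: float = 0.9) -> bool:
    """Fuzzy match; the 0.9 threshold is an illustrative assumption, not a regulatory value."""
    n = normalize(name)
    return any(SequenceMatcher(None, n, normalize(entry)).ratio() >= threshold for entry in listed)

@dataclass
class Screener:
    list_version: str
    listed: list[str]
    customers: dict[str, str] = field(default_factory=dict)   # customer id -> legal name
    frozen: set[str] = field(default_factory=set)             # accounts with an open alert
    last_full_scan: tuple[date, str] | None = None            # (calendar day, list version)

    def onboard(self, cust_id: str, name: str) -> bool:
        """Real-time check at the door: a hit is never added to the customer base."""
        if is_hit(name, self.listed):
            return False
        self.customers[cust_id] = name
        return True

    def scan_due(self, today: date) -> bool:
        """Due unless a full scan already ran on this calendar day with this list version."""
        return self.last_full_scan != (today, self.list_version)

    def full_scan(self, today: date) -> set[str]:
        """Screen the stock: every customer against the current list; freeze hits."""
        hits = {cid for cid, name in self.customers.items() if is_hit(name, self.listed)}
        self.frozen |= hits
        self.last_full_scan = (today, self.list_version)
        return hits

    def list_updated(self, version: str, listed: list[str], today: date) -> set[str]:
        """A new or amended list triggers an immediate full rescan, not the next nightly run."""
        self.list_version, self.listed = version, listed
        return self.full_scan(today)

def demo() -> dict:
    """Constructed sample data; all names are fictitious."""
    day = date(2025, 11, 3)
    s = Screener("v1", ["Ivan Exampleov"])
    accepted = [s.onboard("C1", "Jörg Müller-Example"), s.onboard("C2", "Acme Sample Trading GmbH")]
    rejected = s.onboard("C3", "EXAMPLEOV, Ivan")
    morning = s.full_scan(day)
    amended = s.list_updated("v2", ["Ivan Exampleov", "Müller-Example, Jorg"], day)
    return {"accepted": accepted, "rejected_at_door": not rejected,
            "morning_hits": morning, "post_update_hits": amended, "frozen": s.frozen}

if __name__ == "__main__":
    print(demo())
```

Customer C1 passes onboarding and the morning scan, and is caught only by the rescan triggered by the list amendment; with no transaction filter, that interval is the exposure window the section describes.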
4.4 Clarifying Questions from the Commission (November 2025 Update)
To further clarify the operational boundaries of the IPR, the following questions and answers have been synthesized directly from the European Commission's implementation guidance (DG FISMA). These address common "edge cases" that compliance officers often face.
Q1: Does the prohibition on transaction screening apply to "Non-Time Critical" (NTC) payments or bulk files?
Clarification: If a payment does not comply with the definition of an "instant credit transfer" (e.g., a standard SEPA credit transfer or a bulk file processed overnight), the prohibition in Article 5d(2) does not apply. You are free to screen these transactions as usual. However, if your institution offers instant payments, you must still perform the daily database screening for all clients, regardless of which payment rails they use.
Q2: What exactly does "immediately" mean regarding the daily verification requirement?
Clarification: The Commission has clarified that "carried out immediately" implies both the start and the completion of the verification procedure. You cannot launch a batch screen on a calendar day and finish the manual review of alerts on the next business day. The entire process—screening and alert disposition—must be finalized to ensure the database is clean.
Q3: Are we allowed to screen transactions for National Sanctions Lists (e.g., French or German lists)?
Clarification: Yes. Article 5d(2) only prohibits transaction screening for the EU-wide consolidated list. It does not prohibit screening for national lists established by Member States (e.g., lists of entities owned or controlled by designated persons). If a National Competent Authority requires you to screen for a local list, you may do so, provided you can still meet the 10-second settlement requirement.
Q4: Do Payment Initiation Service Providers (PISPs) have to perform this daily screening?
Clarification: No. PISPs that do not handle funds (i.e., they only initiate the payment but do not touch the money) are not subject to Article 5d. They must continue to ensure compliance with general EU restrictive measures and AML/CFT frameworks, but they are not bound by the specific IPR "daily screening" mandate, as they are not the entity executing the transfer.
Q5: If we use the UN Sanctions List, does that count as an "EU List"?
Clarification: Yes. UN Security Council sanctions are implemented in the EU through Council Regulations. Once a UN designation is transposed into the EU framework, it becomes part of the "EU-wide list." Therefore, transaction screening for these UN entities becomes prohibited under Article 5d once they are on the EU list.
Table 2: The Shift in Sanctions Screening Methodologies
| Methodology | Pre-2025 Standard Model | Post-2025 IPR Model (Nov 2025) |
|---|---|---|
| Primary Control | Transaction Filtering (Real-time) | Client Database Screening (Periodic) |
| Screening Trigger | Every Payment Instruction | Daily Calendar / List Update |
| False Positive Handling | Manual Review (Payment Held) | Alert Investigation (Account Frozen post-match) |
| Time Constraint | Flexible (Hours/Days) | None (Screening happens offline) |
| Technology | Payment Engine Integration | Data Lake / Batch Processing |
| Risk Focus | "Stop the Money" | "Identify the Entity" |
5. The Operational Dilemma: EU vs. Global Sanctions Lists
A profound challenge for the compliance officer in November 2025 is the "rock and a hard place" scenario created by the divergence between EU law and global (US/UK) sanctions regimes. The IPR prohibition on transaction screening applies strictly to EU sanctions lists. It does not legally prohibit screening for OFAC (US) or UK sanctions lists. However, the operational reality of the 10-second settlement mandate effectively creates a prohibition.
If a European bank processes a transaction involving a US-sanctioned entity (who is not EU-sanctioned), and they fail to screen the transaction because they disabled their filters to comply with IPR, they risk violating US secondary sanctions. Conversely, if they leave the filter on and it triggers a false positive that delays the payment beyond 10 seconds, they violate the EU IPR.
In November 2025, the industry consensus has largely shifted toward a Risk-Based Approach (RBA). For purely domestic or intra-EEA payments, many institutions have removed transaction filters entirely, accepting the theoretical risk of an OFAC violation to ensure IPR compliance. They justify this by relying on the rigorous daily client screening of both their own customer and the counterparty bank's customer (who is also subject to IPR rules). However, for cross-border payments leaving the SEPA zone, or for transactions involving high-risk jurisdictions, real-time transaction screening remains active, often utilizing high-speed API calls to minimize latency.
6. Politically Exposed Persons (PEPs) and the Single Rulebook
While sanctions screening has undergone a mechanical revolution, the management of Politically Exposed Persons (PEPs) is undergoing a definitional evolution driven by the "Single Rulebook"—the combination of the 6th Anti-Money Laundering Directive (AMLD6) and the Anti-Money Laundering Regulation (AMLR).
6.1 The Harmonization of PEP Definitions
By November 2025, the new Anti-Money Laundering Authority (AMLA) is operational, driving a harmonized interpretation of PEP status across the EU. Previously, definitions of "close associates" or "prominent public functions" varied slightly between Member States. The AMLR now provides a unified definition, reducing the complexity for cross-border compliance.
6.2 The Senior Managing Official (SMO) Nuance
A specific area of regulatory focus in 2025 is the treatment of Senior Managing Officials (SMOs) in corporate entities where no beneficial owner can be identified.
The Clarification: Recent guidance has clarified that while SMOs must be identified for Customer Due Diligence (CDD) purposes, they are not automatically treated as Beneficial Owners for the purpose of PEP screening.
Operational Impact: Compliance officers do not need to apply full Enhanced Due Diligence (EDD) and PEP screening to every CEO of a corporate client unless a specific risk factor is present. This distinction is crucial for reducing the "noise" in PEP screening programs.
6.3 The EU Functional PEP List
To assist compliance officers, the EU Commission now publishes a Consolidated Functional PEP List.
Nature of the List: It is vital to understand that this is not a list of names. It does not list "Olaf Scholz" or "Emmanuel Macron." Instead, it lists the functions (e.g., "Chancellor," "Minister of Finance," "Supreme Court Judge") that qualify as PEP positions in each Member State.
Operational Requirement: Compliance officers cannot simply "download the EU list" and screen against it. They must continue to engage commercial data providers (e.g., LSEG World-Check, Dow Jones, Moody's) who map these functional titles to the actual human beings currently holding office. The EU list serves as the legal validation layer for these commercial databases.
7. Verification of Payee (VoP): The New Fraud Control
Strictly speaking, Verification of Payee (VoP) is a fraud prevention mechanism, mandated by the IPR to combat Authorized Push Payment (APP) fraud. However, its implementation has significant collateral benefits for sanctions screening and compliance data quality.
7.1 The Mechanism
VoP requires the Payer’s PSP to verify the consistency between the payee’s name and payment account identifier (IBAN) before the payer authorizes the transaction. If there is a mismatch (e.g., the user types "Tesla Motors" but the IBAN belongs to "John Doe"), the system must alert the payer.
7.2 Integration with Compliance
For the compliance officer, VoP is a powerful data hygiene tool.
Reduced False Positives: By ensuring that the name on the payment instruction matches the legal name on the account before the payment is sent, VoP reduces the incidence of "garbage data" entering the payment system. Cleaner data means fewer false positives if and when sanctions screening is applied (e.g., for cross-border flows).
Sanctions Evasion: VoP makes it harder for bad actors to solicit payments under false pretenses (e.g., giving a sanctioned entity's IBAN but asking the sender to write a generic company name). The VoP check would flag the mismatch, potentially preventing the flow of funds to the sanctioned account.
8. Business Impact: Who is Affected?
The scope of PSD3, PSR, and IPR is exhaustive, affecting the entire financial value chain.
8.1 Credit Institutions (Banks)
Banks face the heaviest burden. They must overhaul their legacy mainframes to support 24/7 instant processing. The removal of transaction screening requires a fundamental re-engineering of their financial crime controls. They are the primary targets of the IPR's "send and receive" mandates.
8.2 Payment Institutions (PIs) and E-Money Institutions (EMIs)
These entities are deeply affected by two forces:
Re-authorization: PSD3 requires them to re-apply or validate their licenses under the new merged regime.
IPR Compliance: PIs and EMIs are fully in scope for the Instant Payments Regulation. They must offer instant payments to their users and adhere to the same screening prohibitions as banks. This is a significant technological leap for many smaller fintechs that relied on batch processing or third-party banking partners.
8.3 Third-Party Providers (TPPs)
Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) benefit from PSD3's improved open banking interfaces (APIs) but must comply with stricter fraud reporting and liability rules. PISPs, in particular, must integrate with the VoP systems of the banks they initiate payments from.
8.4 Corporates and Merchants
While not directly regulated as PSPs, large corporates are affected operationally. Their Treasury Management Systems (TMS) and Enterprise Resource Planning (ERP) systems must be upgraded to handle instant payment formats (ISO 20022) and to respond to VoP checks. They benefit from improved cash flow but face stricter requirements for data accuracy in their payment files.
9. Conclusion: The Compliance Officer as Data Guardian
The transition culminating in November 2025 marks the end of "compliance as a gatekeeper" and the beginning of "compliance as a data guardian." The regulatory framework of PSD3, PSR, and IPR has made a clear value judgment: speed and liquidity are paramount, and the friction of traditional transaction monitoring is no longer an acceptable cost of doing business within the Eurozone. For the compliance officer, this necessitates a strategic pivot. The safety net of the transaction filter has been removed for instant payments. Security now relies entirely on the integrity of the client database. If the database contains a sanctioned entity, the system will not stop them from transacting; only the daily batch screen will catch them—potentially hours later. Therefore, the rigor of onboarding (using real-time API screening) and the hygiene of client data (daily batch screening) are the new front lines of defense. The "stop-and-scan" era is over; the "know-your-data" era has begun.
Detailed Compliance Checklist for 2026
| Area | Action Item | Deadline/Status |
|---|---|---|
| Sanctions | Disable Transaction Screening for intra-EU SCT Inst flows to comply with Art 5d IPR. | Immediate (Must be active now) |
| Sanctions | Implement Daily Batch Screening of the full client database against EU lists. | Active (Daily requirement) |
| Sanctions | Establish capability for "Immediate" Re-screening upon list updates (Official Journal). | Active |
| PEPs | Update PEP screening policies to reflect SMO guidance (risk-based vs. mandatory). | Ongoing |
| Onboarding | Implement Real-Time API Screening for all new customers (Sanctions + PEPs). | Critical (Primary control) |
| Fraud | Ensure Verification of Payee (VoP) is active for outgoing payments. | Active (Oct 2025 deadline passed) |
| Governance | Conduct PSD3 Gap Analysis regarding re-authorization (for PIs/EMIs). | Q4 2025 Priority |
| Ops | Verify IT systems can handle 10-second settlement 24/7/365 without timeouts. | Active |