The EU's regulatory stack just got a lot heavier. The Instant Payments Regulation entered into force in April 2024, and by October 2025, every payment service provider offering SEPA Credit Transfer must also send instant payments and run name-IBAN checks on every transaction. That's not a soft nudge. That's a hard mandate, and it arrives years before PSD3/PSR enforcement begins. The engineering question is no longer "when do we start?" It's "are we building a platform or another compliance patch?"
What Changed in the EU Regulatory Stack
- •January 2025: Euro-area PSPs must receive instant payments and charge fees equal to or lower than standard SEPA Credit Transfer rates, collapsing the pricing premium that previously suppressed instant payment volumes.
- •October 2025: Sending instant payments becomes mandatory for all PSPs offering SEPA Credit Transfer, and name-IBAN verification (payee verification) must warn payers when the beneficiary name doesn't match the IBAN.
- •April 2026: COREPER endorsed the PSD3/PSR trilogue texts, with European Parliament approval expected mid-2026 and full operational compliance obligations landing approximately 21 months after Official Journal publication, pointing to 2028.
Why This Matters Beyond the Compliance Checkbox
Most commentary frames this as a cost story: banks lose fee income on instant payments, absorb new liability exposure under PSR's extended technical-provider accountability, and fund multi-year remediation programmes. That framing is accurate but incomplete. The more important story for engineering leaders is structural. The October 2025 mandate for instant sending and payee verification doesn't exist in isolation. It arrives alongside the PSD3/PSR requirement for multiple SCA methods offered free of charge, expanded SCA triggers covering contact-detail changes and spending-limit modifications, and direct liability for technical service providers when their failure causes financial damage. These aren't parallel workstreams. They are the same platform problem. Consider what each requirement actually demands at the infrastructure layer:
| Regulatory Requirement | Infrastructure Implication |
|---|---|
| SEPA Instant send/receive (24/7/365, ≤10 seconds, up to €100,000) | Sub-second event processing, always-on SLOs, no batch-window tolerance |
| Name-IBAN payee verification | Real-time directory lookup, matching logic, payer-facing notification path |
| Expanded SCA triggers | Consent and session-state management across more user actions |
| Multiple SCA methods (including accessibility options) | Auth orchestration layer that isn't bolted onto a single channel |
| Direct liability for technical providers | Observability, audit trails, and incident response at production grade |
| Open banking API harmonisation under PSR | Stable, versioned, monitored API gateway with fine-grained consent |
A bank that builds these as six separate projects will spend more, ship slower, and end up with a worse platform than one that treats the list as a single set of shared services.
The Three Bets Engineering Leaders Should Make Now
Bet 1: Build the Fraud and AML Stack as a Streaming Platform
The payee verification requirement under the Instant Payments Regulation is structurally identical to the UK's Confirmation of Payable programme. UK banks that built CoP as a point solution in 2020 are now re-plumbing it to feed machine-learning risk models. EU banks have the advantage of watching that mistake in real time. The right architecture treats name-IBAN matching as one signal feeding a streaming fraud-detection service, not a standalone lookup. Design it with a well-defined event schema from day one: payer IBAN, payee IBAN, payee name, transaction amount, timestamp, channel, and session context. That schema becomes the feature store for anomaly detection, behavioural biometrics, and transaction risk scoring without re-engineering the core rails when ML teams need access. KPMG's analysis of the regulation confirms that the name-IBAN check is framed explicitly as an anti-authorised-push-payment (APP) fraud control. That means regulators are already conceptually linking payment execution to fraud detection. Your architecture should too. Engineers to hire: streaming platform engineers with Kafka and Flink production experience, not just Spark batch engineers. The latency requirements for a 10-second payment window and a synchronous fraud check are unforgiving.
Bet 2: Treat the SCA Orchestration Layer as a Product
PSR requires SCA options that work for users with disabilities, limited digital skills, or no smartphone. That's not an edge case; Eurostat data consistently shows 15-20% of EU adults have low digital skills. Building SCA as a single-channel flow with a fallback SMS OTP doesn't satisfy the regulation and doesn't serve a significant portion of your user base. The engineering implication is an auth orchestration layer that presents multiple SCA methods based on user capability signals, device context, and risk score. Think of it as an identity router: the same authentication event triggers different method offers depending on what the session context and user profile suggest. This is the same architecture pattern that makes SCA extensible when new methods (passkeys, biometrics, device binding) become viable without rewriting the payment initiation flow each time. This layer is also a commercial asset. A bank that exposes a well-documented, consent-aware SCA API to third-party PISPs operating under PSR's harmonised access rules is more attractive to fintech partners than one offering a brittle redirect-based flow. The PSR explicitly targets open banking enablement by tightening AISP/PISP registration and harmonising conduct rules. Banks that build to be good open banking platforms will attract better fintech partners.
Bet 3: Structure Capex Around a Platform Vision, Not Compliance Milestones
Here is where most banks get this wrong. The January 2025 receive-only mandate passes. A small team ships a point solution. The October 2025 send mandate approaches. A different team ships a different point solution. PSD3/PSR enforcement lands in 2028. A third team discovers the first two solutions don't compose. The right budget structure for 2026 through 2028 is a 2-3 year capex programme with four shared platform components:
API gateway layer: versioned, monitored, with fine-grained consent and rate-limiting that satisfies both PSR's open banking access requirements and internal product teams.
Consent and authorisation service: manages SCA, session state, and delegated access for AISPs and PISPs under PSR's harmonised rules.
Real-time payments engine: handles SEPA Instant execution with 24/7 SLOs, integrated with the fraud-signal pipeline.
Risk services layer: name-IBAN verification, transaction risk scoring, and AML event streaming, designed as internal APIs that can be productised externally.
The ECB has been explicit about the linkage between instant payments infrastructure and open banking adoption. Banks that build the real-time rails and then expose them through stable open banking APIs are positioned to capture the B2B revenue that fintechs currently capture by sitting between banks and their corporate clients.
The Revenue Case Is Real, But It Requires Intentional Architecture
The ACI Worldwide analysis of PSD3/PSR and J.P. Morgan's assessment both acknowledge the compliance cost burden. What neither fully prices in is the new revenue surface. A bank with a production-grade, PSR-compliant open banking gateway can:
- •Offer white-label instant-payout infrastructure to marketplaces and gig-economy platforms that need sub-10-second settlement.
- •Sell IBAN/name verification as a risk API to merchants who need APP fraud protection without building their own SEPA connectivity.
- •Price premium account-status and balance-check APIs for corporate treasury clients who need real-time cash visibility.
- •Attract fintech partnerships that currently route around banks because PSD2 APIs were too unreliable to build on.
The fee-compression story on instant payments is real: equal-or-lower pricing means volume grows, but per-transaction margin shrinks. The offset is higher-value services layered on top of the same rails. That offset only materialises if the rails and the APIs are product-grade from the start.
What to Prioritise in the Next 18 Months
The 2028 PSR enforcement date creates a false sense of runway. The instant payments mandates are already live or landing this year. The architectural decisions made in 2026 will determine whether the PSD3/PSR build in 2027 is incremental or a ground-up rework. Three prioritisation calls that matter:
Commit the event schema now. Define the canonical payment event format that fraud, SCA, open banking, and audit all share. Changing this later is expensive. Changing it after ML models are trained on it is very expensive.
Hire for latency, not throughput. Banks that built batch-centric fraud and AML pipelines for PSD2 compliance will find them structurally inadequate for 10-second payment windows with synchronous risk checks. The hiring profile needs to shift toward engineers with experience in low-latency, event-driven systems.
Treat Plaid as infrastructure, not integration. For European fintechs and banks building on top of open banking rails, Plaid's data connectivity layer handles the complexity of multi-bank account data normalisation and consent management in ways that would take years to replicate in-house. Using Plaid to abstract the AISP data layer frees your engineering team to focus on the payments execution and risk layers where differentiation actually lives.
The EU regulatory cycle from PSD2 to the Instant Payments Regulation to PSD3/PSR has taken a decade to produce this moment: a synchronised mandate for instant rails, verified payees, modernised authentication, and harmonised open banking access. Banks that treat it as three separate compliance projects will spend the next decade catching up to fintechs that built on the resulting infrastructure. Banks that build the platform now will be the infrastructure.
Ready to power your app with secure financial data?
Join leading fintechs leveraging Plaid APIs to simplify onboarding, drive compliance, and deliver next-level user experiences.
Read More Blog Posts
Plaid vs MX: Building Production-Grade Financial Agent Workflows
Plaid and MX both connect fintech applications to financial institutions, but they model the problem differently—and that difference matters when building agent
Build production-grade agent workflows with Plaid data access
Enterprise AI agents accessing financial data require sandboxed tool access, deterministic fallbacks, and auditable workflows to meet regulatory and reliability