PSD3 & Open Banking: What Currency Exchange APIs Must Do to Comply by 2026
The EU's Payment Services Directive 3 (PSD3) introduces mandatory FX transparency requirements that reshape how currency exchange APIs operate in Europe. Providers must disclose markups, offer real-time rate comparisons, and expose standardized APIs for third-party access. Companies that adapt early gain a 2-year compliance head start over competitors scrambling at the deadline.
PSD3 Compliance: What Changes and When
Table of Contents
- 1. What PSD3 Is and Why It Matters for Currency APIs
- 2. PSD2 vs PSD3: What Changed for Currency Services
- 3. Mandatory FX Transparency: Rate Disclosure Requirements
- 4. Implementation: Building a PSD3-Compliant Currency API
- 5. Consent Management & Open Banking Security
- 6. Compliance Checklist: 12 Requirements to Meet
- 7. What Non-EU Currency API Providers Must Do
- 8. Frequently Asked Questions
1. What PSD3 Is and Why It Matters for Currency APIs
The Payment Services Directive 3 (PSD3) is the European Union's next regulatory framework for payment services, proposed by the European Commission in June 2023. While PSD2 (enforced in 2019) established the foundation for open banking through Strong Customer Authentication (SCA) and account access, PSD3 expands that framework to include stricter rules for currency conversion — directly affecting any API that provides exchange rates or conversion services to EU consumers.
PSD3 Timeline: Key Milestones
For currency exchange APIs, PSD3 introduces three critical obligations that don't exist under PSD2:
FX Transparency
Mandatory disclosure of exchange rate markups. Every conversion must show the mid-market rate, provider rate, and exact cost of the spread applied.
Open API Access
Currency conversion services must expose standardized APIs for licensed third-party providers to access rates and perform conversions on behalf of customers.
Markup Cap
PSD3 proposes a 3% cap on FX markups for consumer payments. This directly affects any API that applies spreads to mid-market rates before quoting conversions.
2. PSD2 vs PSD3: What Changed for Currency Services
PSD2 focused primarily on account access and SCA. Currency conversion was mentioned but not regulated in detail. PSD3 closes this gap with specific, enforceable requirements for any entity that converts currencies as part of a payment chain.
PSD2 vs PSD3: Currency Service Comparison
| Requirement | PSD2 (2019) | PSD3 (2026) |
|---|---|---|
| FX Rate Disclosure | Not required | Mandatory |
| Markup Transparency | Not required | Mandatory |
| Mid-Market Rate Comparison | Not required | Mandatory |
| FX Markup Cap | None | Proposed 3% |
| Open API for FX Services | Not required | Mandatory |
| Strong Customer Authentication | Required | Required (enhanced) |
| Third-Party API Access | Account access only | FX + payments |
| Audit Trail Requirements | Limited | Comprehensive |
3. Mandatory FX Transparency: Rate Disclosure Requirements
The most significant change for currency exchange APIs is the FX transparency requirement. Every conversion presented to an EU consumer must include three pieces of information: the mid-market (interbank) rate, the provider's applied rate, and the exact markup between them.
What PSD3-Compliant FX Disclosure Looks Like
Before PSD3, a currency API might return a single converted amount. After PSD3, the response must include full rate transparency:
Before PSD3 (Non-Compliant)
```json
{
  "from": "EUR",
  "to": "GBP",
  "amount": 1000,
  "converted": 842.50
}
```
After PSD3 (Compliant)
```json
{
  "from": "EUR",
  "to": "GBP",
  "amount": 1000,
  "converted": 842.50,
  "midMarketRate": 0.8510,
  "providerRate": 0.8425,
  "markupPct": 1.00,
  "markupCost": 8.50,
  "rateSource": "independent"
}
```
Why Independent Rate Sources Matter
PSD3 requires that the mid-market rate used for comparison comes from an independent source — not the provider's own rate feed. This prevents providers from manipulating the "mid-market" rate to make their markup appear smaller. Currency-Exchange.app provides rates sourced from global forex markets, making it a suitable independent reference for PSD3 compliance comparisons.
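A consumer of the compliant response can recompute every derived field from the two disclosed rates rather than trust it. The check below is an added example, not code from the original page; `verifyDisclosure`, the rounding tolerances, and accepting only `rateSource: "independent"` are assumptions made for illustration.

```typescript
// Added example: field names follow the compliant response shown above.
interface FxDisclosure {
  from: string; to: string; amount: number; converted: number;
  midMarketRate: number; providerRate: number;
  markupPct: number; markupCost: number; rateSource: string;
}

const CAP_PCT = 3.0; // proposed consumer markup cap cited on this page

// The page's own compliant response, used as the known-good sample.
const PAGE_EXAMPLE: FxDisclosure = {
  from: "EUR", to: "GBP", amount: 1000, converted: 842.5,
  midMarketRate: 0.851, providerRate: 0.8425,
  markupPct: 1.0, markupCost: 8.5, rateSource: "independent",
};

// Returns a list of inconsistencies; an empty list means the quote adds up.
function verifyDisclosure(q: FxDisclosure): string[] {
  const nums = [q.amount, q.converted, q.midMarketRate, q.providerRate,
                q.markupPct, q.markupCost];
  const allValid = nums.every((n) => Number.isFinite(n) && n >= 0);
  if (!allValid || !(q.midMarketRate > 0)) {
    return ["numeric field missing, negative or not finite"];
  }
  const near = (a: number, b: number, tol: number): boolean =>
    Math.abs(a - b) <= tol;

  // Recompute each derived value from the two rates (tolerances are assumed).
  const spread = q.midMarketRate - q.providerRate;
  const expectedPct = (spread / q.midMarketRate) * 100;
  const problems: string[] = [];
  if (!near(q.converted, q.amount * q.providerRate, 0.005))
    problems.push("converted does not equal amount * providerRate");
  if (!near(q.markupCost, q.amount * spread, 0.005))
    problems.push("markupCost does not match the rate spread");
  if (!near(q.markupPct, expectedPct, 0.01))
    problems.push("markupPct does not match the rate spread");
  if (expectedPct > CAP_PCT)
    problems.push("markup exceeds the proposed cap");
  if (q.rateSource !== "independent")
    problems.push("mid-market rate is not independently sourced");
  return problems;
}
```

Arithmetic consistency does not prove the mid-market figure is genuine, which is why the rate source is checked separately.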
4. Implementation: Building a PSD3-Compliant Currency API
The following implementation shows how to build a PSD3-compliant conversion endpoint. It fetches the independent mid-market rate from Currency-Exchange.app, applies your markup, and returns full transparency disclosure in the response.
```typescript
// PSD3-Compliant FX Transparency Endpoint
// Discloses markups and compares to mid-market rate
async function getCompliantConversionQuote(
  fromCurrency: string,
  toCurrency: string,
  amount: number,
  providerMarkup: number // e.g. 0.015 = 1.5%
) {
  const apiKey = process.env.FX_API_KEY;
  if (!apiKey) {
    throw new Error('FX_API_KEY is not set');
  }

  // 1. Fetch mid-market rate (independently sourced)
  const midMarketResponse = await fetch(
    'https://currency-exchange.app/api/v1/convert',
    {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'x-api-key': apiKey,
      },
      body: JSON.stringify({
        from: fromCurrency,
        to: toCurrency,
        amount: amount,
      }),
    }
  );
  // Fail closed: never build a quote from an error response
  if (!midMarketResponse.ok) {
    throw new Error(`Rate lookup failed: HTTP ${midMarketResponse.status}`);
  }
  const midMarketData = await midMarketResponse.json();
  const midMarketRate = midMarketData.rate;
  if (typeof midMarketRate !== 'number' || !(midMarketRate > 0)) {
    throw new Error('Rate lookup returned no usable rate');
  }

  // 2. Calculate provider rate with markup.
  // The markup lowers the rate the customer receives, so the provider
  // rate sits below mid-market, as in the compliant response shown earlier.
  const providerRate = midMarketRate * (1 - providerMarkup);
  const providerAmount = amount * providerRate;
  const midMarketAmount = midMarketData.result;
  const markupAmount = midMarketAmount - providerAmount;

  // 3. Return PSD3-compliant disclosure object
  return {
    quoteId: crypto.randomUUID(),
    timestamp: new Date().toISOString(),
    source: {
      from: fromCurrency,
      to: toCurrency,
      amount: amount,
    },
    rates: {
      midMarketRate: midMarketRate,
      providerRate: providerRate,
      markupPercentage: providerMarkup * 100,
    },
    amounts: {
      midMarketAmount: midMarketAmount,
      providerAmount: providerAmount,
      markupCost: markupAmount,
    },
    disclosure: {
      rateSource: 'Currency-Exchange.app mid-market',
      markupApplied: true,
      PSD3Compliant: true,
      lastRateUpdate: midMarketData.timestamp,
    },
  };
}
```
Python Compliance Validator
For monitoring ongoing compliance, this Python validator checks whether your applied rates stay within the PSD3 markup cap by comparing against live mid-market data:
```python
# PSD3 Rate Monitoring & Compliance Validator
import requests
from datetime import datetime, timezone
from decimal import Decimal


class Psd3ComplianceValidator:
    """Validates FX rate compliance with PSD3 requirements."""

    MAX_MARKUP_PCT = Decimal('3.0')  # PSD3 proposed cap
    STALE_RATE_MINUTES = 15

    def __init__(self, api_key: str):
        # API key for the independent rate source
        self.api_key = api_key

    def validate_conversion(
        self,
        provider_rate: float,
        from_curr: str,
        to_curr: str,
        amount: float
    ) -> dict:
        """Validate a conversion against PSD3 rules."""
        # 1. Fetch independent mid-market rate
        response = requests.post(
            "https://currency-exchange.app/api/v1/convert",
            headers={"x-api-key": self.api_key},
            json={"from": from_curr, "to": to_curr, "amount": 1},
            timeout=10,
        )
        response.raise_for_status()  # fail closed on an error response
        mid_market = Decimal(str(response.json()["rate"]))

        # 2. Calculate markup: how far the provider rate sits below
        # mid-market. A worse rate for the customer is a positive markup,
        # so a rate far below mid-market cannot pass as "compliant".
        provider = Decimal(str(provider_rate))
        markup = (mid_market - provider) / mid_market * 100

        # 3. Check PSD3 compliance
        is_compliant = markup <= self.MAX_MARKUP_PCT
        return {
            "compliant": is_compliant,
            "mid_market_rate": str(mid_market),
            "provider_rate": str(provider),
            "markup_bps": str(
                round((mid_market - provider) / mid_market * 10000, 2)
            ),
            "markup_pct": str(round(float(markup), 3)),
            "max_allowed_pct": str(self.MAX_MARKUP_PCT),
            "rate_source": "Currency-Exchange.app",
            "validated_at": datetime.now(timezone.utc).isoformat(),
            "recommendation": (
                "PASS" if is_compliant
                else "EXCEEDS PSD3 MARKUP LIMIT"
            ),
        }
```
Testing PSD3 Compliance with cURL
```bash
# Fetch mid-market rate for PSD3 compliance check
curl -X POST https://currency-exchange.app/api/v1/convert \
  -H "Content-Type: application/json" \
  -H "x-api-key: your-api-key" \
  -d '{
    "from": "EUR",
    "to": "GBP",
    "amount": 1000
  }'
# Response:
# {
#   "result": 851.00,
#   "rate": 0.8510,
#   "from": "EUR",
#   "to": "GBP"
# }
# Use "rate" as the independent mid-market reference
```
5. Consent Management & Open Banking Security
PSD3 extends open banking access to include currency conversion services. Licensed third-party providers (TPPs) can request access to your FX conversion API on behalf of their customers, but only with explicit consent and SCA validation.
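```typescript
// PSD3 Consent Management for Currency API Access
import { NextRequest, NextResponse } from 'next/server';

// validateSCA, getConsent, fetchCompliantRates and logApiAccess are
// application-specific helpers that are not shown here.
export async function handleCurrencyApiAccess(
  request: NextRequest
) {
  // 1. Validate Strong Customer Authentication (SCA)
  // A missing header is treated the same as a failed check.
  const authToken = request.headers.get('authorization');
  const consentId = request.headers.get('x-consent-id');
  const isAuthValid = authToken ? await validateSCA(authToken) : false;
  const consent = consentId ? await getConsent(consentId) : null;
  // The token and the consent are checked independently here; the helpers
  // must also confirm the consent belongs to the calling TPP.
  if (!isAuthValid || !consent?.active) {
    return NextResponse.json(
      { error: 'SCA validation failed' },
      { status: 401 }
    );
  }

  // 2. Check consent scope matches request
  // The body must be a non-empty array of currency codes.
  let requestedCurrencies: unknown;
  try {
    requestedCurrencies = await request.json();
  } catch {
    requestedCurrencies = null;
  }
  if (
    !Array.isArray(requestedCurrencies) ||
    requestedCurrencies.length === 0 ||
    !requestedCurrencies.every((c) => typeof c === 'string')
  ) {
    return NextResponse.json(
      { error: 'Invalid request body' },
      { status: 400 }
    );
  }
  const allowedCurrencies = consent.scope.currencies;
  const isScopeValid = requestedCurrencies.every(
    (c: string) => allowedCurrencies.includes(c)
  );
  if (!isScopeValid) {
    return NextResponse.json(
      { error: 'Consent scope exceeded' },
      { status: 403 }
    );
  }

  // 3. Fetch rates with audit trail
  const rates = await fetchCompliantRates(
    requestedCurrencies,
    consent.accountId
  );

  // 4. Log access for PSD3 audit requirements
  await logApiAccess({
    consentId: consent.id,
    providerId: consent.providerId,
    currencies: requestedCurrencies,
    timestamp: new Date().toISOString(),
    scaMethod: consent.scaMethod,
  });
  return NextResponse.json({
    ...rates,
    compliance: {
      standard: 'PSD3',
      consentId: consent.id,
      accessedAt: new Date().toISOString(),
    },
  });
}
```
SCA Requirements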
- Two-factor authentication for every API access request
- Dynamic linking to specific conversion amounts
- Exemptions only for low-value transactions (<EUR 30)
- Biometric or hardware token as second factor
Consent Scoping
- Granular currency pair permissions (not blanket access)
- Time-limited consent with renewal workflow
- Revocation support with immediate effect
- Full audit trail of all TPP access events
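The four consent-scoping rules above can be enforced in one fail-closed decision function. This is an added example, not code from the original page; the `Consent` shape, the `"EUR/GBP"` pair notation, the decision strings, and the in-memory `auditLog` are hypothetical stand-ins for a real consent store and append-only log.

```typescript
// Added example: all names and the consent record layout are hypothetical.
interface Consent {
  id: string;
  providerId: string;       // TPP the consent was granted to
  pairs: string[];          // granular, directional scope, e.g. "EUR/GBP"
  expiresAt: string;        // ISO 8601 expiry (time-limited consent)
  revokedAt: string | null; // set the moment the customer revokes
}
interface AuditEvent {
  consentId: string; providerId: string; pairs: string[];
  at: string; decision: string;
}

const auditLog: AuditEvent[] = []; // stand-in for an append-only store

// Constructed sample consent record.
const SAMPLE_CONSENT: Consent = {
  id: "c-001", providerId: "tpp-alpha", pairs: ["EUR/GBP", "EUR/USD"],
  expiresAt: "2026-06-30T00:00:00Z", revokedAt: null,
};

function decide(consent: Consent | undefined, callerTppId: string,
                pairs: string[], now: Date): string {
  if (!consent) return "deny:unknown-consent";
  // A consent is only usable by the TPP it was granted to.
  if (consent.providerId !== callerTppId) return "deny:wrong-tpp";
  // Revocation takes effect immediately: any revocation timestamp denies.
  if (consent.revokedAt !== null) return "deny:revoked";
  // An unparseable expiry yields NaN, which fails this comparison (fail closed).
  if (!(now.getTime() < Date.parse(consent.expiresAt))) return "deny:expired";
  // Every requested pair must be listed; "EUR/GBP" does not grant "GBP/EUR".
  const allowed = new Set(consent.pairs);
  if (pairs.length === 0 || !pairs.every((p) => allowed.has(p)))
    return "deny:scope-exceeded";
  return "allow";
}

// Records every decision, denials included, then returns it.
function evaluateConsent(consent: Consent | undefined, callerTppId: string,
                         pairs: string[], now: Date): string {
  const decision = decide(consent, callerTppId, pairs, now);
  auditLog.push({
    consentId: consent?.id ?? "unknown", providerId: callerTppId,
    pairs: [...pairs], at: now.toISOString(), decision,
  });
  return decision;
}
```

Logging denials as well as grants lets the audit trail show a TPP probing for currency pairs outside its consent.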
6. Compliance Checklist: 12 Requirements to Meet
7. What Non-EU Currency API Providers Must Do
PSD3 has extraterritorial reach. If your currency exchange API serves EU-based customers — even if your servers are in the US, Singapore, or elsewhere — PSD3 compliance applies. This affects major API providers and every SaaS platform that displays prices in EU currencies.
Who Needs to Comply?
PSD3 Applies To
- Any currency API with EU-based customers
- Payment processors converting EUR to other currencies
- E-commerce platforms displaying prices in EU currencies
- SaaS billing systems charging EU customers in local currency
- Marketplaces with cross-border EU transactions
What Non-EU Providers Need
- EU legal entity or authorized representative
- Registration with relevant national competent authority
- PSD3-compliant API endpoints for EU traffic
- Data residency for EU customer records
- Real-time, independent rate sourcing for transparency
How Currency-Exchange.app Helps with PSD3 Readiness
- Independent rate source: Rates sourced from global forex markets serve as PSD3 mid-market reference
- Real-time updates: Rates update every second during market hours, meeting PSD3 freshness requirements
- 150+ currencies: Covers all EU currencies plus emerging market currencies that EU cross-border payments touch
- 99.9% uptime: SLA-backed reliability ensures your compliance layer never depends on unavailable rate data
- ISO 4217 compliant: Standard currency codes required by PSD3/ISO 20022 messaging
8. Frequently Asked Questions
What is PSD3 and when does it take effect?
PSD3 (Payment Services Directive 3) is the European Union's updated regulation for payment services. It was proposed in June 2023 and is expected to be fully enforced across EU member states by late 2026 or early 2027, after an 18-24 month transposition period following final text adoption.
How does PSD3 affect currency exchange APIs?
PSD3 introduces mandatory FX transparency, requiring every conversion quote to disclose the mid-market rate, the provider's applied rate, and the exact markup. It also requires standardized API access for licensed third-party providers and proposes a 3% cap on FX markups for consumer payments.
What is the difference between PSD2 and PSD3 for currency services?
PSD2 focused on SCA and open banking foundations for account access. PSD3 expands scope to include currency conversion transparency, stronger consumer protection against unfavorable FX rates, mandatory markup disclosure with independent rate comparison, and broader open finance API access for payment service providers.
Do non-EU currency APIs need to comply with PSD3?
If your currency API serves EU-based customers or processes payments involving EU currencies, PSD3 likely applies regardless of where you're headquartered. Non-EU providers need an EU legal entity or authorized representative, registration with national authorities, and PSD3-compliant API endpoints.
What happens if I don't comply?
Non-compliance carries significant penalties under PSD3: fines of up to EUR 5 million or 10% of annual turnover (whichever is higher), potential license revocation, and exclusion from the EU payment market. Beyond regulatory penalties, non-compliant providers lose access to banking partnerships and payment scheme participation.
What role does an independent rate provider play in PSD3 compliance?
PSD3 requires that the mid-market rate used for comparison comes from an independent source, not the provider's own feed. Currency-Exchange.app provides independently sourced, real-time rates from global forex markets. These rates serve as the objective reference point against which your applied markup is measured and disclosed to consumers.