PSD3/PSR: Strengthening fraud prevention and consumer protection in digital payments

  • Evgeniya Komarova and Noora Haapajärvi
  • 18 August 2025



The proposed Payment Services Directive 3 (PSD3) [1] and Payment Services Regulation (PSR) [2] framework represents a significant step forward in the European Union’s ongoing efforts to enhance the security of digital payments. We explore the key fraud-related provisions of the PSR, which will be directly applicable across all EU member states without requiring transposition into national law.

While PSD2 laid the groundwork for safer transactions, the emergence of sophisticated fraud schemes has necessitated further regulatory improvements. PSD3 and PSR seek to address gaps in consumer protection, fraud prevention and liabilities, ensuring a more resilient and transparent financial ecosystem [3].

Digital payments fraud continues to rise due to rapid digitalization, the growth of online transactions, and evolving fraud techniques. For instance, Commerzbank reports that fraud rates in instant payments can be six to seven times higher than in traditional payments [4]. Cyber criminals exploit vulnerabilities in payment systems, manipulate users through social engineering, and misuse digital identities.

These risks call for tighter regulations, closer collaboration between payment service providers (PSPs) and electronic communication services providers (ECSPs), and comprehensive fraud detection mechanisms.

Below, we outline the key anti-fraud provisions within the PSR.

 

Enhanced security for credit transfers

The security of credit transfers is crucial for increasing consumer confidence. To reduce fraud and errors, consumers will benefit from a service that checks for discrepancies between the payee’s unique identifier (e.g. IBAN or other identifiers to be specified by the European Banking Authority (EBA)) and the payee’s name. If a discrepancy is identified, the payer will be informed.

This extends the Verification of Payee (VoP) service under the Instant Payments Regulation (IPR), which becomes mandatory for banks in Eurozone countries as of October 9, 2025. Under PSR, this service will be further extended, providing a comprehensive framework aimed at reducing fraud before it happens and protecting users afterwards. PSPs will bear financial losses if they fail to notify payers of detected discrepancies.

By verifying the payee’s identity prior to authorization, the regulation aims to prevent fraud scenarios such as impersonation scams, invoice fraud, and account takeovers. However, PSPs must develop robust real-time verification systems capable of handling large transaction volumes, likely requiring significant investment in IT infrastructure.

 

Strengthening consumer protection against fraud

Social engineering fraud is among the fastest-growing digital crimes. Fraudsters use phishing, ‘vishing’ (voice phishing) and ‘smishing’ (SMS phishing) to access sensitive financial data. They impersonate PSPs using emails, phone calls or text messages to deceive users into authorizing fraudulent payments. Under PSR, PSPs must refund victims of fraud, including authorized fraud, within 10 business days of notification and receipt of a police report – unless they provide a justified refusal supported by evidence and guidance on how to contest the decision. Additionally, PSPs must establish dedicated communication channels with payment service users for reporting fraudulent transactions, offering qualified advice, and resolving payment-related concerns. 

The PSR prescribes closer collaboration between PSPs and ECSPs, ensuring that measures like calling line identification and email security protocols are in place. Article 59 extends fraud liability to ECSPs, prompting criticism from telecom operators. They argue that this imposes unfair burdens on actors without direct control over financial transactions.

There is a concern that such liability might dilute accountability for fraud prevention from those best positioned to act – namely, banks and digital platforms. Industry stakeholders are calling for clear, proportionate responsibilities and technically feasible obligations for all involved parties.

 

Mandatory data collection and information sharing

A major change under PSR is the requirement for PSPs to analyze customer transaction data for abnormal patterns and retain data for up to 10 years after the customer relationship ends. Sharing relevant fraud-related information (i.e. unique identifiers, fraud techniques, and related details) among PSPs is mandatory. Evidence of a fraudulent transaction must come from at least two customers who report misuse of the same unique identifier. However, merely sharing fraud information is insufficient for withdrawing banking services without further investigation. The EBA is tasked with setting up a dedicated IT platform to support information exchange.

A centralized fraud database will help identify repeat offenders, detect new fraud patterns, and prevent financial losses. Nonetheless, the PSR emphasizes the importance of addressing data privacy concerns to ensure compliance with EU data protection laws. 

 

Compliance and reporting requirements

PSPs must report annual fraud statistics, including the number and value of reimbursed fraudulent transactions and reasons for rejected fraud notifications, to national authorities. These will then be aggregated and shared with the EBA and the European Central Bank (ECB).

PSPs are also tasked with increasing consumer awareness. They must run fraud awareness campaigns, with a focus on vulnerable customers, and organize annual training programs for employees on evolving fraud risks. The EBA will issue guidelines to standardize these initiatives across the EU. 

 

Conclusion

The PSR introduces a comprehensive regulatory framework designed to combat evolving fraud risks in digital payments. By enhancing security measures, mandating real-time fraud detection services, enforcing stronger cooperation between PSPs and ECSPs, and emphasizing consumer education, the new regulation significantly strengthens consumer protection across the EU.

At Capco, we support financial institutions in adapting to these regulatory shifts. From compliance strategy to fraud prevention implementation, we help you stay ahead of emerging risks. Contact us to discuss how we can help you prepare for the PSR and enhance your fraud prevention capabilities.

References
[1] Texts adopted - Payment services and electronic money services in the internal market - Tuesday, 23 April 2024
[2] Texts adopted - Payment services in the internal market and amending Regulation (EU) No 1093/2010 - Tuesday, 23 April 2024
[3] https://finance.ec.europa.eu/consumer-finance-and-payments/payment-services/payment-services_en
[4] Instant Payments: Fast and Secure Transactions | Corporate Clients - Commerzbank
