PSD3: Habemus Pactum
Quick summary: This article outlines the recent political agreement on the EU’s PSR and PSD3, which will overhaul digital banking and payments rules. It highlights major upcoming changes in fraud prevention, liability, and strong customer authentication. These updates aim to reduce authorized fraud and improve consumer protection across Europe. This is important for financial institutions because the reforms will significantly impact how they design security, compliance, and payment processes.
In the early morning of 27 November 2025, representatives of the European Commission, the European Parliament, and the Council of the European Union (under its Danish presidency) gathered in a meeting room in Strasbourg, France. No white smoke rose from a chimney, but at around 1:25 AM the co-legislators reached a political agreement on the Payment Services Regulation (PSR) and the third Payment Services Directive (PSD3), completing a critical stage towards the finalization of both texts.
The PSR and PSD3 will represent a major overhaul of the European digital banking and payments regulation, and in particular will change how financial institutions perform strong customer authentication (SCA) and fraud detection/prevention for their digital banking applications.
Although the final texts of the PSR and PSD3 are not yet available, this blog provides an update on the most important requirements related to SCA and fraud detection and prevention that are expected to be present in the final PSR. This blog is based on publications of the European Parliament and Council, as well as personal discussions with some of the co-legislators.
A brief history of PSR and PSD3 so far
In June 2023, the Retail Financial Services and Payments unit of the European Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), headed by Eric Ducoulombier, kicked off the legislative process by publishing the Commission’s proposals for the PSR and PSD3.
Subsequently, the European Parliament and Council review process began. In November 2023, the European Parliament’s Economic and Monetary Affairs Committee (ECON), chaired by Aurore Lalucq, published draft reports on the proposals with recommendations for amendments. ECON voted to adopt both texts on 14 February 2024. Finally, on 23 April 2024, the European Parliament voted to adopt both texts in plenary, closing the first reading.
In June 2025, the Council of the European Union adopted its negotiating position on the Commission’s proposals.
Next, the Commission, Parliament, and Council engaged in the so-called trilogue negotiations to hammer out a compromise text. These negotiations concluded at the political level with the agreement on 27 November 2025.
How the PSR helps prevent APP fraud
One of the main goals of the PSR is to prevent authorized push payment (APP) fraud, also known as authorized fraud.
What is authorized fraud?
Authorized fraud occurs when a fraudster tricks a victim into authorizing a payment to a fraudulent account. This is often done through sophisticated social engineering techniques, such as phishing emails, phone calls, or text messages. The fraudster may impersonate a trusted individual or organization, such as a bank, the police, or a government agency. They often create a sense of urgency, claiming that the victim needs to act quickly to avoid a negative consequence. Once the victim is convinced, they are instructed to transfer money to a specific bank account controlled by the fraudster.
The PSR will require payment service providers (PSPs) to implement the following measures that aim to prevent authorized fraud:
Fraud awareness, education, and reporting. PSPs will be required to educate their customers about emerging types of banking and payments fraud. This includes alerting customers via all appropriate means and media; giving them clear guidance on how to recognize fraudulent attempts; warning them about the actions and precautions needed to avoid falling victim; and telling them where they can report fraud and obtain fraud-related information.
These requirements certainly make sense, as well-informed users are less likely to succumb to fraud. On the other hand, it can be doubted that all users are “trainable” and that “trained” users will remain vigilant at all times, hence there is also a need for technical fraud controls that do not rely on the payer.
IBAN/name matching, or verification of payee (VoP). Before a credit transfer is executed, the payer’s PSP must ask the payee’s PSP to verify whether the payee name and IBAN entered by the payer correspond to the account holder on record. If they do not, the payer’s PSP must inform the payer of the discrepancy and of its degree (typically expressed as match, close match, or no match) within a few seconds after the payer has entered the payee details, and before the payer confirms the transfer.
VoP was already mandated by the Instant Payments Regulation, but only for credit transfers in euros. The PSR will make VoP mandatory for all credit transfers (instant or not, euro or other currency).
VoP can indeed help against social engineering fraud, since fraudsters often convince victims that a certain IBAN belongs to a trusted beneficiary when it actually belongs to a money mule. However, fraudsters may equally coach payers to ignore the VoP warning, effectively bypassing the control.
Further, payers may suffer alert fatigue if VoP warnings are generated too frequently for accounts used in genuine, non-fraudulent payments (for example, a trade name that differs from the registered account holder), and consequently ignore the warnings in actual fraud cases as well.
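To make the VoP mechanics concrete, here is an added, self-contained example that is not part of the original post and does not implement any PSP’s or scheme’s actual matching rules. It assumes a hypothetical payee register, a hypothetical normalization (case and diacritic folding, dropping legal-form suffixes, ignoring word order) and a hypothetical close-match threshold. It also shows two edge cases a practitioner cares about: a syntactically invalid IBAN never reaches the payee PSP (the ISO 13616 mod-97 check fails locally), and the registered name is only disclosed on a close match, never on a no-match, so the service cannot be used to enumerate account holder names.

```python
"""Illustrative Verification of Payee (VoP) check.

Hypothetical matching rules and sample data; not the EPC VoP scheme's algorithm.
"""
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher
from typing import NamedTuple, Optional

# Constructed sample: what the payee's PSP holds for two accounts (hypothetical).
PAYEE_REGISTER = {
    "NL91ABNA0417164300": "Jansen Installatietechniek B.V.",
    "DE89370400440532013000": "Müller GmbH",
}

# Legal-form tokens we ignore when comparing names (hypothetical list).
LEGAL_FORMS = {"bv", "nv", "gmbh", "ltd", "sa", "sarl", "llc"}

CLOSE_MATCH_THRESHOLD = 0.8  # hypothetical tuning value


class VopResult(NamedTuple):
    outcome: str                    # match | close_match | no_match | invalid_iban | unknown_account
    registered_name: Optional[str]  # only populated on close_match


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    A-Z to 10-35, and the resulting integer must be congruent to 1 modulo 97."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop legal-form suffixes,
    and sort the tokens so that word order does not matter."""
    folded = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in folded if not unicodedata.combining(c))
    ascii_only = ascii_only.lower().replace(".", "")   # "B.V." -> "bv"
    tokens = re.findall(r"[a-z0-9]+", ascii_only)
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORMS))


def verify_payee(iban: str, name_entered: str) -> VopResult:
    """Return the VoP outcome the payer's PSP would present to the payer."""
    if not iban_is_valid(iban):
        return VopResult("invalid_iban", None)      # never query the payee PSP
    registered = PAYEE_REGISTER.get(re.sub(r"\s+", "", iban).upper())
    if registered is None:
        return VopResult("unknown_account", None)
    entered_norm, registered_norm = normalize(name_entered), normalize(registered)
    if entered_norm == registered_norm:
        return VopResult("match", None)
    ratio = SequenceMatcher(None, entered_norm, registered_norm).ratio()
    if ratio >= CLOSE_MATCH_THRESHOLD:
        # Close match: show the registered name so the payer can confirm.
        return VopResult("close_match", registered)
    # No match: do not leak the account holder's name to the payer.
    return VopResult("no_match", None)


if __name__ == "__main__":
    for iban, name in [
        ("NL91 ABNA 0417 1643 00", "jansen installatietechniek bv"),
        ("NL91ABNA0417164300", "Jansen Instalatietechniek"),   # typo
        ("NL91ABNA0417164300", "Belastingdienst"),             # mule account
        ("NL91ABNA0417164301", "Anyone"),                      # bad check digits
        ("DE89370400440532013000", "Mueller"),                 # diacritic folded
    ]:
        print(iban, name, "->", verify_payee(iban, name))
```

The threshold and the normalization rules are the tuning knobs that drive the false-positive problem described above: a permissive threshold lets more trade-name variations through as close matches, a strict one produces more no-match warnings for legitimate payees.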
Cooling-off period for changes to spending limits. Dutch banks already use cooling-off periods, whereby changes to spending limits only become effective after 4 hours. The PSR is expected to follow this approach and introduce it at the European level. It provides people time to think twice (or more) when coerced by fraudsters into changing their spending limits.
Improving transaction monitoring mechanisms. The PSR will require PSPs to enhance their transaction monitoring mechanisms beyond what is currently required under PSD2. In particular, the PSR will require PSPs to include additional information about payers into their transaction monitoring systems, namely information about the environmental and behavioral characteristics of the payer. In practice, this information will consist of the following:
- Environmental or device intelligence relates to information about the devices (e.g., smartphones and PCs) that the payer uses to access digital banking or payment applications. In order to detect fraud, it is important for PSPs to know whether the payer uses different devices, whether malware is present on these devices, whether remote access tools (such as AnyDesk or TeamViewer) are present on the devices, or whether a device is engaged in a phone call during a banking or payment session.
- Behavioral intelligence focuses on analyzing the behavior of the payer and detecting changes to the normal behavior of the payer during banking or payment sessions. These changes can indicate that the payer is acting under duress. Relevant behavioral signals that PSPs should look for include the payer's typing pattern, the way they touch the screen of a mobile device, and the speed between successive operations in a web or mobile app.
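As an added illustration of how device intelligence and behavioral intelligence can feed one transaction-monitoring decision (this is example code written for this page, not any PSP’s production logic), the scorer below combines the device signals listed above with a per-payer typing baseline. The signal weights, thresholds and the three sample sessions are hypothetical and constructed; a real system would learn weights from labelled fraud data. The point it makes is the one from the text: a single weak signal (a phone call on a new device) should trigger a step-up or a hold, not a block, while corroborated signals (remote access tool plus a call plus typing far outside the payer’s baseline) justify blocking.

```python
"""Illustrative transaction-monitoring scorer over device and behavioral signals.

Hypothetical weights, thresholds and sample data; not any PSP's production logic.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class PayerProfile:
    """What the PSP already knows about the payer (constructed sample data)."""
    known_devices: set[str]
    keystroke_ms: list[float]   # historical inter-keystroke intervals, ms


@dataclass
class Session:
    """Signals the banking app collected during one payment session."""
    device_id: str
    malware_detected: bool
    remote_access_tool: bool    # e.g. an AnyDesk/TeamViewer process present
    in_phone_call: bool         # the device is on a call during the payment
    keystroke_ms: list[float]   # inter-keystroke intervals seen this session


# Hypothetical weights and thresholds.
WEIGHTS = {
    "malware": 70, "remote_access_tool": 40, "phone_call": 20,
    "unknown_device": 15, "typing_anomaly_strong": 30, "typing_anomaly_weak": 15,
}
BLOCK_THRESHOLD = 70
STEP_UP_THRESHOLD = 30


def typing_zscore(profile: PayerProfile, session: Session) -> float:
    """Distance of this session's typing cadence from the payer's baseline, in
    standard deviations. A fraudster dictating over the phone usually shows up
    as much slower, more hesitant typing than the payer's own habit."""
    if len(profile.keystroke_ms) < 2 or not session.keystroke_ms:
        return 0.0
    spread = max(pstdev(profile.keystroke_ms), 1.0)   # avoid division by zero
    return abs(mean(session.keystroke_ms) - mean(profile.keystroke_ms)) / spread


def score_session(profile: PayerProfile, session: Session) -> tuple[int, list[str]]:
    """Return a risk score and the reasons behind it (for the analyst and the payer)."""
    score, reasons = 0, []
    if session.malware_detected:
        score += WEIGHTS["malware"]; reasons.append("malware detected on device")
    if session.remote_access_tool:
        score += WEIGHTS["remote_access_tool"]; reasons.append("remote access tool active")
    if session.in_phone_call:
        score += WEIGHTS["phone_call"]; reasons.append("payment made during a phone call")
    if session.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]; reasons.append("unknown device")
    z = typing_zscore(profile, session)
    if z >= 3.0:
        score += WEIGHTS["typing_anomaly_strong"]; reasons.append(f"typing cadence {z:.1f} sd off baseline")
    elif z >= 2.0:
        score += WEIGHTS["typing_anomaly_weak"]; reasons.append(f"typing cadence {z:.1f} sd off baseline")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action; only strong or corroborated signals block."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"    # hold the transfer and confirm out of band
    return "allow"


# Constructed sample data: one payer, three sessions.
PROFILE = PayerProfile({"phone-1"}, [120, 130, 125, 135, 128, 122, 131, 126])
SAMPLE_SESSIONS = {
    "normal": Session("phone-1", False, False, False, [124, 128, 130, 126]),
    "duress": Session("phone-1", False, True, True, [210, 230, 220, 240]),
    "new_device_on_call": Session("laptop-9", False, False, True, [125, 129, 127, 131]),
}


def run_examples() -> dict[str, str]:
    """Decision per sample session."""
    return {name: decide(score_session(PROFILE, s)[0]) for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        score, reasons = score_session(PROFILE, session)
        print(f"{name}: score={score} decision={decide(score)} reasons={reasons}")
```

Keeping the reasons alongside the score matters under the liability rules discussed later: if a PSP blocks, or fails to block, it will need to explain which data the decision rested on.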
Sharing fraud-related data among PSPs. To improve the protection of payers against fraud in credit transfers, PSPs should be able to perform transaction monitoring based on information as comprehensive and up-to-date as possible. For this reason, PSPs should share fraud intelligence, such as IBANs of suspicious payees and manipulation techniques, among each other. This requirement will not only apply to PSPs, but also to social media platforms, telecommunications providers, etc.
Obligation for PSPs to block suspicious transactions. If a PSP’s transaction monitoring system flags a transaction as likely fraudulent, the PSP will, under certain circumstances, be obliged to block it. To keep false positives low, PSPs will need transaction monitoring systems fed with high-quality data, including trustworthy device intelligence and behavioral intelligence.
Verification of PSP license by social media platforms. Finally, social media platforms will need to check whether companies that want to run ads on their platforms for financial services actually have a license to act as a PSP in the European Union. If not, the social media platforms should prohibit these companies from advertising.
Who is liable for APP fraud?
An important topic addressed by the PSR is: If a payer falls victim to authorized fraud, who is liable – is it the payer, the PSP, or someone else?
In the European Commission’s original proposal from June 2023, the payer would be liable, except in case of bank employee impersonation fraud, i.e. fraud whereby the fraudster impersonates an employee of the PSP. In that case the PSP would be liable instead of the payer. The Parliament’s position from April 2024 broadened this to impersonation fraud in general, covering cases where the fraudster pretends to be an employee of the victim’s PSP or any other entity (e.g., the police).
In the final political agreement, the basic rule remains that the payer, who becomes the victim of authorized fraud, is liable for that fraud. In other words the payer carries the losses resulting from the fraud. There are two exceptions to this basic rule, under which liability does not reside with the victim:
- PSP impersonation scams. If a payer becomes the victim of authorized fraud where the fraudster impersonates the PSP, and if the payer promptly reports the fraud to the PSP and police, then the PSP will be held liable. This approach differs slightly from the Commission’s original proposal, which only covered impersonation of employees of PSPs, not PSPs themselves. On the other hand, the agreed-upon approach does not go as far as the Parliament’s proposal.
- Incorrect application of fraud controls by PSP. Second, if the fraud resulted from the PSP not properly using Verification of Payee, failing to perform transaction monitoring, or not blocking a suspicious transaction, then the PSP is held liable. For example, if the PSP failed to notify the payer of a discrepancy between the payee’s bank account number and the payee’s name provided by the payer, then the PSP will be held liable. Since PSPs will be held liable for not blocking suspicious transactions, they may err on the safe side, resulting in higher false positive rates.
The above exceptions do not apply if the victim demonstrated gross negligence. It will be up to the PSP to prove gross negligence and ultimately up to a judge to determine whether a payer acted with gross negligence or not.
If a PSP is held liable for a certain fraud case, it will be possible for the PSP to transfer liability to an electronic communications provider (e.g., social media platform, telecommunications provider) if the fraud originated with the electronic communications provider, and if the provider did not remove fraudulent content from its platforms. For example, if the fraud started with an ad on a social media platform or via SMS message received through a telecommunications provider, then the PSP could transfer liability to the electronic communications provider. According to Revolut’s most recent Financial Crime and Consumer Security report, about 75% of authorized fraud originates on social media platforms, such as Facebook, Instagram, WhatsApp, or Telegram.
When comparing the PSR’s liability model against that of the United Kingdom, we see the following major differences:
- European PSPs can only be liable for PSP impersonation scams, while PSPs in the UK are liable for all types of authorized fraud, including impersonation scams, investment scams, purchase scams, and so on;
- In the UK, PSPs have a maximum liability of £85,000 per fraud case, while there is no such cap under the PSR;
- European PSPs can transfer liability to electronic communications providers, while no such possibility currently exists in the UK.
Strong customer authentication (SCA)
Strong customer authentication, introduced in PSD2, provides protection against unauthorized fraud, where the fraudster steals credentials of a digital banking or payments account and then accesses the victim’s account to transfer money to an account under their control.
The proposal of the European Commission from June 2023 contained various new requirements related to SCA, including:
- A change to the definition of SCA, allowing SCA mechanisms to be constructed from two authentication elements from the same category (possession, knowledge, inherence), while under PSD2 the elements had to come from different categories;
- The possibility for Account Information Service Providers (AISPs) to perform SCA in an open banking context;
- PSPs have to ensure that all payers can perform SCA, including persons with disabilities, older persons, people with low digital skills and those who do not have access to digital channels or payment instruments;
- PSPs must not use a single SCA mechanism, such as a mechanism based on smartphones, but instead support various authentication mechanisms.
The political agreement between the European co-legislators did not focus on SCA, so few details about the final SCA requirements are available at this moment. Nevertheless, some information has been shared about the change to the definition of SCA.
PSR redefines SCA to include biometric authentication
The final PSR is expected to allow both authentication elements to come from the same category only when that category is inherence (biometrics); two possession elements or two knowledge elements will still not qualify as SCA. This opens the door to an SCA mechanism that combines physiological biometrics with behavioral biometrics. Physiological biometrics are physical traits such as fingerprints and the face; behavioral biometrics are patterns of action, such as typing and screen-touch patterns. One practical caveat: two biometric elements captured by the same app on the same device share a compromise path, so how the existing independence requirement (a breach of one element must not compromise the other) will apply to such combinations is a detail to watch for in the EBA’s technical standards.
Next steps for PSR and PSD3
The political agreement between the European Parliament and the Council is not the end of the legislative process for PSR and PSD3.
After reaching the political agreement, representatives of the European Commission, Parliament, and Council have started technical trilogues to translate the political agreement into concrete requirements and finalize the texts.
Once the texts are ready, they need to be formally adopted by the Parliament and the Council. This will probably happen sometime between January and March 2026. After that, the PSR and PSD3 will be published in the Official Journal of the European Union (available on EUR-Lex).
Finally, 20 days after publication, the PSR and PSD3 will enter into force. Given the formal adoption timeline, the PSR is likely to enter into force sometime between February and April 2026. Entry into force is not the same as the date of application: the PSR’s obligations only start applying after the transitional period set in the final text.
Once the PSR has entered into force, the European Banking Authority (EBA) will start developing the PSR requirements in more detail, for example in the areas of SCA and fraud detection/prevention.
The information contained on this page is for information purposes only, provided as is as of the date of publication, and should not be relied upon as legal advice or to determine how the law applies to your business or organization. It is recommended that you seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. OneSpan does not accept liability for the contents of these materials or for third parties.