European Agreement on Combating Banking Fraud: What PSD3 and PSR Actually Change

On 27 November 2025, the European Parliament and the Council of the European Union reached a political agreement on the revision of payment services legislation, a package known as PSD3 (Payment Services Directive) and PSR (Payment Services Regulation). This “deal” marks a significant milestone in the legislative process, which primarily aims to strengthen consumer protection and reduce persistent fraud, considered a major concern that was not sufficiently addressed by the current PSD2.

This new legislative framework is a direct response to the rise of sophisticated fraud, particularly social engineering, which has managed to circumvent PSD2’s Strong Customer Authentication (SCA).

Here are the major implications of this agreement in the fight against banking fraud:


1. Strengthening the Liability of Payment Service Providers (PSPs)

One of the most radical changes is the shift of part of the financial loss burden from consumers to PSPs, thereby requiring them to implement more robust security measures.

Identity Spoofing Fraud (Spoofing)

The PSR introduces specific rules regarding identity spoofing fraud (or spoofing), a type of fraud where a malicious third party manipulates the customer into authorising a fraudulent payment, often by impersonating an employee of the consumer’s PSP (using the PSP’s name, email address, or phone number).

In this identity spoofing scenario:

  1. The PSP must fully reimburse the consumer for the amount of the fraudulently authorised payment transaction.
  2. To obtain this reimbursement, the payer (who must be a consumer, not a business) must have reported the fraud to the police without delay and notified their PSP.
  3. The right to reimbursement does not apply if the consumer committed fraudulent conduct or gross negligence.
  4. However, the burden of proving the existence of fraudulent conduct or gross negligence on the part of the consumer falls on the PSP.
  5. If a fraudster initiates or modifies a transaction, it will be considered an unauthorised transaction, making the PSP liable for the fraudulent amount.

It is important to note that the Council had proposed limiting this reimbursement obligation solely to cases where the fraudster impersonates the PSP itself, rather than extending liability to the impersonation of any private or public entity (which was the Parliament’s initial proposal).

Cooperation of Communication Services

Given that identity spoofing often uses communication channels (telephone, email), electronic communications service providers will now be required to cooperate with PSPs to prevent such fraud, particularly by acting swiftly to implement appropriate technical and organisational measures to preserve the security and confidentiality of communications, in accordance with Directive 2002/58/EC.

2. Mandatory Payee Verification (IBAN/Name)

To combat misdirected transfers (where funds are sent to an account other than the one intended) and to correct errors, the PSR extends the obligation to verify that the unique identifier (IBAN) matches the payee’s name (IBAN/name matching verification services).

  • Scope: This service is extended to all credit transfers, including regular transfers, and not only instant payments in euros. It must be offered free of charge to consumers.
  • Alert and Notification: If the unique identifier (IBAN) and the payee’s name do not match, the payer’s PSP must notify the payer of the detected discrepancy and its degree before the payer authorises the transaction. The payer retains the freedom to disregard this warning and proceed with the transfer, but must be informed of the potential consequences.
  • New Liability: If the payer’s PSP fails to notify a detected discrepancy (in violation of Article 50(1) of the PSR) when it should have done so, it will be held liable for the financial loss arising from the authorised transfer.
  • Right of Recourse: If the payer’s PSP’s liability is attributable to the payee’s PSP, the latter must compensate the payer’s PSP for the loss suffered.
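
The following is an added illustration of what such a verification service does at the moment the payer enters a transfer; it is not code from the article or from any PSP. The payee directory, the name normalisation rules, the two similarity thresholds that define the "degree" of discrepancy (match, close match, no match), and the rule that the registered name is disclosed only for a close match are all assumptions made for this example.

```python
"""IBAN/name matching check, added here as an illustration and not taken from
the article or from any PSP's real system. The payee directory, the name
normalisation rules and the similarity thresholds are all assumptions."""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed directory standing in for the payee PSP's account records.
PAYEE_DIRECTORY = {
    "GB82WEST12345698765432": "Acme Widgets Limited",
    "DE89370400440532013000": "Marie-Claire Dupont",
}
# Assumed cut-offs: at or above the first is a match, between them a close match.
MATCH_THRESHOLD = 0.95
CLOSE_MATCH_THRESHOLD = 0.75
LEGAL_FORMS = {"ltd", "limited", "plc", "sa", "sarl", "sas", "gmbh", "bv"}


def normalise_iban(iban: str) -> str:
    """Remove spaces and upper-case: the form used for the checksum and the lookup."""
    return re.sub(r"\s+", "", iban).upper()


def iban_checksum_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the country code and check digits to the end,
    map letters to 10..35, and the resulting integer must leave remainder 1."""
    iban = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Fold accents, case, punctuation and legal-form suffixes so that harmless
    formatting differences are not reported to the payer as a discrepancy."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = re.sub(r"[^a-z0-9 ]+", " ", ascii_text.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_FORMS)


@dataclass
class VerificationResult:
    outcome: str                   # match | close_match | no_match | invalid_iban | unknown_account
    similarity: float
    disclosed_name: Optional[str]  # registered name, shown only for a close match (assumed rule)
    payer_notice: Optional[str]    # text the payer's PSP shows before the payer authorises


def verify_payee(iban: str, name_entered: str) -> VerificationResult:
    """The check the payer's PSP runs before the payer authorises the transfer."""
    iban = normalise_iban(iban)
    if not iban_checksum_valid(iban):
        return VerificationResult("invalid_iban", 0.0, None,
                                  "The IBAN you entered is not valid. Please check it before continuing.")
    registered = PAYEE_DIRECTORY.get(iban)
    if registered is None:
        return VerificationResult("unknown_account", 0.0, None,
                                  "The payee's name could not be verified for this IBAN. "
                                  "If you proceed, a payment that goes astray may not be refunded.")
    similarity = SequenceMatcher(None, normalise_name(name_entered), normalise_name(registered)).ratio()
    if similarity >= MATCH_THRESHOLD:
        return VerificationResult("match", similarity, None, None)
    if similarity >= CLOSE_MATCH_THRESHOLD:
        # Close match: disclose the registered name so the payer can correct a typo.
        return VerificationResult("close_match", similarity, registered,
                                  f"The name you entered is similar but not identical to the account "
                                  f"holder's name ({registered}). Check it before continuing.")
    # No match: the registered name is not disclosed (assumed privacy rule).
    return VerificationResult("no_match", similarity, None,
                              "The name you entered does not match the account holder's name. "
                              "If you proceed, the payment may reach the wrong person and may not be refunded.")
```

The notice returned for anything other than a clean match is what the PSP must surface before authorisation; the payer can still proceed, and the PSP records that the warning was shown, because liability under the rule above turns on whether the discrepancy was notified.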

3. Strengthening Authentication (SCA) and Transaction Monitoring

The framework maintains and enhances Strong Customer Authentication (SCA), while introducing more sophisticated detection mechanisms for online payments.

  • Transaction Monitoring Mechanisms (TMMs): PSPs will be required to implement sophisticated transaction monitoring mechanisms to prevent and detect fraud, going beyond the mere application of SCA. These mechanisms must be based on the analysis of past transactions and take into account the behavioural and environmental characteristics typical of the user (such as location, time of the transaction, device used, spending habits, and online merchant).
  • Technical Liability: Technical service providers and payment scheme operators are liable for any financial loss caused if they failed to provide the services necessary to enable the application of SCA within the framework of their contractual relationship.
  • SCA and Tokenised Cards: The application of SCA is required when issuing or replacing a payment instrument token (for example, registering a card in a digital wallet) to prevent fraud risks.
  • Inclusion: PSPs will be required to ensure that their SCA methods are accessible to vulnerable users, such as persons with disabilities or those with limited digital skills, in order to guarantee financial inclusion and fraud protection for all.
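
As an added example of the transaction monitoring mechanism described above (not code from the article or from any PSP), the block below builds a behavioural and environmental baseline from a payer's past transactions and scores a new one against it using the characteristics the text lists: location, time of day, device, spending habits and merchant. The transaction history, the signal weights and the two decision thresholds are constructed assumptions; a real TMM would be calibrated on far more data, but the structure is the same.

```python
"""Rule-based transaction monitoring, added here as an illustration and not
taken from the article or from any PSP's real system. The history, the signal
weights and the decision thresholds are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import Dict, List, Set


@dataclass(frozen=True)
class Txn:
    amount: float
    country: str
    device_id: str
    merchant: str
    timestamp: datetime


# Constructed history for one payer: modest daytime purchases from France on known devices.
HISTORY = [
    Txn(42.10, "FR", "phone-a1", "Carrefour", datetime(2025, 10, 1, 12, 5)),
    Txn(18.00, "FR", "phone-a1", "SNCF", datetime(2025, 10, 3, 8, 40)),
    Txn(65.50, "FR", "phone-a1", "Carrefour", datetime(2025, 10, 7, 18, 20)),
    Txn(120.00, "FR", "laptop-b2", "Fnac", datetime(2025, 10, 12, 14, 0)),
    Txn(33.75, "FR", "phone-a1", "SNCF", datetime(2025, 10, 15, 9, 10)),
    Txn(58.20, "FR", "phone-a1", "Carrefour", datetime(2025, 10, 20, 19, 45)),
]

# Constructed candidate transactions to be scored against the history.
CANDIDATES = {
    "routine": Txn(40.0, "FR", "phone-a1", "Carrefour", datetime(2025, 10, 22, 12, 30)),
    "new_device": Txn(130.0, "FR", "tablet-c3", "Fnac", datetime(2025, 10, 25, 15, 0)),
    "anomalous": Txn(950.0, "RO", "browser-z9", "CryptoXchange", datetime(2025, 10, 23, 3, 15)),
}

# Assumed weights per signal and assumed decision thresholds.
WEIGHTS = {"new_country": 40, "new_device": 25, "amount_very_high": 25,
           "amount_high": 10, "unusual_hour": 10, "new_merchant": 5}
STEP_UP_THRESHOLD = 30   # require additional verification before execution
BLOCK_THRESHOLD = 60     # hold the payment and contact the payer out of band


@dataclass
class Profile:
    countries: Set[str]
    devices: Set[str]
    merchants: Set[str]
    active_hours: Set[int]
    typical_amount: float


@dataclass
class Assessment:
    score: int
    decision: str                 # allow | step_up | block
    reasons: List[str] = field(default_factory=list)


def build_profile(history: List[Txn]) -> Profile:
    """Derive the payer's behavioural and environmental baseline from past transactions."""
    return Profile(
        countries={t.country for t in history},
        devices={t.device_id for t in history},
        merchants={t.merchant for t in history},
        active_hours={t.timestamp.hour for t in history},
        typical_amount=median(t.amount for t in history),
    )


def hour_is_usual(hour: int, active_hours: Set[int]) -> bool:
    """True if the hour is within one hour of a previously seen hour (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in active_hours)


def assess(txn: Txn, profile: Profile) -> Assessment:
    """Score a new transaction against the profile and map the score to a decision."""
    reasons = []
    if txn.country not in profile.countries:
        reasons.append("new_country")
    if txn.device_id not in profile.devices:
        reasons.append("new_device")
    if txn.amount > 5 * profile.typical_amount:
        reasons.append("amount_very_high")
    elif txn.amount > 2 * profile.typical_amount:
        reasons.append("amount_high")
    if not hour_is_usual(txn.timestamp.hour, profile.active_hours):
        reasons.append("unusual_hour")
    if txn.merchant not in profile.merchants:
        reasons.append("new_merchant")
    score = sum(WEIGHTS[r] for r in reasons)
    decision = "block" if score >= BLOCK_THRESHOLD else "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return Assessment(score, decision, reasons)


def assess_candidates() -> Dict[str, Assessment]:
    """Score every constructed candidate against the profile built from HISTORY."""
    profile = build_profile(HISTORY)
    return {name: assess(txn, profile) for name, txn in CANDIDATES.items()}
```

The reasons list is kept alongside the score so that a step-up prompt or a later dispute can state which characteristics deviated; a bare score tells the payer nothing and gives the PSP no evidence for the burden of proof it now carries.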

4. Information Sharing and Collective Awareness

The evolving nature of fraud (social engineering, manipulation techniques) requires a collective and proactive approach.

  • Fraud Data Sharing: PSPs will be authorised to voluntarily exchange personal data, including the unique identifier (IBAN) of payees, when they have sufficient grounds to presume that a fraudulent payment transaction has occurred.
    • This sharing must be carried out within the framework of multilateral information-sharing arrangements (often via specialised IT platforms).
    • Before adopting such arrangements, PSPs must jointly carry out a Data Protection Impact Assessment (DPIA) under the GDPR, and consult the supervisory authority if the assessment reveals a high risk.
  • Customer Awareness: PSPs are required to alert their customers through training programmes and awareness campaigns about new forms of fraud and associated risks, taking into account the needs of the most vulnerable groups. They must provide clear guidance on how to identify fraudulent attempts and the precautions to take.

Implementation Timeline

The political agreement between the Parliament and the Council gives the green light to finalise the text. After legal and linguistic review, the text will enter into force, probably by the end of the first or beginning of the second quarter of 2026. A transition period of 21 months is planned before the regime begins to apply. However, certain essential anti-fraud provisions, such as the application of the IBAN/name verification service, will apply 24 months after the date of entry into force of the regulation.

In conclusion, PSD3 and the PSR fundamentally change the approach to fraud in Europe. Instead of relying solely on technical defence measures (SCA) and leaving the victim to bear the burden of manipulation, the new legislation imposes a duty of vigilance and prevention on financial institutions (PSPs) and technical operators. By extending the reimbursement obligation in cases of spoofing and making IBAN/name verification mandatory for all transfers, the legislative framework seeks to build a payment ecosystem where security relies on cooperation and proactive technical mechanisms.

If PSD2 aimed to build a vault (SCA), PSD3/PSR acknowledges that fraudsters have become masters of persuasion. From now on, the bank must not only improve the lock; it is also liable if a criminal succeeds in impersonating a bank employee to steal money. The institution must therefore lock up better, actively monitor who receives the funds, and actively educate its customers against the most cunning schemes.
