
PSD3 and Fraud Prevention: The Ultimate Guide

December 11, 2025

With a political deal now reached on PSD3 and the PSR, the EU is entering a decisive phase for payments security. The coming months will reshape how institutions detect fraud, protect customers, and share intelligence across the industry. Banks and PSPs need to understand what’s coming—and prepare now.

The European Parliament and Council have now struck a deal on PSD3, marking the end of negotiations and the start of the EU’s next major shift in payments regulation. The reform package aims to modernize European payment rules and address key challenges, particularly in fraud prevention.

What changes should payment service providers and consumers expect?

What Is PSD3?

PSD3 is the latest Payment Services Directive, currently being finalized by the European Union. The goal is to update and modernize the existing Payment Services Directive (PSD2), as the European payment services market has undergone significant changes in recent years.

What is commonly referred to as “PSD3” is actually a shorthand for a broader legislative package. Alongside the Third Payment Services Directive (PSD3) that updates PSD2, the EU is introducing a separate Payment Services Regulation (PSR). Together, these measures address a wide range of topics, from consumer rights to open banking and cash access.

This article cuts straight to the PSD3/PSR changes that will reshape how institutions prevent fraud and manage liability, and what they mean for staying ahead of rapidly escalating threats.

What Is the Difference Between PSD3 and PSR?

While “PSD3” is widely used as a convenient label, the new framework actually consists of two separate legal instruments.

  • The Payment Services Directive 3 (PSD3) sets out the rules governing the authorization and supervision of payment service providers and e-money institutions.
  • The Payment Services Regulation (PSR) contains the operational and conduct obligations for banks and other payment service providers (PSPs), replacing most of the functional rules previously covered under PSD2.

But why isn’t everything just covered in the directive? Why is there a new regulation? Unlike a directive, which sets certain goals to be achieved and allows Member State legislators to decide on the form and means, a regulation has binding legal force. It takes effect across all Member States simultaneously. National authorities don’t need to transpose regulations into domestic law; they can be immediately enforced as law, just like any piece of local legislation.

Shifting from a directive to a regulation aims to foster a more unified marketplace, reducing disparities between Member States.

Why Is PSD3 Being Implemented?

PSD2 was adopted in 2015, eight years after PSD1 (2007). While PSD1 established a harmonized legal framework to create an integrated EU payments market, PSD2 aimed to address barriers to new types of payment services and enhance consumer protection and security.

It is only logical that in 2022, after another seven years, the time had come to evaluate PSD2. In addition to feedback from public consultations and an independent consultant, the European Commission also collaborated with the European Banking Authority (EBA).

The evaluation highlighted a major shift in the fraud landscape. While PSD2 strengthened authentication, it became clear that Strong Customer Authentication (SCA) alone could not prevent the rise of social-engineering scams, impersonation attacks, and other manipulation-based fraud techniques. These forms of fraud, now among the most common across the EU, often involve legitimate customers being tricked into authorizing payments, falling outside the original scope of PSD2’s protections.

Alongside these fraud-related challenges, the review also identified broader structural issues: an uneven playing field between banks and non-bank PSPs, persistent barriers to data access for AISPs and PISPs, and nationally fragmented payment systems that limited the full benefits of open banking.

Based on these findings, the Commission initiated amendments to PSD2 to reflect recent trends in the payment market, particularly regarding the rise of digital payment methods and other changes accelerated by the pandemic. PSD3 should therefore be seen as an evolution, rather than a revolution.

PSD3 and Fraud Prevention: What to Expect?

Fraud prevention and liability are key focuses of PSD3. The legislation presents multiple new measures to further enhance consumer protection in areas where PSD2 couldn’t keep up with the fast-evolving post-pandemic situation. According to the European Commission, “any changes to the PSD2 liability framework should contribute to reducing fraud, without creating moral hazard (if the consumers believe that they will always be compensated).”

PSD3/PSR aims to strike that balance through a combination of tighter controls, broader protections, and clearer obligations for all players in the payment ecosystem.

IBAN/Name Verification (Verification of Payee)

To curb the sharp rise in scams and Authorized Push Payment (APP) fraud, the EU has made the Verification of Payee a core part of its fraud-prevention framework. The service checks whether the payer-entered name matches the unique identifier (IBAN) of the intended recipient. Under Regulation (EU) 2024/886, all euro-area PSPs must provide this check free of charge by 9 October 2025.

With the latest political agreement on PSD3 and the PSR, the requirement is being strengthened: if the payer’s input does not match the verified account holder name, the PSP must refuse the payment order and inform the customer. This moves the EU beyond warnings and into a more proactive prevention model, designed to stop misdirected or manipulated transfers before they leave the customer’s account.

Changes in Fraud Liability

The latest political agreement strengthens and clarifies liability rules to address modern fraud schemes, especially social engineering and impersonation attacks. Under the agreed framework, PSPs must reimburse victims in three confirmed situations:

– If the PSP fails to implement appropriate fraud-prevention mechanisms.

When a provider does not put adequate security and monitoring measures in place, it becomes liable for covering the customer’s losses. PSPs must ensure Strong Customer Authentication (SCA) and carry out proper risk assessments to meet this obligation.

– If a transaction is initiated or altered by a fraudster.

In such cases, the operation is treated as an unauthorized transaction, and the PSP is fully liable once the customer reports it.

– If the fraud involves impersonation of the customer’s PSP.

In impersonation or “spoofing” scenarios the PSP must refund the full amount, provided the customer reports the case without delay to law enforcement and the PSP. If the PSP challenges the reimbursement, it must be able to prove that no impersonation took place.

These measures reflect a significant shift from PSD2, acknowledging that many modern scams fall outside the traditional definition of unauthorized transactions and require dedicated liability protections.

New Liability for Online Platforms

The agreement also targets a major source of fraud: online platforms such as digital marketplaces or forums. If a platform is notified by a PSP about fraudulent financial content and fails to remove it, it can be held liable for the resulting harm. This closes a long-standing loophole where scam ads and impersonation pages could circulate unchecked.

Financial advertisers face new obligations as well. Anyone promoting financial services on large platforms or search engines will have to prove they are authorized to operate in the relevant Member State. This is meant to stop unlicensed or fraudulent providers from buying visibility and reaching consumers at scale.

Freezing Suspicious Funds at the Receiving PSP

The new rules also strengthen the role of receiving PSPs in breaking fraud chains. If an incoming payment appears suspicious, the receiving PSP will be required to freeze the funds immediately, preventing the money from being moved further across accounts or cashed out.

Strengthening SCA

PSD3/PSR reinforces SCA with stricter rules and expands its application to more use cases and channels.

PSPs will need reliable, flexible, and future-proof authentication methods to meet these requirements without adding friction for legitimate users.

Continuous Behavioral Biometrics is a proven (and increasingly expected) technique that uses behavioral signals to detect manipulation and confirm user identity not only at login or payment initiation, but continuously throughout the session. It can serve as an inherence factor in SCA while also enabling PSPs to improve real-time detection of social engineering and account takeover attempts.

Sharing Fraud-Related Information Between Financial Institutions

PSD3/PSR encourages PSPs to share fraud-related intelligence (including scam patterns, relevant identifiers, and emerging modi operandi) to strengthen collective detection capabilities across the ecosystem.

Meeting these expectations will require PSPs to adopt dedicated, privacy-centric platforms for secure and compliant data exchange, sooner rather than later.

Additional Consumer Protection Measures

The agreement also introduces several supporting measures aimed at reducing fraud risk and improving the overall customer experience. PSPs will have to provide tools such as customizable spending limits and transaction-blocking options, giving consumers more direct control over their exposure to fraud.

To ensure proper assistance during fraud incidents, customers must also have access to human support, not just automated chatbots.

Finally, Member States are encouraged to devote public resources to fraud education, recognizing that awareness and timely recognition of scams remain essential elements of a comprehensive fraud-prevention .

What Is the Timeline?

The legislative process is now in its final stretch. Parliament adopted its position in April 2024, the Council agreed its mandate in June 2025, and trilogue negotiations between the three EU institutions have since concluded with a political agreement on the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) in November 2025.

There is no final application date yet. What remains is formal adoption and legal-linguistic review. Once the legislation is adopted, the regulation and directive will set phased application deadlines. The package will also empower the EBA to issue technical standards and guidelines on SCA, transaction monitoring, and data sharing.

What Does It All Mean for Banks and PSPs?

For banks and financial institutions, PSD3 opens up access to a broader payments ecosystem. However, it also introduces new requirements, particularly around fraud prevention. Many banks will need to upgrade their legacy systems to meet the demands for enhanced fraud detection, security, and data sharing.

The shift in fraud liability highlights the need for improved detection mechanisms—not just for unauthorized fraud, but especially for authorized fraud, much of which is driven by social engineering. This comes amid growing competition from non-bank payment service providers.

Payment service providers will have more opportunities to expand across borders and enter the European market. They’ll also find it easier to develop innovative services. However, they’ll face strict security requirements and need to implement advanced technology to comply with new regulations, technical standards, and enhanced security protocols.

Once finalized, the PSR (a regulation) will apply directly across the EU, while PSD3 (a directive) will need to be transposed into national law by Member States. Both will be monitored and enforced by the relevant authorities, and failure to comply could result in hefty fines or, in severe cases, the loss of a license.

How Banks Can Prepare for PSD3

Navigating PSD3 requires not only compliance but also a clear strategy for managing new fraud risks that are already surging across Europe. For banks and PSPs, this means strengthening their fraud defenses to tackle growing sophistication and the increasing share of Authorized Push Payment (APP) Fraud. With PSD3 placing liability on banks for impersonation and “fake banker” scams, financial institutions will need advanced tools that can spot and stop manipulation early.

At the same time, PSD3 underscores the importance of educating and empowering customers, recognizing that informed users, not just stronger controls, are essential to reducing fraud losses.

Adopting Behavioral Intelligence

To meet PSD3’s heightened expectations for fraud prevention and transaction monitoring, banks should adopt behavior-based and AI-powered tools such as ThreatMark’s Behavioral Intelligence Platform. By combining contextual data from transactions, devices, and user behavior (such as typing rhythm, mouse movement, and navigation patterns), it continuously verifies identity and detects anomalies in real time. This helps banks uncover social-engineering and APP fraud even when transactions appear fully authorized and both the device and credentials are legitimate.

By giving institutions visibility into manipulation patterns, device signals, session anomalies, and behavioral red flags, the platform enables proactive intervention before money moves. This aligns with PSD3’s requirements for enhanced authentication and continuous monitoring, and lays the groundwork for future fraud-data sharing.

Sharing Fraud-Relevant Data

ThreatMark’s FraudIntel is a GDPR-ready, privacy-preserving platform for sharing fraud intelligence in line with PSD3 requirements, allowing institutions to collaborate without exposing customer data. Powered by a global intelligence model, FraudIntel aggregates patterns and signals across markets to help banks spot emerging scams and money mule activity earlier.

As PSD3 raises expectations for cross-industry cooperation, FraudIntel provides not only a compliant but also a highly effective way for banks to strengthen their fraud prevention.


Empowering Customers for Safer Banking

As liability for impersonation scams shifts toward financial institutions, banks can no longer rely on awareness campaigns alone. Experience shows that people often forget what they’ve learned in the heat of manipulation. What’s needed are tools that assist customers in real time, helping them recognize deception before it leads to an authorized payment.

Integrated directly into the banking app (either as a standalone module or a chat window that activates when a payment is flagged as high-risk), ThreatMark’s ScamFlag does exactly that. It lets users upload suspicious messages, screenshots, or payment requests and instantly receive an AI-driven assessment. Along with a clear verdict on whether the content is fraudulent, ScamFlag explains the reasoning in plain language, highlighting red flags and manipulative tactics.

By unveiling scam attempts and capturing real-time data, ScamFlag helps banks strengthen fraud-intelligence capabilities and educate users, both aligned with PSD3 expectations. It also helps customers effectively recognize impersonation and other types of scams, mitigating potential liability risks for banks and reinforcing their institutional credibility.