What is PSD3, the European directive against online fraud

Europe Prepares to Tackle Online Fraud with the Introduction of PSD3

Although no date has been set, the stakeholders affected by the new directive expect it to enter into force in 2025 and are focusing on putting in place the resources and measures needed to comply.

What is PSD3

The Payment Services Directive 3 (PSD3) is a revision of the previous directive (Payment Services Directive 2, or PSD2). The review was carried out in 2022, the European Commission presented its proposal in 2023, and the European Parliament adopted its position in 2024. No date has yet been set for its entry into force; it is expected to take effect in 2025 or the year after.

While PSD1 (adopted in 2007) aimed to establish a harmonised legal framework for an integrated European payment market, and PSD2 set the rules for all retail payments (euro and non-euro, domestic and cross-border), PSD3 arises from the need to assess whether the current directive remains sufficient after the growth of electronic payments, which surged during the COVID-19 pandemic, and after recent innovation and technology affecting the financial sector in particular (contactless payments, instant payments, etc.).

The evaluation conducted in 2022 concluded that PSD2 had achieved positive results in areas such as fraud prevention, through the introduction of Strong Customer Authentication (SCA), as well as greater efficiency, transparency, and consumer choice of payment instruments, and Open Banking. However, it fell short in other areas, such as access to payment systems and to key account information for emerging non-bank players: non-bank payment service providers, account information service providers, and payment initiation service providers.

Special focus on online fraud

Despite the introduction of Strong Customer Authentication (SCA), online fraud has developed new tactics in recent years to get around this barrier, notably the increasingly common social engineering and impersonation techniques that lead users to hand sensitive data to third parties of their own accord. With this information, attackers can access user accounts, make card payments, or authorise charges through money transfer systems. SCA offers no protection at all when the victim completes the authentication step themselves on the attacker's instructions. In this respect, PSD2 has become outdated.

Beyond the obvious problem (the crime itself), there is the added concern that the loss falls entirely on the user. As recent cases have shown, cybercriminals often hold information about their victims that could point to a data breach at the bank itself. They also use techniques such as Caller ID spoofing, so that the number shown on the victim's phone during a fraudulent call is identical to the bank's official number.

PSD3 therefore aims to shift part of the liability for online fraud (with specific conditions and exceptions) away from the user and onto the banks and service providers.

The new anti-fraud measures of PSD3

The following are the measures incorporated into PSD3 to increase user security against online fraud.

Extension of IBAN/Name Verification for Instant Payments

The directive proposes a new verification service, introduced for instant payments and applicable to all credit transfers within the EU, free of charge for consumers, that detects discrepancies between the payee's name and the payee's unique identifier (the IBAN). At the request of the payer's PSP, the payee's PSP must check whether the IBAN and the name supplied by the payer match. If they do not, the payer's PSP must notify the payer of the discrepancy, and the payer can then choose to authorise or reject the transfer despite it. Users will have the right to opt out of this service.
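As an added illustration (not code from the original article, nor from any PSP or from the directive's technical standards), the following Python sketch shows the payee PSP's side of such a check: it validates the IBAN checksum (ISO 13616 mod-97), looks the account up in a constructed register, and compares the payer-supplied name with the registered name after normalisation. The account register, the 0.85 similarity threshold, the list of legal-form suffixes and the outcome labels are assumptions made for the example.

```python
"""Verification-of-payee check (added example; register, threshold and labels are assumptions)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample register held by the payee's PSP: IBAN -> registered account holder.
ACCOUNT_REGISTER = {
    "DE89370400440532013000": "Max Mustermann GmbH",
    "GB82WEST12345698765432": "Jane Doe",
}

# Illustrative similarity above which a name is reported as a "close match".
CLOSE_MATCH_THRESHOLD = 0.85

# Assumed list of legal-form suffixes ignored when comparing company names.
LEGAL_FORMS = {"gmbh", "ltd", "plc", "sa", "sl", "bv", "inc", "ag"}


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35 and verify that the resulting integer is congruent to 1 modulo 97."""
    iban = iban.replace(" ", "").upper()
    if not (15 <= len(iban) <= 34) or not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]+", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def normalize_name(name: str) -> str:
    """Fold accents and case, drop punctuation and legal-form suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return " ".join(t for t in tokens if t not in LEGAL_FORMS)


def verify_payee(iban: str, claimed_name: str, register=None) -> dict:
    """Payee-PSP side of the check. Outcome is one of: match, close_match, no_match,
    invalid_iban, unknown_account. The registered name is disclosed only on a close
    match, so the service cannot be used to enumerate account holders by IBAN."""
    register = ACCOUNT_REGISTER if register is None else register
    iban = iban.replace(" ", "").upper()
    if not iban_is_valid(iban):
        return {"outcome": "invalid_iban", "registered_name": None}
    registered = register.get(iban)
    if registered is None:
        return {"outcome": "unknown_account", "registered_name": None}
    claimed, actual = normalize_name(claimed_name), normalize_name(registered)
    if claimed == actual:
        return {"outcome": "match", "registered_name": None}
    similarity = SequenceMatcher(None, claimed, actual).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return {"outcome": "close_match", "registered_name": registered}
    return {"outcome": "no_match", "registered_name": None}


def payer_must_be_warned(result: dict) -> bool:
    """Payer-PSP side: anything other than a confirmed match must be shown to the
    payer before they decide whether to authorise or reject the transfer."""
    return result["outcome"] != "match"


if __name__ == "__main__":
    for iban, name in [
        ("DE89 3704 0044 0532 0130 00", "Max Mustermann"),  # match
        ("GB82WEST12345698765432", "Jane Do"),              # typo -> close match
        ("GB82WEST12345698765432", "Acme Holdings"),        # wrong payee -> no match
        ("DE89370400440532013001", "Max Mustermann"),       # checksum broken
        ("NL91ABNA0417164300", "Anyone"),                   # valid IBAN, not held here
    ]:
        r = verify_payee(iban, name)
        print(f"{iban:28} {name:16} -> {r['outcome']:15} warn={payer_must_be_warned(r)}")
```

The design point worth noting is the asymmetry in what is returned: a close match reveals the registered name so the payer can correct a typo, but a clear mismatch reveals nothing, since a service that returned the holder of any IBAN on request would itself be a reconnaissance tool for fraudsters.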

Improvement of Strong Customer Authentication (SCA)

SCA (Strong Customer Authentication), the two-factor authentication users already know from making payments, is retained, and PSD3 introduces the following improvements:

  • It clarifies the situations in which SCA need not apply, such as when the payer uses alternative payment methods that involve no electronic platform or device, and adds safeguards so that users remain protected against fraud in those cases.

  • It specifies that the amount and the payee must be dynamically linked to the transaction the payer authorises, so that an authentication code obtained for one transfer cannot be reused for a different amount or a different recipient.

  • It eases access to bank account data by account information service providers by requiring a single SCA at the first connection, except where fraud is suspected.

  • It promotes the use of pass-through digital wallets by applying SCA at the moment a new payment instrument is added to the wallet, under the responsibility of the PSP that manages the instrument.

  • It protects users at a technological disadvantage by requiring payment service providers to offer alternatives that do not depend on a single technology for two-factor authentication, such as owning a smartphone.
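Dynamic linking is the part of SCA most relevant to the fraud described in this article: the authentication code must be bound to the amount and the payee, so a code the user approved for one transfer cannot be replayed, or silently re-pointed, for another. The Python below is an added example (not code from the article, from the directive, or from any PSP). The user's device holds a key shared with the PSP, derives an 8-digit code from an HMAC over the canonical transaction using the dynamic truncation of RFC 4226 section 5.3, and the PSP recomputes the code over the transaction it is actually about to execute. The device key, transaction data and IBANs are constructed for the example; a real deployment would keep the key in the device's secure hardware and unlock it with a second factor (PIN or biometric).

```python
"""SCA dynamic linking (added example): an authentication code bound to amount and payee."""
import hashlib
import hmac
import json

# Constructed shared secret between the user's device (possession element) and the PSP.
# In practice it lives in a secure element and is unlocked by a knowledge/inherence factor.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def canonical_transaction(amount_cents: int, currency: str, payee_iban: str, tx_id: str) -> bytes:
    """Deterministic encoding of exactly the fields the user is shown and approves.
    Sorted-key JSON avoids delimiter ambiguity between fields."""
    return json.dumps(
        {
            "amount_cents": amount_cents,
            "currency": currency.upper(),
            "payee_iban": payee_iban.replace(" ", "").upper(),
            "tx_id": tx_id,
        },
        sort_keys=True,
        separators=(",", ":"),
    ).encode()


def approval_screen(amount_cents: int, currency: str, payee_iban: str) -> str:
    """What the device displays; built from the same values that go into the code,
    so the user approves exactly what is signed ("what you see is what you sign")."""
    return f"Pay {amount_cents // 100}.{amount_cents % 100:02d} {currency.upper()} to {payee_iban}"


def generate_auth_code(key: bytes, amount_cents: int, currency: str, payee_iban: str, tx_id: str) -> str:
    """Device side: HMAC-SHA256 over the canonical transaction, truncated to 8 digits
    with the dynamic-offset method of RFC 4226 so it can be shown to or typed by the user."""
    message = canonical_transaction(amount_cents, currency, payee_iban, tx_id)
    digest = hmac.new(key, message, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**8:08d}"


def verify_auth_code(key: bytes, code: str, amount_cents: int, currency: str, payee_iban: str, tx_id: str) -> bool:
    """PSP side: recompute over the transaction actually being executed. Any change to
    amount, payee or transaction id after approval yields a different code."""
    expected = generate_auth_code(key, amount_cents, currency, payee_iban, tx_id)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # The user approves 250.00 EUR to a constructed payee IBAN.
    code = generate_auth_code(DEVICE_KEY, 25000, "EUR", "NL91 ABNA 0417 1643 00", "tx-1001")
    print(approval_screen(25000, "EUR", "NL91ABNA0417164300"), "->", code)
    print("unchanged:     ", verify_auth_code(DEVICE_KEY, code, 25000, "EUR", "NL91ABNA0417164300", "tx-1001"))
    # A fraudster re-points the payee or raises the amount after the user approved.
    print("payee swapped: ", verify_auth_code(DEVICE_KEY, code, 25000, "EUR", "GB82WEST12345698765432", "tx-1001"))
    print("amount raised: ", verify_auth_code(DEVICE_KEY, code, 99900, "EUR", "NL91ABNA0417164300", "tx-1001"))
```

Two caveats follow from the code. First, the binding only helps if the approval screen is rendered from the same canonical data that is authenticated; a code computed over one set of fields while the user is shown another defeats the purpose. Second, dynamic linking stops a transaction being altered after approval, but not a victim being talked into approving the wrong transaction in the first place, which is why the liability and reimbursement rules discussed later in this article still matter.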

Right to reimbursement for fraud victims

Two scenarios are foreseen in which victims of online fraud will be able to claim reimbursement of the amount lost:

  • A failure of the IBAN/name verification, meaning a discrepancy between the two was not detected and the user was therefore not notified of it.

  • Impersonation of the bank through sophisticated deception, such as a call from someone posing as a bank employee who asks the user to perform actions (data verification, logging in) that result in financial loss. To exercise the right to reimbursement, however, the case must not show "gross negligence" on the victim's part: the victim must not have fallen for the same scam repeatedly, and the scam must have been convincing, for example a call that spoofed the bank's legitimate number.

Improvement of information sharing on fraud

While PSD2 laid the groundwork for the fight against fraud with measures such as the implementation of Strong Customer Authentication (SCA), cybercriminals have managed to exploit the weaknesses of an integrated framework still in development: the fragmentation of communications between payment service providers (PSPs).

This article from Paymerix provides very clear examples:

  • Isolated fraud data. Each PSP generates and keeps its fraud intelligence independently, so what it learns about fraud is not shared. This isolation also prevents large-scale pattern analysis: each party sees only a fragment of the overall picture.

  • Reactive sharing. The sharing of these analyses happens reactively, that is, after an attack has already taken place. This delay allows cybercriminals to continue exploiting vulnerabilities.

  • Lack of standardization. Sharing information and collaboration are complicated by the absence of standardized systems across countries and agents.

  • Regulatory gaps. The lack of joint regulation including fraud prevention has encouraged isolated and reactive analysis, especially for PSPs.

Therefore, the objectives of PSD3 focus on creating a collaborative environment with all stakeholders based on preventive information sharing.

To achieve these goals, it proposes the following measures:

  • Create real-time networks for exchanging fraud-related information. This would include sending alerts as soon as fraud is detected, so that other parties can update their defences quickly, and building a shared database of patterns, flagged accounts, or compromised credentials.

  • Standardization of fraud data formats, fostering an agile sharing environment independent of technologies, agents, and countries.

  • Collaboration between countries. Fraudulent attacks are often carried out from foreign countries, involving multiple jurisdictions. Coordinating actions would improve and facilitate fraud investigation and prevention.

  • Integration of AI and machine learning. AI-based systems would allow defining patterns at scale, predicting new fraud techniques based on historical data, and automating responses to attacks.

  • Legal protection for information sharing. PSD3 includes provisions to encourage PSPs to share information without risking violations of data protection laws.

The objectives and measures proposed by PSD3 are no small matter and will undoubtedly bring many benefits to the fight against fraud, creating a space for prevention and rapid response that protects and fosters user trust.

However, it is not without major challenges that the main sector players will have to face, such as technological integration, coordination between governments and regulatory frameworks, safeguarding user privacy, and the potential loss of competitive advantage for PSPs.

Open banking and Data Protection

All these measures fall within the EU’s broader commitment to Open Banking, a framework in which customers securely share their financial data with third parties (fintechs, other banks, or service providers) to promote new, innovative, and value-added services.

To achieve this, however, it is essential to create a regulatory framework that prioritizes customer privacy above all, starting by giving users full access to and control over all shared data. This is, precisely, one of the core objectives of PSD3.

The current starting point is as follows: in the absence of specific regulation on data sharing, little is known about which data is being shared, beyond payment-related data. This situation creates risk and uncertainty and prevents customers from managing which data they allow to be shared.

The measures included in PSD3 to build the ideal framework for Open Banking include the creation of a dashboard with high-quality interfaces from which customers can manage all permissions related to data sharing, based on the premise that such sharing will always be optional and never mandatory.

Thus, with PSD3, customers will have the right to access all data that data holders have about them at no additional cost. This requires a standardization process to make data sharing between institutions and providers a reality.

The main challenges foreseen for PSD3 are providing sufficient incentives for involved parties to standardize their systems and offer such interfaces, and overcoming the liability risks associated with data sharing.

In short, PSD3 aims to foster innovation through a customer-centric approach aligned with the GDPR.

Do you need help against online fraud?

Write to us with your inquiry, and we will get in touch with you soon.
