Almost three years after the first draft, the final text of the 3rd Payment Services Directive (PSD3)
and its Payment Services Regulation (PSR) was finally published on 23 April 2026.
Although little has changed since the draft of June 2025, there are nevertheless a few notable changes.
Disappointment is expected within the industry over the forced changes to fraud detection. While this may be good for privacy, it will have a significant impact, including on consumers.
The three key points of the PSR regarding fraud, with each point explained below:
- Banks are to redesign their fraud detection and rely heavily on mutual cooperation. This is enforced more strictly than in the 2025 concept, but another EU regulation provides a sound workaround that allows detection to carry on virtually unchanged.
- Banks become liable for bank spoofing. Despite attempts to extend their liability to UK levels, this is as far as it will go.
- Social media platforms must act on fraudulent content. The 2025 concept set out various effective ways for banks and platforms to collaborate, but little of that remains. A missed opportunity.
Equally interesting is what is not in the PSR: not a word about third-party vendors assisting banks with fraud detection, such as cyber, session and device monitoring. These vendors typically combine large amounts of information across banks and other institutions to improve their effectiveness. Is this an intended loophole, one wonders?
1. The desired way of fraud detection
The most effective method of fraud detection currently is the holistic approach. This involves using models that assess all of the bank’s available data. However, the PSR makes this impossible. The new approach can be summarised in three points (Articles 83 and 83a):
- Banks are only allowed to consider information on the customer involved, nothing else, except for the account number of the counterparty.
- Fortunately, if fraud is suspected, information on the counterparty can be shared, eliminating the need to guesstimate. This sharing is mandatory: banks are required to participate in sharing agreements and must actually share information.
- Banks are mandated to monitor both outgoing and incoming transactions for fraud.
Considerably more international transactions will be blocked.
The consequences are significant. Banks will have to overhaul their fraud detection in order to comply. Although the intention is clearly to improve privacy protection, this will backfire. With less data available, any deviation is more likely to be flagged as suspicious, and data on both customers must then be shared. Currently, banks keep their data in-house, where it is thoroughly secured. Under the PSR, however, they will be required to share it with other banks. If no data-sharing agreement has been reached with a foreign bank, decisions will have to be made on the basis of far less data, so the number of blocked transactions, especially international ones, will rise considerably.
Privacy is important, but will consumers be happy with this? Their data will be shared with all kinds of other banks, where it will be stored for ‘only’ five years. They will likely need to contact their bank to authorise unusual transactions.
The workaround: continue detection as usual with a few improvements
The PSR must be seen as a coherent whole with the Anti-Money Laundering Regulation (AMLR). According to AMLR Article 69(2), banks “shall assess transactions or activities carried out by their customers on the basis of and against any relevant fact and information known to them or which they are in possession of”.
The AMLR concerns money laundering, terrorist financing and predicate offences; fraud is a predicate offence. The holistic approach that the PSR no longer allows is an obligation according to the AMLR. Interesting, isn't it?
Banks can continue to carry out fraud detection as normal. They could perhaps relabel it as ‘predicate offence detection’ for the regulator. They could then add a simple model to detect possible fraud, using the resulting shared information in the detection model to improve its assessment. The shared data will, of course, improve the detection of money laundering, thus improving detection in both areas!
Banks that already carry out their AML detection in real time are well placed. However, they may need to improve their detection of incoming transactions and incorporate data sharing. The latter was already an option under Article 75 of the AMLR, so combining the PSR and AMLR measures makes sense, and doing so may broaden the possibilities for sharing.
I have been advocating for years that fraud and money laundering detection should be combined. A few banks are already doing this, and this presents a wonderful opportunity for others to follow suit.
2. Banks become liable for bank spoofing, but nothing extra
Banks become liable for bank spoofing, if the victim is a consumer. The payer’s liability is capped at €50. While the UK reimburses up to £85,000, the PSR has no upper limit. The usual exception is gross negligence, meaning that Italian consumers are likely to be left out in the cold (Article 59).
Proposals to extend the banks’ liability to UK levels – liability for all scams (APP fraud) – were discussed but did not make it to the final text. Unlike in the UK, there is also no liability sharing between the payer's and payee's bank. It is probably thought that the latter is covered in a gentler way by obliging banks to monitor incoming transactions and share information.
3. Social media platforms must act on fraudulent content
The June 2025 PSR proposal outlined various effective methods for getting banks and platforms to work together, but little of that remains (Articles 59a and 59b). This is especially concerning given that studies consistently show that around 75–80% of fraud originates on social media platforms. It seems that those platforms have mounted an effective lobbying campaign. Or could it be that the EU is afraid of sanctions if social media platforms were finally forced to take responsibility? A missed opportunity.