
EU Payment Services Regulations: New Fraud Provisions

26 May 2026 | 5 min read

The latest fraud-related provisions under the incoming EU Payment Services Regulations introduce prescriptive requirements for prevention, monitoring, data sharing and reimbursement. They materially expand obligations on payment service providers (PSPs) and create new consumer protections with tight timelines. This article summarises the key measures and highlights practical steps for implementation.

Impersonation Fraud (Article 59)

Technical safeguards and liability to reimburse

PSPs must implement adequate and robust technical safeguards to prevent fraudsters from replicating or misusing the PSP’s communication channels, such as phone numbers and email addresses, to mislead users into making fraudulent transactions. A PSP must reimburse a consumer who is manipulated into authorising fraudulent transactions by a third party that impersonates the consumer’s PSP and uses communication channels attributed to that PSP.

Conditions, timing and exceptions

Reimbursement is mandatory within 15 business days. The customer must notify both their PSP and the police without undue delay upon discovering the fraud. A PSP may decline reimbursement if it has objectively justified reasons to suspect fraud or gross negligence by the consumer, subject to a prescribed process.

Allocation of loss between service providers and others

Member States or PSPs may grant more favourable refund rights. Where a PSP’s liability is caused by another PSP or an intermediary, the responsible party must compensate the PSP for the losses. A hosting provider may also be required to compensate a PSP for losses under Article 59, subject to certain conditions.

New Fraud Prevention Measures

Customer-set limits

PSPs must allow payment service users (PSUs) to set maximum amount limits per payment method and instrument. PSUs must be able to choose transaction-based or time frame-based limits. Limits must be modifiable at any time, with a four-hour delay and mandatory notification for remote changes. If a limit is reached, the PSP must block the transaction and notify the PSU immediately.
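The limit mechanism described above (per-instrument limits, a transaction-based or time-frame-based cap, a four-hour delay before a remotely requested change takes effect, and an immediate block plus notification when a limit is reached) is shown below as an added illustration. It is example code written for this page, not code from any PSP or from the regulation itself; the instrument identifiers, the cent-denominated amounts and the timestamps are constructed, and the in-memory store, the `LimitEngine` class and its method names are assumptions for the sake of the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Literal, Optional

# Delay applied to remotely requested limit changes, as summarised above.
REMOTE_CHANGE_DELAY = timedelta(hours=4)


@dataclass
class Limit:
    """A customer-set cap: either per single transaction or over a rolling window."""
    kind: Literal["per_transaction", "time_frame"]
    amount_cents: int
    window: Optional[timedelta] = None  # required only for time_frame limits


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class InstrumentState:
    """Active limits, delayed (pending) changes and executed amounts for one instrument."""
    active: list[Limit] = field(default_factory=list)
    pending: list[tuple[datetime, list[Limit]]] = field(default_factory=list)
    history: list[tuple[datetime, int]] = field(default_factory=list)
    notifications: list[str] = field(default_factory=list)


class LimitEngine:
    """Hypothetical in-memory enforcement of customer-set limits (example only)."""

    def __init__(self) -> None:
        self.instruments: dict[str, InstrumentState] = {}

    def _state(self, instrument: str) -> InstrumentState:
        return self.instruments.setdefault(instrument, InstrumentState())

    def set_limits(self, instrument: str, limits: list[Limit],
                   now: datetime, remote: bool) -> datetime:
        """Record new limits. Remote changes are queued and take effect after the delay,
        and the user is notified; non-remote changes apply immediately."""
        st = self._state(instrument)
        if remote:
            effective = now + REMOTE_CHANGE_DELAY
            st.pending.append((effective, list(limits)))
            st.notifications.append(
                f"{now.isoformat()} remote limit change on {instrument}; "
                f"effective {effective.isoformat()}")
            return effective
        st.active = list(limits)
        return now

    def _apply_pending(self, st: InstrumentState, now: datetime) -> None:
        # Promote every queued change whose effective time has been reached, oldest first.
        due = sorted(p for p in st.pending if p[0] <= now)
        for _, limits in due:
            st.active = limits
        st.pending = [p for p in st.pending if p[0] > now]

    def authorise(self, instrument: str, amount_cents: int, now: datetime) -> Decision:
        """Check a transaction against the active limits; block and notify if one is reached."""
        st = self._state(instrument)
        self._apply_pending(st, now)
        for lim in st.active:
            if lim.kind == "per_transaction" and amount_cents > lim.amount_cents:
                return self._block(st, instrument, now,
                                   f"per-transaction limit {lim.amount_cents} reached")
            if lim.kind == "time_frame" and lim.window is not None:
                spent = sum(a for t, a in st.history if now - lim.window < t <= now)
                if spent + amount_cents > lim.amount_cents:
                    return self._block(st, instrument, now,
                                       f"time-frame limit {lim.amount_cents} over {lim.window} reached")
        st.history.append((now, amount_cents))
        return Decision(True, "within limits")

    def _block(self, st: InstrumentState, instrument: str,
               now: datetime, reason: str) -> Decision:
        st.notifications.append(f"{now.isoformat()} blocked on {instrument}: {reason}")
        return Decision(False, reason)


if __name__ == "__main__":
    # Constructed walk-through: one card with a per-transaction and a daily cap.
    engine = LimitEngine()
    t0 = datetime(2026, 5, 26, 9, 0)
    engine.set_limits("card-1", [Limit("per_transaction", 50_000),
                                 Limit("time_frame", 100_000, timedelta(days=1))],
                      t0, remote=False)
    print(engine.authorise("card-1", 60_000, t0))                           # blocked
    print(engine.authorise("card-1", 40_000, t0))                           # allowed
    engine.set_limits("card-1", [Limit("per_transaction", 100_000)], t0, remote=True)
    print(engine.authorise("card-1", 60_000, t0 + timedelta(hours=1)))      # still blocked
    print(engine.authorise("card-1", 60_000, t0 + timedelta(hours=4)))      # allowed
    print(*engine.instruments["card-1"].notifications, sep="\n")
```

The rolling-window sum in `authorise` is the part that makes a time-frame limit materially different from a per-transaction one, and the pending queue is what keeps a remotely requested relaxation from taking effect until the delay has elapsed, so a fraudster who has obtained remote access cannot lift the limit and drain the account in the same session.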

Blocking a payment instrument

A PSP may block a payment instrument (i.e. payment card, payment account) for security of the instrument, suspicion of unauthorised or fraudulent use, or a significant increased risk of payer default. The PSP must notify the payer of the block and the specific reasons. The PSP must review the blockage within two business days to ensure the reasons remain valid and the payment instrument must be unblocked or replaced immediately once the security or credit risk is resolved.

Suspending a transaction

The PSP must pause any transaction if there are objective grounds to suspect fraud. If the PSP fails to suspend a suspicious transaction, the PSU does not bear any financial loss. After suspension, the PSP must immediately notify the payer, review any additional information provided, and decide whether to execute the payment.

Transaction Monitoring

Mandatory live monitoring, liability and burden of proof

Live transaction monitoring is mandated before execution for the payer’s PSP and before funds are made available for the payee’s PSP. If a PSP fails to perform transaction monitoring and the payer suffers financial loss, the PSP is liable, with liability waived only if the PSP can prove the payer acted fraudulently. If the payer’s PSP cannot prove that both PSPs applied the required monitoring, it must refund the full transaction amount.

Prescribed data and risk factors

The list of data to be processed for transaction monitoring is prescribed and limited for both the payer’s PSP and the payee’s PSP. Monitoring mechanisms must take into account risk-based factors, including, for example, known fraud scenarios, signs of malware infection, and lists of compromised or stolen authentication elements.

Data Sharing to Combat Fraud

Sharing between PSPs (Article 83a)

PSPs must participate in data sharing arrangements with other PSPs and must exchange data where they have objectively justified reasons to suspect fraudulent behaviour by a PSU. The list of data to be shared is limited and prescribed, mirroring the data used for transaction monitoring. Information on environmental and behavioural characteristics typical of the payer cannot be shared. Information shared on such platforms cannot be the sole basis for terminating an account or refusing onboarding if the information has not been assessed by the PSP. The European Payments Council (EPC) has launched a project, FRIDA, to create a data sharing platform accessible by all PSPs in the EU/EEA, and other similar initiatives are also underway.

Sharing with other actors (Article 59a)

Data may be exchanged for the prevention and detection of fraudulent payment transactions, where there are objectively justified grounds to suspect fraudulent behaviour, between PSPs and providers of hosting services, and between PSPs and providers of electronic communication services. Providers of communication services, very large online platforms (VLOPs) and very large online search engines (VLOSEs) must establish dedicated communication channels to exchange data with PSPs or participate in an information sharing mechanism. PSPs should align the data sharing mechanisms they use with applicable data protection requirements once the final text is available.

How FM can assist

If you would like to discuss what the new fraud provisions mean for your firm in practice, and how to be in a position to demonstrate compliance with these new provisions before your firm is subjected to PSD3 reauthorisation, please contact FM Legal for a confidential discussion.
