PSD3 and PSR: turning regulatory obligations into opportunities

The European Union's forthcoming Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) are set to significantly reshape the financial sector's approach to combating payment fraud, particularly authorized push payment (APP) scams. These regulations, anticipated to take effect by late 2025, introduce mandatory fraud intelligence sharing among payment service providers (PSPs), marking a pivotal shift in the industry's fraud prevention strategies.

The Escalating Threat of Authorized Push Payment and Instant Payments Scams

APP fraud has surged across Europe, presenting a critical challenge for financial institutions. In 2022, the European Economic Area (EEA) reported payment fraud losses totaling €4.3 billion, with €2.0 billion lost in the first half of 2023.

Notably, credit transfers accounted for €1.131 billion of fraudulent transactions during this period, underscoring the severity of APP scams. The rise in fraud cases is attributed to increasingly sophisticated social engineering tactics, including impersonation and manipulation of payers.

These methods have evolved rapidly, exploiting vulnerabilities in existing fraud detection systems and highlighting the need for a more collaborative and proactive approach to fraud prevention.

A Closer Look at What PSD3 and PSR Actually Require

The new PSD3 and PSR frameworks aren’t just an update—they’re a regulatory overhaul that brings both stricter obligations and wider responsibilities for payment service providers (PSPs). One of the most critical updates? A stronger stance on liability for fraud.

Under Article 59 of the PSR, PSPs—as well as electronic communications service providers—will be on the hook to reimburse customers who fall victim to impersonation scams. That’s provided the customer reports the incident promptly to both the bank and the police. This shift sends a clear message: responsibility for fraud protection is no longer just a consumer burden—it’s a shared one.

But the reforms go further. For the first time, the PSR formally introduces the possibility for PSPs to share payment fraud data with each other. This includes sharing identifiers like a payee’s name, behavioral patterns, or suspicious transaction metadata—essential tools in identifying fraud patterns early.

This data sharing isn’t ad hoc; it’s expected to be structured through dedicated IT platforms and governed by detailed agreements between participating institutions. To align with GDPR, PSPs must also carry out a data protection impact assessment before joining any of these data-sharing arrangements. If risks are identified, they may even need to consult their national data protection authority.

At its core, this framework is about enabling smarter, more collective fraud detection. By pooling transaction insights—such as location, device type, spending behavior, or timing—PSPs can spot anomalies that would go undetected in isolation.

While these data-sharing arrangements are voluntary for now, they clearly signal the direction the industry is heading: toward cross-institution collaboration as a core component of fraud prevention.

Leveraging Compliance for Competitive Advantage

While PSD3 and PSR establish clear regulatory requirements, forward-thinking institutions can view these mandates as opportunities to strengthen their market position. By embracing collaborative fraud detection solutions and investing in advanced technologies, PSPs can not only ensure compliance but also enhance their risk management capabilities and reduce fraud-related losses.

Adopting secure, privacy-preserving technologies such as encrypted data analytics and secure multi-party computation allows institutions to share critical fraud intelligence without compromising sensitive data. This proactive approach not only bolsters cybersecurity resilience but also builds trust among customers and partners, positioning institutions as leaders in fraud prevention.

Conclusion: Embracing Collaboration for Sustainable Growth

The implementation of PSD3 and PSR signifies more than a regulatory overhaul; it represents a strategic shift towards a collaborative financial ecosystem. Institutions that proactively adapt to these changes can transform compliance obligations into opportunities for growth, operational efficiency, and competitive differentiation.

In an era where payment fraud is increasingly sophisticated and pervasive, embracing secure collaboration is not merely advisable—it is essential for long-term success and resilience in the financial sector.