What to expect from the Final PSD3 Legislation

PSD3 is the European Union’s third Payment Services Directive. It is the successor to PSD2, and aims to make European payments even more secure, innovative and competitive.

Read below the blog of Fraud Detection Strategist Wiebe Fokma, who discusses the expected PSD3 legislation.

Five predictions on the final EU Payment Service Directive, PSD3

It has been almost two years since the PSD3 proposal on 28 June 2023. At the time, it was expected that the final version would be published within a year. However, almost two years later, the market is still waiting. In the meantime, other countries have taken steps that are likely to influence the final version. Let’s take a look and make some educated guesses.


1. Customer reimbursement for all fraud and scams

Unfortunately, I don’t have any inside information, but you occasionally hear something, such as that there is a hefty lobby from EU parliamentarians and consumer organisations to increase the banks’ liability in cases of fraud and scams. Logically this would mean that the EU is to follow the UK Payment Systems Regulator (UK PSR) in reimbursing all unauthorised and authorised (APP) fraud, including romance and investment scams. The PSD3 proposal deemed this to be too high a risk for the payment ecosystem, despite substantiating this with flawed calculations. Meanwhile, the UK has proven that this isn’t a risk at all. So, my first prediction is that the final version of PSD3 will be much closer to the UK PSR with regard to customer reimbursement, if not identical.

2. Equal liability split between customer’s and payee’s bank

The UK has found a great solution to a long-standing frustration in the payments industry: banks hosting many mules are not at risk and have no incentive to address the issue. The UK PSR proposed a 50:50 liability split between the payer’s and payee’s bank. This sparked heated discussions about whether it could also be 30:70 or vice versa, depending on which bank performs better. Ultimately, it was set at 50:50 always. My second prediction is that the EU will also decide on a 50:50 liability split between the payer’s and payee’s banks. However, I do not expect Europe to follow the UK in naming and shaming mule banks.

3. Improved exchange of information to fight fraud

The PSD3 proposal is a bit inconsistent on the exchange of information, to put it mildly. In two considerations (103 and 105), it talks about the exchange of all relevant information including identifiers (plural). However, the consideration right in between them limits this to the IBAN, and the IBAN only (singular). The proposal does not seem to be aware of innovative payment methods and of a large proportion of the world not using IBANs. Another inconsistency is that it talks about information exchange to prevent and detect potentially fraudulent transactions, yet the exchange is only permitted if two customers have confirmed the fraud (Art. 83(1) and (3)), rendering the exchange too little too late. Finally, it also limits information exchange to that between PSPs, like banks, whereas the Anti-Money Laundering Regulation (AMLR), adopted last year, allows an exchange of all relevant data, and also with other types of institutions.

Is it a good idea to look at the UK again for this? Actually, no. With its Enhanced Fraud Data (EFD), Pay.UK has developed an architecturally thorough fraud exchange system that fully takes privacy into account. The issue is that ‘architecturally thorough’ also means ‘complex’ in this case. That is clearly not what the market is waiting for, and it is already leading to delays in its implementation. The chances of it being implemented seem slim.

Better look at the Netherlands, where the banks use the VOP rails to exchange additional information in order to prevent and detect fraud, in a privacy-preserving manner, just like VOP itself. The VOP results are typically fed into the fraud and money laundering detection systems. As VOP uses a flexible API, additional data fields can easily be added with no adverse effects, and the information will be instantly available in the fraud detection system. This makes it an almost cost-free way to exchange fraud prevention information.

To my prediction: if we combine what is seemingly intended in the PSD3 proposal with the ideas in the AMLR, we get: exchange of all relevant information including multiple identifiers to prevent and detect potential fraud. The exchange is to be allowed with PSPs and all other institutions, both public and private, when necessary to achieve this goal.

Somehow, I feel I am being too optimistic, but PSD3 should improve the fight against fraud, rather than limiting the possibilities. Combatting fraud and money laundering should be integrated, making it crucial to align PSD3 and the AMLR.

4. Privacy

We touched on the subject of privacy in the previous prediction. The limitations on information exchange – only an IBAN and only after two customers confirmed fraud – give the impression that they are based on privacy concerns, especially as there is no other reasonable explanation.

It is positive that PSD3 has attempted to explicitly state the limits, as the market needs clarity. It is positively surprising as politicians typically do not even want to touch the subject with a ten-foot pole. Too bad that these proposed limitations render the information exchange almost useless.

It would be great and important for the whole industry to strike a well-thought-through and substantiated balance between fraud prevention and privacy in the final PSD3. However, I fear this is a bridge too far.

My prediction for privacy is that the aforementioned limitations will be removed and that the reference to the GDPR will remain: carry out a Data Protection Impact Assessment (DPIA). This would leave it to the industry and lawyers to find the balance. This is definitely not optimal, but it would be much better than the current proposal. If any limitations remain, I hope they are well coordinated with industry experts.

5. Vulnerable customers

The subject of vulnerable customers is conspicuous by its absence from the PSD3 proposal. While the UK’s Financial Conduct Authority (FCA) published a 57-page guidance, and the Payment Systems Regulator (PSR) published another one on the caution exception, even the word ‘vulnerable’ is hard to find in the PSD3 proposal. I cannot imagine that this is still the case in the final version. Therefore, I predict that vulnerable customers will receive the attention and protection they deserve in the final version, to safeguard them in an increasingly complex online world, with the caution exception and no claim excess, where the customer’s vulnerability is to be assessed on an individual basis.

Summary of the predictions for the final version of PSD3

  1. Reimbursement of all scams, including all types of APP scams (e.g. romance and investment scams), to better protect consumers.
  2. A 50:50 liability split between the customer’s bank and payee’s bank to solve the current market frustration that ‘mule banks’ have no incentive to detect mules.
  3. Data sharing between PSPs (banks) and public and private companies will be possible in line with the AMLR to emphasise the importance of an integrated fight against fraud and money laundering. Anything less would mean that banks would do better to use the AMLR as a basis for information sharing.
  4. Either the current privacy-based limitations on the exchange of data are removed, or a well-thought-through limitation is introduced. If the limitations remain as unworkable as they are at present, then banks would do better to use the AMLR.
  5. Vulnerable customers should be given the protection they deserve: caution exception and no claim excess. The internet is increasingly fast and complex and the vulnerable shouldn’t pay the price.
