Most of the conversations I have with fraud leaders and C-suite executives about authorized push payment (APP) fraud still center on the same question: How do we stop it before the payment exits the would-be victim’s account?
It is the right question. Fraud teams understand that APP fraud begins with manipulation rather than the payment itself. Unfortunately, many of the controls institutions rely on today are still focused on the transaction.
Regulators, researchers, and practitioners are increasingly arriving at the same conclusion. By the time a manipulated customer reaches the point of payment, stronger authentication, additional payment checks, and generic warnings are often too late.
Europe's emerging regulatory framework is increasingly aligning with behavioral science. Both point in the same direction: earlier intervention, more personalized intervention, and less reliance on friction at the point of payment.
The question is no longer whether customer manipulation sits at the heart of APP fraud. The question is how institutions identify it early enough to intervene effectively.
APP fraud is not a payment problem
To answer that question, it helps to start with how regulators increasingly frame the problem. The industry term “authorized push payment fraud” describes the outcome: A customer authorizes a payment. The European Banking Authority (EBA) and European Central Bank’s 2025 Payment Fraud Report uses a definition that focuses on the cause: the manipulation of the payer to initiate a credit transfer.
This is more than a semantic distinction. It shifts attention from the payment event to the customer manipulation that precedes it.
That shift has important implications. If the fraud lies in the manipulation, rather than the payment itself, then a successful APP fraud transaction will often look entirely legitimate from the bank’s perspective.
A credit transfer under manipulation is, in every technical sense, an authorized, authenticated, legitimate transaction. The bank’s systems did what they were designed to do. The failure occurred upstream, in the customer's cognitive and emotional state when they commenced the payment.
The regulatory direction is now clear
The scale of the challenge is difficult to ignore. According to the EBA, manipulation of the payer now accounts for more than half the total value of fraudulent credit transfers across the EU, and that share continues to rise.
Regulators have taken notice. Two developments, in particular, are shaping the institutional response.
In the UK, Payment Systems Regulator (PSR) mandatory reimbursement has been in force since October 2024, transforming payer-manipulation fraud from a customer harm issue into a direct institutional liability. The initial results offered some cautious optimism. In 2024, payer-manipulation credit transfer losses fell 2% to just over £450 million, while case volumes declined by 20% to their lowest level since 2021. Many attributed the improvement to the anticipated impact of reimbursement rules and increased investment in fraud controls.
That optimism has not survived contact with 2025. According to UK Finance's Fraud Report 2026, APP fraud losses rose by 19% between 2024 and 2025 to £576.4 million. Investment scam losses increased by 40% to £221.5 million.
The lesson is a familiar one: As controls improve, criminals adapt. International payment fraud cases increased 81% in 2024, with losses nearly doubling. At the same time, fraudsters are increasingly concentrating their efforts on higher-value attacks, pushing average losses higher even when overall case volumes fluctuate.
Mandatory reimbursement has sharpened institutional focus, but it has not reduced the underlying threat. If anything, it has encouraged criminals to concentrate on the fraud types where customer manipulation is hardest to detect and losses are the greatest.
In the European Union (EU), Payment Services Directive 3 (PSD3) and the accompanying Payment Services Regulation (PSR), expected to take effect in 2027, make clear that payment service providers may be liable when customers are manipulated into authorizing payments and institutions fail to meet expected fraud-prevention standards.
For institutions operating across multiple jurisdictions, the message is increasingly difficult to ignore. Liability for payer-manipulation fraud is becoming a regulatory baseline across Europe and not just a UK-specific exception.
Alongside this, the EU Anti-Money Laundering Regulation (AMLR), also due to take effect in 2027, introduces a single rulebook for transaction monitoring and customer risk assessment across all member states. Its relevance extends beyond anti-money laundering. At its core is a risk-based approach that requires institutions to assess customers and transactions according to their individual characteristics rather than applying controls uniformly. That principle mirrors the growing body of research on behavioral economics, which consistently finds that interventions are most effective when tailored to the specific customer, transaction, and risk being presented.
Across reimbursement regulation, PSD3, and AMLR, the direction is remarkably consistent: Institutions are increasingly expected to identify risk earlier, understand it more precisely, and respond in ways that are proportionate to the circumstances of the individual customer.
Fraudsters target people, not payment systems
The regulatory direction is increasingly clear. The harder question is what institutions should do differently in their response to it.
One of the most detailed attempts to answer that question came from research published by Axiom Economics for the PSR in October 2025. The report provides one of the most rigorous publicly available examinations of why payer-manipulation fraud succeeds and what is required to stop it.
Its central finding is one the industry needs to internalize more fully: Payer-manipulation fraud exploits a cognitive vulnerability instead of a technical one.
The customer who initiates a fraudulent credit transfer is authenticated, using their own device, completing what appears to be a legitimate transaction. The manipulation that produced that payment happened before the banking session opened, during a phone call, in a messaging thread, or over weeks of carefully cultivated deception. Authentication controls, however sophisticated, cannot see what happened before login.
The research identifies four cognitive biases that fraudsters systematically exploit: vulnerability to scarcity, willingness to trust, the representativeness heuristic, and the dominance of fast, emotional System 1 thinking (to borrow from Daniel Kahneman’s “Thinking, Fast and Slow”) amid manufactured urgency.
These are not isolated vulnerabilities. They are the documented operating principles of every major fraud typology the EBA report identifies, from bank impersonation scams to investment fraud to invoice manipulation.
A successful fraudster rarely relies on a single tactic. They combine multiple forms of manipulation, creating an opportunity or a crisis that appears credible, resembles something familiar, and demands immediate action. The goal is simple: Prevent reflection long enough for the customer to authorize the payment themselves.
Why generic warnings fail
The implications for intervention design are clear, and the research is specific about what works and what does not.
Generic warnings applied across the payment journey are largely ineffective. Over time, customers become accustomed to seeing them and learn to treat them as friction rather than information. The more frequently they appear, the easier they are to ignore.
What works is targeted intervention. The most effective prompts are delivered at the point of highest risk and designed to address the specific type of manipulation taking place. A warning intended to interrupt a bank impersonation scam looks different from one designed to challenge the urgency of an investment scam.
The research also shows that susceptibility to manipulation varies significantly across the population. Factors such as age, financial literacy, and digital literacy influence how customers respond to fraud attempts and which interventions are most likely to be effective for each of those populations. This points toward a risk-based approach rather than a one-size-fits-all model. The same principle sits at the heart of the AMLR's customer due diligence framework: Controls should be informed by the characteristics of the customer, the transaction, and the risk being presented.
The technology challenge
The challenge is not understanding what effective intervention looks like. The research is increasingly clear on that point. The challenge is delivering those interventions consistently, in real time, and at the scale modern financial institutions require. That is where technology becomes decisive.
The interventions described in the research (and implicitly required through PSD3 and AMLR’s emphasis on risk-proportionate, evidence-based controls) cannot be delivered through rules-based systems or static warning frameworks. They require a real-time understanding of what is happening inside the customer’s session at both a cognitive and behavioral level.
Transactional data can tell you what payment a customer is trying to make. It cannot reliably tell you why. And that distinction matters. A customer moving quickly because they are confident can look similar, at the transaction level, to a customer moving quickly because a fraudster is coaching them through a credit transfer. The difference is visible in behavior: typing patterns that suggest dictated entry rather than recalled information, hesitation at the confirmation screen, or distraction signals consistent with a simultaneous phone call.
Only continuous, in-session behavioral intelligence can surface those signals at the speed and specificity required.
Historically, the barrier has been scale. Detecting elevated session risk is one challenge. Delivering the right intervention, in the right language, at the right moment, across millions of customer journeys is another. Large language models change that equation.
When integrated with real-time behavioral scoring, an LLM can help generate a contextual intervention tailored to the manipulation risk present in that session. It can speak to the specific concern, in natural language, at the point in the journey when research suggests deliberation can still be recovered. That is what makes targeted intervention economically viable at institutional scale. It is also the only approach that satisfies the regulatory standard of targeted, proportionate, evidence-based intervention rather than generic friction applied indiscriminately.
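As an added illustration (not code from the research or from any product), the sketch below reduces a session's events to the three behavioral signals named above and selects a prompt matched to them rather than a generic warning. The event names, thresholds, weights, and prompt labels are all assumptions, and both sample sessions are constructed.

```python
# Added illustration. Event names, thresholds and weights are assumptions,
# not values from the cited research or from any product.
LONG_PAUSE_S = 1.5   # a gap this long splits typing into separate bursts
HESITATION_S = 20.0  # dwell on the confirmation screen treated as hesitation

def typed(start, bursts, per_burst, intra, pause):
    """Build constructed keystroke events: bursts of keys separated by pauses."""
    t, out = start, []
    for _ in range(bursts):
        for _ in range(per_burst):
            out.append((round(t, 2), "key", ""))
            t += intra
        t += pause
    return out

def features(events):
    """Reduce (time, kind, detail) session events to three behavioral signals."""
    keys = [t for t, kind, _ in events if kind == "key"]
    gaps = [b - a for a, b in zip(keys, keys[1:])]
    long_pauses = sum(g > LONG_PAUSE_S for g in gaps)
    # Dictated entry: short bursts with repeated long pauses between them.
    dictated = len(gaps) >= 6 and long_pauses / len(gaps) >= 0.25
    shown = next((t for t, k, _ in events if k == "confirm_shown"), None)
    clicked = next((t for t, k, _ in events if k == "confirm_click"), None)
    dwell = clicked - shown if None not in (shown, clicked) else 0.0
    on_call = any(k == "call_state" and d == "active" for _, k, d in events)
    return {"dictated": dictated, "hesitation": dwell >= HESITATION_S,
            "on_call": on_call}

def choose_intervention(f):
    """Score the session (0-100) and pick a prompt matched to the signals."""
    score = 40 * f["dictated"] + 30 * f["hesitation"] + 30 * f["on_call"]
    if f["dictated"] and f["on_call"]:
        return score, "coached_call"      # ask whether someone is directing them
    if score >= 30:
        return score, "pause_and_review"  # slow the journey, restate the payee
    return score, None                    # no added friction

# Constructed sessions, not real customer data.
COACHED = ([(2.0, "call_state", "active")] + typed(10, 5, 3, 0.2, 2.5)
           + [(30.0, "confirm_shown", ""), (58.0, "confirm_click", "")])
CONFIDENT = typed(5, 1, 15, 0.2, 0) + [(12.0, "confirm_shown", ""),
                                       (14.0, "confirm_click", "")]

if __name__ == "__main__":
    for name, session in (("coached", COACHED), ("confident", CONFIDENT)):
        print(name, choose_intervention(features(session)))
```

The returned prompt label is the context a message generator would receive; a confident customer typing steadily and confirming promptly gets no added friction.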
The standard has changed
The regulatory timeline is fixed. PSD3 and the AMLR are expected to take effect in 2027. UK mandatory reimbursement is already in force.
At the same time, the evidence continues to build. The EBA's data shows payer manipulation is now the dominant fraud threat facing the European payments ecosystem. Behavioral economics research, which provides a clearer understanding of why these scams succeed and what types of intervention are most likely to stop them, is now published and on the record.
The implication is difficult to ignore. Institutions that continue to rely primarily on authentication controls and transaction monitoring to address payer-manipulation fraud will find themselves increasingly exposed to higher operational costs, direct financial costs (reimbursement), and regulatory risk. It is also becoming harder to explain those failures to regulators, boards, and customers when the payment itself was never the real point of failure.
Regulators are raising expectations. Customers are bearing the consequences when controls fail. And fraudsters continue to adapt. The obligation now is to respond at the standard the evidence demands.
—
Key takeaways:
- APP fraud is fundamentally a customer manipulation problem. The fraud often occurs before the banking session begins, when a customer is persuaded to make a payment they believe is legitimate.
- Regulation and behavioral science are converging on the same conclusion. PSD3, AMLR, and the UK's reimbursement regime all point toward earlier, more targeted intervention rather than greater friction at the point of payment.
- Transactional data can show what a customer is doing, but not why. Understanding intent requires behavioral signals that reveal whether a customer is acting independently or under manipulation.
- Institutions that continue to rely primarily on authentication controls and transaction monitoring will face growing operational, financial, and regulatory exposure as expectations around payer-manipulation fraud continue to rise.
Resources:
- Payment Systems Regulator: Using Behavioural Economics to Understand and Prevent Authorised Push Payments Fraud
- Payment Systems Regulator: APP fraud reimbursement protections
- European Banking Authority (EBA) and the European Central Bank (ECB): 2025 Report on Payment Fraud
- UK Finance: 2025 Half Year Fraud Report
- European Parliament: Payment services deal: More protection from online fraud and hidden fees