

As experienced risk managers and compliance professionals, most of us have lived through a period when things still, broadly, made sense. In the early days of compliance, regulations were manageable, teams were small, and it was possible to focus on one issue at a time and actually resolve it.

Then, around 2018, something shifted. Regulators in the European Union (EU) seemed to wake up and decide it was time to flex their muscles. Or at least, that’s how I like to think it happened.

 

The regulatory wave that changed everything

 

First came the Fourth Anti-Money Laundering Directive (AMLD4), which fundamentally reshaped how anti-money laundering and counter-terrorist financing (AML/CTF) work is conducted, a shift that still defines the field today. Then came the General Data Protection Regulation (GDPR), and suddenly personal data became the key issue.

Even in Sweden, where strict data protection laws already existed, this was different. Awareness exploded, and compliance became a visible, organization-wide concern. It’s hard to recall another regulation that generated as much attention, and as much marketing.

And then there was the Second Payment Services Directive (PSD2).

At the time, I was with the Swedish Financial Supervisory Authority (FSA), handling authorizations for institutions below the banking threshold, including payment institutions, e-money institutions, and consumer credit firms. PSD2 changed how we viewed payment services entirely, introducing the concept of open banking.

On paper, open banking sounded great: Open the gates, share the data, let innovation flourish. And it did. New players entered the market at speed. But it also created confusion.

What actually qualified as a payment service?

More than once, I counselled firms seeking authorization they didn’t really need, since they were simply providing technical solutions.

It was, in many ways, uncharted territory.

 

PSD3 and PSR: Same road, new risks

 

With the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), we’re taking another step down the open banking path. But the focus has shifted. This time, it’s about fraud and how to manage it.

Key elements include verification of payee, liability for spoofing (when fraudsters impersonate trusted entities), and expanded data sharing for fraud prevention. While PSD2 helped reduce fraud in some areas — European Banking Authority (EBA) data showed remote card fraud dropped by 70% to 80% due to strong customer authentication — criminals adapted. Authorized push payment (APP) fraud, where customers are tricked into sending money to fraudsters, has grown significantly.

PSD3 is designed to address these newer threats.

 

The danger of regulatory complacency

 

So why does it matter now? Management teams and boards across financial institutions have invested significant time and effort implementing PSD2. That creates a risk of complacency, especially when the latest updates appear minor on the surface. But in this case, that assumption would be a mistake.

In Sweden, developments around spoofing liability have already taken an interesting turn. Courts are placing greater responsibility on banks to prevent and respond to these cases. One simply cannot consider this a low-risk area.

Which raises a fundamental question: Who actually owns this risk?

 

Fragmented ownership, blurred accountability

 

In most firms, responsibilities are split. Payments sit in one function. Financial crime is handled across several teams. The outputs of these teams are aggregated for management reporting, and then someone is expected to make sense of it all.

In theory, this works. In practice, it often doesn’t.

Add poor data quality, unclear ownership, and a board that may struggle with moral hazard, and you have a ticking time bomb.

I recall a case during an FSA site visit where a firm was asked to produce data linking payments, transaction monitoring, and know-your-customer (KYC) information. What sounded straightforward quickly became a nightmare. It took weeks to produce reliable outputs — not an ideal situation during a regulatory visit.

The lesson was clear: Understand how customer data is structured, how it connects to payments data, and who owns what. Just as important, senior management gained a clearer sense of what control actually means.

 

What boards and senior management must do now

 

At the board and senior management level, oversight and a genuine sense of control are essential, especially when dealing with emerging risks.

Preparation for PSD3 and PSR will require several things:

  • A review of how the payments function operates, and whether it can deliver reliable, usable data
  • A clear understanding of how payments data integrates with financial crime processes
  • Defined ownership of PSD3-related risks, with accountability for reporting and escalation
  • Ongoing monitoring of how these risks evolve, and how they impact the business

PSD3 is not just another compliance exercise. It cuts across payments, fraud, data, and customer protection. That makes it inherently a board-level issue.

But if ownership remains fragmented, accountability will remain unclear, and that’s where the real risk lies.

At the end of the day, someone needs to own this. The question is: Who?

Key takeaways:

 

  • PSD3 elevates fraud risk to a board-level priority: Unlike PSD2’s focus on access and innovation, PSD3 centers on fraud prevention, liability, and data sharing, requiring executive oversight.
  • Regulatory complexity has increased fragmentation: Responsibilities across payments, financial crime, and data functions are often siloed, creating gaps in ownership, coordination, and accountability.
  • Fraud typologies are evolving faster than controls: While PSD2 reduced certain fraud types (e.g., card fraud), threats like authorized push payment (APP) fraud have grown, requiring new detection and prevention strategies.
  • Data integration is a critical weakness: Effective PSD3 compliance depends on linking payments, KYC, and transaction monitoring data. This is something many institutions struggle to do reliably and quickly.
  • Clear ownership and governance are essential: Firms must define who owns PSD3-related risks, ensure accountability for reporting and escalation, and enable boards to have a true sense of control.

 
