Earlier this year, I wrote about the evolving negotiations around the European Commission’s payments package and the long path toward a finalized PSD3 framework. With 2025 rapidly drawing to a close, the landscape has shifted decisively: The European Parliament and the Council of the European Union have reached an informal political agreement on PSD3, the new Payment Services Regulation (PSR), and the associated consumer-protection and fraud-mitigation reforms.
As technical drafting and adoption stretch into 2026, the agreed direction offers clarity. This is a key moment: Fraud prevention, Open Banking, consumer protection, PSP operations, and the payments ecosystem now have clearer guidelines to follow. Against this backdrop, the following developments underscore just how fundamental the changes are for all market participants.
For institutions hoping PSD3 might slip quietly into the long grass, the message is stark: There is no time to wait. The next 12–18 months will determine Europe’s payments-security posture for the next decade. Immediate preparation is imperative.
PSD3: Evolution, but with teeth
Right from the start, the commission has referred to PSD3 as an evolution rather than a revolution. The final agreement reflects this. Yet, evolution can also be profound. The deal strengthens fraud protections, modernizes Open Banking, enhances transparency, and sets stricter operational expectations for all payment service providers.
Throughout the process, the commission, council, and parliament have been largely aligned on the big picture:
- Turn the tide on social-engineering-driven fraud.
- Strengthen consumer protection.
- Embed Open Finance foundations.
- Harmonize supervisory powers across all member states.
- Introduce greater transparency and fairness in pricing.
- Ensure cross-sector collaboration to tackle fraud upstream.
Taken together, the finalized political deal achieves each of these aims and does so more assertively than many industry stakeholders anticipated. This brings us to a pivotal development for payment security.
Mandatory reimbursement for impersonation fraud
The most consequential shift to come out of this deal relates to impersonation fraud liability.
The new agreement confirms:
- PSPs must reimburse consumers who are misled by criminals impersonating banks or trusted authorities.
- This applies when victims are manipulated into making a payment, believing the instructions came from a legitimate source.
- Consumers must notify their bank without undue delay and provide relevant evidence.
- Member states will apply harmonized complaint-resolution deadlines.
The EU has now moved from a patchwork of national standards to a unified reimbursement rule. Although not identical to the UK’s 50:50 regime, Europe has clearly shifted liability for impersonation-driven fraud from consumers to financial institutions.
For PSPs, the operational implications are significant. They must:
- Strengthen mule-account detection, monitoring, and interdiction.
- Develop consistent reimbursement processes across markets.
At BioCatch, we see this as validation of a long-standing observation: You cannot solve fraud at the payment stage alone. You must detect the behavior, intent, and any coercion behind the transaction.
Key takeaway: PSPs must reimburse victims of impersonation fraud, thereby shifting the fraud risk from customers to PSPs.
A shared burden
Parliament secured another important win in this deal: Online platforms and digital intermediaries will now be required to cooperate.
This includes:
- Obligations for platforms to work with PSPs to remove or block fraudulent content
- Faster takedown expectations
- Information-sharing duties in fraud cases
Online platforms will be liable to PSPs who have reimbursed defrauded customers if those platforms are informed of fraudulent content on their platform and fail to remove it. This establishes the first EU-level mechanism recognizing that fraud often begins before payment initiation. While these provisions are welcome, it remains to be seen how readily liability can be evidenced and how willing tech organizations will be to accept that liability.
Key takeaway: PSPs should build a strategy to identify and share threats that originate on tech platforms. If customers incur losses because of such content, PSPs should identify it and consider the scope for a liability shift.
Mandatory Confirmation of Payee
A major gap between Europe and the UK has finally closed. The deal introduces:
- Mandatory Confirmation of Payee (CoP) for all euro credit transfers.
- Alignment with the Instant Payments Regulation (IPR), ensuring name-matching becomes a universal feature.
While this will undoubtedly reduce misdirected payments (as has been the case in the UK), there is little prospect of mandatory CoP having a meaningful impact on impersonation fraud. This change will instead shift customer expectations, making name-checking standard across the EU.
Key takeaway: Consumers will now expect name verification for all euro transfers.
Open Banking becomes Open Finance
PSD3 builds upon PSD2’s legacy but adds the rigor and accountability the industry has long been asking for. The deal mandates:
- Standardized Open Banking APIs across member states
- SLA (Service Level Agreement) equivalence: Third-party provider (TPP) access must meet the same standards as customer interfaces.
- Anti-obstruction rules: Banks cannot redirect or slow down TPP journeys.
- Customer dashboards: Clear, standardized interfaces for consumers to manage account permissions
- Enhanced transparency on API uptime, outages, and performance
This is a major win for Open Banking. However, it also expands the attack surface.
Key takeaway: As Open Banking grows, fraud risk will increase. This underscores the need for behavioral intelligence to effectively combat social engineering threats in Open Banking journeys.
SCA: Broader, stricter, and behavior-ready
Strong Customer Authentication (SCA) is not just here to stay. It’s expanding. The deal confirms SCA will now apply to:
- Online account access
- Remote creation or replacement of payment credentials
- Device onboarding/app activation
- Changes to transaction limits or high-risk settings
- Sensitive actions via remote channels
Two important developments in this regard:
- SCA factors must come from different categories, closing the door on repeated possession-possession or knowledge-knowledge combinations.
- Pro-consumer refinements for recurring payments and low-risk transactions to reduce friction.
Key takeaway: Behavioral intelligence is now vital for seamless, compliant Strong Customer Authentication without degrading the user experience. By their very nature, behavior-based solutions provide continuous, invisible authentication, which is ideal for protecting vulnerable users.
Greater transparency
The political agreement introduces a package of measures to address sources of consumer frustration. These include provisions that ban hidden fees for cross-border payments and a harmonized currency-conversion disclosure that should address the Dynamic Currency Conversion (DCC) trap, in which merchants or ATMs convert a payment into your home currency at a worse rate, costing you more than you’d otherwise pay.
Key takeaway: Consumers will benefit from clearer, fairer pricing as new rules enforce transparent cost displays.
Alignment with the EU’s AML Framework
The payments deal dovetails with the EU AML Regulation and the new Anti-Money Laundering Authority (AMLA). PSPs must now:
- Strengthen account and transaction monitoring.
- Detect and act on mule activity earlier.
- Share fraud-relevant intelligence more readily.
- Implement consistent, EU-wide reporting practices.
These changes are both necessary and overdue. With the Instant Payments Regulation (IPR) creating new risks for PSPs, especially in cross-border payments, real-time data sharing is more important than ever.
The shift in liability for credit transfers due to impersonation fraud makes earlier mule detection crucial.
Key takeaway: Early fraud detection, intelligence sharing, and preventing mules from receiving and sending the proceeds of crime are now top operational priorities.
A new era, not quite a New Year’s resolution
The political agreement does not end the work. 2026 will bring:
- Secondary legislation (RTS)
- National transposition where relevant
- Implementation deadlines for PSPs and platforms
- Increased supervisory expectations
The direction is set. Key takeaway: Institutions should act now in line with the agreed direction and deadlines.
For a professional New Year's resolution, consider focusing on these six areas:
- Expand fraud operations and incident-response capabilities, particularly for impersonation fraud.
- Reassess Open Banking infrastructures against new API, SLA, and transparency obligations.
- Update authentication strategies to reflect SCA’s broader scope and multi-factor requirements.
- Strengthen model governance, especially for behavioral, device, and cross-channel risk models.
- Invest in cross-ecosystem collaboration, including real-time behavioral-intelligence exchanges and consortium models aligned with the EU’s direction of travel.
Immanuel Kant famously valued principle over outcome. Were he to pen a payments directive today, he might write: “Fraud prevention must be grounded in principle, not reaction.”
As PSD3 ushers in a new era of liability, transparency, and collaboration, the principle that matters most is simple: Protecting consumers requires that PSPs understand their customers’ behavior. Relying purely on transaction monitoring will leave you exposed.