In the first two blogs in this series, I examined the missed opportunities in PSD3 around the fraud liability policies and the inconsistencies and far too limited scope for the exchange of fraud-related data. In this third and final blog, I will take a closer look at what the European Commission (EC) is proposing related to vulnerable customers. One would expect politicians to pay special attention to the vulnerable as they need extra care and protection.

The PSD3 Payment Services Regulation (PSR) hits the nail on the head in one respect, but otherwise it hardly offers anything new and is too limited. More could have been expected from this proposal, especially when we see what is happening around us, across the EU’s borders.

The good part

The good part of the PSD3 proposal covers an important point: banks and issuers must ensure that every customer can perform Strong Customer Authentication (SCA), whether they are disabled, elderly, have low digital skills, or have no access to digital channels or payment instruments. Furthermore, possession of a smartphone shall not be required, and the means provided have to cater for the specific situation of the customer. (PSR article 88)

This goes a long way, and it is absolutely spot on. It ensures that vulnerable customers can fully enjoy the digital age and have the means to authorise a transaction when paying or purchasing remotely. For example, the elderly and those with impaired vision often do not like the tiny screens on smartphones and prefer a tablet or PC, so it is essential that a bank offers this option alongside the smartphone app for the internet-savvy generations.

The surprise

The surprise is that this is about the extent of what is mentioned concerning vulnerable customers. The proposal mentions vulnerability a few more times:

  • Consumers are considered more vulnerable than businesses. PSR (39)
  • “Fraudsters often target the most vulnerable individuals of our society”, and therefore transaction monitoring is required. PSR (100)
  • Customers need to be alerted and educated about new forms of fraud, taking into account the needs of the most vulnerable groups of customers. PSR article 84(1)

These additional mentions hardly offer any substance. Education is good, but transaction monitoring, really? This is also very much needed to protect the non-vulnerable as fraudsters are way too good at their job.

A leading example from across the border

What should we have expected? To answer this, it is good to have a look across the border, to what was, until a few years ago, an EU member: the UK. There, the Payment Systems Regulator (UK PSR) published its final regulation on scams last December. As is well known, the UK PSR goes much further, with the requirement to reimburse all types of Authorised Push Payment (APP) scams. Looking at the requirements around vulnerable customers, we see two basic protections that are very applicable in the EU:

  • Gross negligence is not applicable
  • There is no excess on reimbursements up to £100

This means that if a vulnerable customer falls victim to fraud, they will be fully reimbursed even if they were warned, if it happens multiple times and/or it is reported late, provided the loss is caused by the vulnerability of that particular customer. Banks will have to determine on a case-by-case basis whether the exemption for vulnerability applies. It is interesting to note that the UK PSR and the Financial Conduct Authority (FCA) explicitly state that a consumer’s financial resilience is also a factor when assessing vulnerability. In other words, someone who suffers financial hardship as a result of a £100 fraud should also be fully compensated.

The UK PSR provides a definition of what exactly a vulnerable customer is:

“Someone who, due to their personal circumstances, is especially susceptible to harm – particularly when a firm is not acting with appropriate levels of care. PSPs (like banks) should evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability, whether temporary or enduring, led them to be defrauded, and therefore whether they meet the definition of vulnerability.”

The PSD3 proposal also lacks such a definition.

Another interesting view from the UK PSR is that some additional friction for a small proportion of payments is an acceptable price for preventing scams and achieving increased customer protection, including additional protection for those most vulnerable to becoming victims. In a world focused on frictionless payments, this is a refreshing viewpoint, albeit one more often heard in the fraud detection world.

In the UK, there has clearly been a lot of thought given to what constitutes a vulnerable customer and how they can and should be better protected. The PSD3 proposal completely lacks that depth.

What else should have been expected?

Of course, there are other areas where vulnerable customers could and should receive more attention. In line with SCA, there is the accessibility of online banking. Not everyone has a smartphone or a computer of their own, so it is important that someone can bank easily and securely from a shared computer.

There are banks that take very good care of the vulnerable, but unfortunately, this is not the case for all. It is important that the EU sets a good baseline in PSD3, and there is quite some room for improvement.


The PSD3 proposal takes vulnerable customers into account, and for SCA it does so perfectly. Unfortunately, our vulnerable fellow citizens are forgotten when it comes to fraud and its consequences, where the UK PSR sets an excellent example. The UK PSR also provides a clear definition of a vulnerable customer. Regulation on safe access to online banking could also be improved.

My summary: there is room and need for improvement.
