On June 18, the Council of the European Union outlined its approach to establishing a mandate for the Third Payment Services Directive (PSD3) – the next update to the EU’s regulatory framework overseeing financial services and electronic payments. Inevitably, this doesn't mean we've yet reached a settled position, but it marks the start of a negotiation that will result in a mandate covering both PSD3 and the companion Payment Services Regulation (PSR).
For those unfamiliar with the process, the PSR will effectively result in the operational and consumer-facing rules from PSD2 becoming binding regulations. Notably, the PSR will not encompass the licensing and supervision rules or the authorization of payment institutions (PIs) and electronic money institutions (EMIs). The logic behind this omission is that it provides more flexibility at a national level concerning authorization and supervision.
A focus on fraud
The agreement places significant focus on the need for PSD3 to facilitate stronger anti-fraud measures. Notably, the framework recognizes the need for electronic communications providers to have greater involvement in measures to prevent fraud.
The commission’s proposed PSR aims to hold payment service providers (PSPs) accountable for authorized payments made by deceived consumers, where the criminal sought to impersonate the PSP (commonly referred to as impersonation fraud). The British Parliament’s April 2024 text proposed a substantial expansion of this liability to payments resulting from “any other relevant entity of a public or private nature.” Notably, the council had not proposed any such extension of liability.
The council’s approved texts also propose extending the time limit for PSPs to refund victims of impersonation fraud from 10 to 15 business days. Addressing the time limit may signal the council's desire for PSD3 to incorporate lessons from the UK's adoption of a broader reimbursement regime. It also seeks to clarify that consumers are obliged to provide their PSP with relevant information on the events leading up to the disputed payment, as is the case in the UK.
Big tech in the crosshairs
In the context of electronic communications services providers (ECSPs), the council's amendments appear designed to capture big tech within the regulatory framework. While this aligns with the objective of the parliament’s text, the council’s amendments focus on several measures aimed at fostering cross-sectoral cooperation for the purpose of preventing and detecting fraud. In contrast, the parliament’s approach seeks to hold ECSPs liable to public service providers if they failed to remove fraudulent or illegal content upon being notified of its existence.
The council’s proposed amendments include ensuring that ECSPs are obligated to establish dedicated communication channels with PSPs, enabling them to participate in a system for effective communication and the sharing of information to counter fraud risk.
Broad reach, subtle shifts
In a move akin to those seen in the UK, which established a series of sectoral charters, the council also calls for the establishment of a voluntary code of conduct in the EU to promote prevention, enhance security, and combat payment fraud and financial scams.
While the reach of the UK’s reimbursement scheme is significantly broader, it has provided evidence that 76% of authorized push payment (APP) fraud cases originate online. The proposed scope of PSD3 excludes purchase scams that account for 30% of total losses in the UK. However, it is notable that 16% of APP fraud cases in the UK originate through telecommunications. These cases, the majority of which are captured by PSD3’s reimbursement provisions, tend to be of higher value and account for 43% of total losses in the UK.
Crypto isn’t ignored, with the council seeking to place crypto assets in scope. This means PSD3 will also focus on e‑money tokens, authorization rules covering crypto PSPs, and anti-money laundering (AML) oversight for crypto payment services.
There aren’t any real surprises in the council’s position, but there are implications for PSPs of all sizes.
A tipping point for consumer rights?
With reimbursement rates in the EU lagging behind those seen elsewhere, there is an increased focus at the national level on customer treatment. Regulators, such as the Banque de France, have signaled that PSPs need to consider whether a transaction was consented to, even when the consumer authorized it.
The council appears committed to reinforcing that the burden of proof lies with the PSP (already stipulated in PSD2 Art. 72), requiring the PSP to prove that the transaction was authenticated, recorded, and not affected by a technical fault or compromise.
In summary, the council appears determined to ensure victims of fraud are not left out in the cold due to PSPs relying on technicalities surrounding negligence and that regulators adopt a more consistent approach to consumer protection.
In the UK, we've seen the Financial Ombudsman rule against PSPs on the basis that their controls failed, resulting in liability for the consumer's losses even when the consumer has been, to some degree, negligent in the eyes of the PSP.
The view is that consumers should not be penalized for sophisticated frauds they couldn’t reasonably be expected to prevent. It is likely to gain further traction as threat actors embrace the opportunities presented by artificial intelligence, which appears poised to enhance the quality of their fraudulent schemes while also offering them the scope to automate their execution.
The risk associated with such technology also arises alongside the push for real-time payments throughout the eurozone, which provides criminals with the means to disperse their criminal gains across borders in 10 seconds or less.
Inevitably, we must ask ourselves if a perfect storm is brewing: Do the pace of technological change, the scale of data breaches, and the ingenuity of criminals mean that the provisions of PSD3 may struggle to contain, let alone reduce, fraud in the European Union?