The EU’s new Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3) mark a decisive shift in who carries the burden for payment fraud and how payment service providers (PSPs) are expected to manage risk. These rules do more than tweak PSD2; they tighten liability, expand responsibilities and raise the bar for real-time monitoring, customer authentication and data governance.
For fraud and risk teams, the question is no longer whether they can justify investing in better controls, but how quickly they can design a technology stack that is compliant, defensible and commercially sustainable.
By combining stricter fraud obligations with measures that open up the market to more competition and data access, PSR and PSD3 create both pressure and opportunity. PSPs that treat the rules as a narrow compliance project will likely face higher losses, regulatory scrutiny and reputational damage when fraud cases hit the headlines. Those that use them as a catalyst to modernize fraud prevention can reduce chargebacks and refunds, protect customers from sophisticated scams and unlock new growth in high-risk but high-value payment flows.
Key Takeaways
- PSR and PSD3 raise the bar on fraud prevention, pushing PSPs toward real-time monitoring, stronger authentication, and better data governance.
- Liability is the headline change, including clearer refund expectations for impersonation scams and tougher standards for documenting decisions.
- Day-to-day payments checks get stricter, like name and identifier matching and the ability to freeze suspicious transfers before money leaves the account.
- To keep up, PSPs need modern, explainable fraud scoring and case management, plus a practical roadmap to close gaps over the next 6–12 months.
What PSR & PSD3 Changes for Fraud and Risk Teams
The most visible shift for fraud and risk teams is liability. Under PSR and PSD3, PSPs that fail to implement “appropriate fraud prevention mechanisms” are on the hook for customer losses, particularly where transactions are deemed unauthorized or where controls were clearly inadequate.
This includes a stronger safety net for victims of impersonation fraud: when scammers pose as bank or PSP staff and trick customers into initiating payments, PSPs are expected to refund the full amount provided the victim reports the fraud to the police and to their provider. This reverses the historic pattern where customers were often blamed for “gross negligence” when they succumbed to social engineering.
Daily operations also change around how payments are checked and monitored. PSPs must verify that the payee’s name and unique identifier (for example IBAN) match, and refuse or at least actively warn customers when there is a discrepancy. Receiving PSPs are required to be able to freeze transactions they deem suspicious, which implies robust real-time detection before funds leave the account.
Responsibility also extends beyond traditional PSPs. Large online platforms become liable to PSPs where they fail to remove fraudulent content after being notified, complementing the safeguards introduced by the Digital Services Act. This creates incentives for closer cooperation between payment teams, platform trust-and-safety teams and law enforcement to identify and shut down scam campaigns quickly. Moreover, all PSPs must participate in alternative dispute resolution mechanisms if consumers choose them, which raises expectations around documentation, evidence trails and the clarity of fraud decisions.
Why Legacy Fraud Tools Struggle Under PSR & PSD3
Legacy fraud solutions, especially those built around batch processing and static rules, struggle in the environment PSR and PSD3 create. Real-time payments and instant transfers leave no window for overnight reconciliation or manual review queues; fraud must be detected and stopped at the point of initiation. Traditional tools often depend on narrow data inputs — mainly card details and basic device information — and cannot reliably pick up the subtle behavioral cues that signal impersonation or coercion, making it much harder to meet regulators’ expectations that PSPs prevent scams, not just unauthorized card usage.
Another problem is explainability and auditability. When disputes escalate to regulators or ombudsmen under the strengthened alternative dispute resolution regime, PSPs must show how a risk decision was made at a specific moment in time. Black-box systems with opaque machine learning models, or fragmented logs scattered across multiple internal tools, make that task extremely difficult. Legacy case-management processes built on email chains and spreadsheets also struggle to handle the higher volume and complexity of PSR-era disputes.
Finally, older platforms lack the flexibility to keep pace with evolving fraud patterns and regulatory clarifications. PSR and PSD3 sit within a broader ecosystem — Digital Services Act, MiCA and upcoming technical standards — that will continue to evolve, and fraud tactics will adapt accordingly. Static rule sets that require weeks of developer time to update are poorly suited to that environment. PSPs need architectures that let fraud teams iterate quickly on models and rules, test changes safely and deploy targeted defences as soon as new threats emerge.
Building a PSR-Ready Fraud Prevention Stack
To comply with PSR and PSD3 and turn them into an advantage, PSPs need a fraud stack built for real-time, data-rich decisioning. At the base is a strong data and signal layer that consolidates device intelligence, digital footprints (email, phone, IP), behavior and transactional history from every channel where customers interact. This unified view should span onboarding, login, payment initiation, changes to payee details, withdrawals and payouts, so that suspicious patterns can be spotted early and acted on decisively.
On top of that, PSPs need a decision engine capable of evaluating each event in milliseconds, combining rules and machine learning to produce an explainable fraud score. That engine must be tightly integrated with payment gateways and orchestration platforms so it can drive concrete actions: approve, decline, step up SCA, freeze a transaction pending investigation or route to manual review. Crucially, this logic should encode PSR/PSD3 obligations such as freezing suspicious transfers, enforcing customer-set limits and logging the rationale for every risk-based decision.
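The decision flow described above, as an added sketch that is not from the original article or any vendor's product. The rule names, point values, thresholds and session signals are assumptions chosen for illustration; the actions, the payee name check, the customer-set limit and the logged rationale follow the text.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed thresholds and rule weights; the article specifies none.
FREEZE_AT, STEP_UP_AT = 70, 40

@dataclass
class Payment:
    payment_id: str
    amount: float
    payee_name: str        # name the payer typed
    registered_name: str   # name held against the IBAN by the payee's PSP
    customer_limit: float  # customer-set transfer limit
    new_payee: bool = False
    signals: dict = field(default_factory=dict)  # constructed session signals

def normalise(name: str) -> str:
    """Case, punctuation and spacing differences are not a mismatch."""
    return " ".join(name.lower().replace(".", " ").replace(",", " ").split())

def decide(p: Payment, audit_log: list) -> dict:
    hits = []  # (rule, points): the explanation behind the score
    if normalise(p.payee_name) != normalise(p.registered_name):
        hits.append(("payee_name_mismatch", 35))
    if p.new_payee and p.amount >= 1000:
        hits.append(("large_transfer_to_new_payee", 25))
    if p.signals.get("active_call"):
        hits.append(("phone_call_during_session", 30))
    if p.signals.get("new_device"):
        hits.append(("unrecognised_device", 15))
    score = min(100, sum(points for _, points in hits))

    if p.amount > p.customer_limit:
        action = "decline"
        hits.append(("customer_limit_exceeded", 0))
    elif score >= FREEZE_AT:
        action = "freeze"            # hold funds pending investigation
    elif score >= STEP_UP_AT:
        action = "step_up_sca"
    elif hits and hits[0][0] == "payee_name_mismatch":
        action = "warn"              # mismatch alone: warn the payer
    else:
        action = "approve"

    record = {"payment_id": p.payment_id, "score": score, "action": action,
              "reasons": [rule for rule, _ in hits],
              "decided_at": datetime.now(timezone.utc).isoformat()}
    audit_log.append(json.dumps(record, sort_keys=True))  # evidence trail
    return record
```

Each appended log line records the score, the action and the rules that fired at decision time, which is the evidence a dispute or regulatory review would ask for.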
Governance and analytics complete the picture. Fraud and risk teams need case-management tools that provide a clear timeline of each customer and transaction, along with the signals and rules that influenced decisions. This supports not only internal optimization, but also regulatory reviews, platform-liability disputes and alternative dispute resolution cases. Providers like SEON can act as partners in this transformation, offering API-first, real-time and modular capabilities that help PSPs integrate data enrichment, transaction monitoring and dynamic SCA orchestration into a single, PSR-aligned stack.
Practical Steps PSPs Can Take in the Next 6–12 Months
Over the next year, PSPs should start by mapping PSR and PSD3 obligations onto their current fraud capabilities. A structured gap analysis should assess readiness around impersonation-fraud refunds, name-identifier checks, SCA and TRA, suspicious-transaction freezing, dispute handling and cooperation with platforms and law enforcement. This makes it easier to prioritise initiatives that address the biggest liability exposures, such as authorized push payments, instant credit transfers and high-risk customer segments.
The next step is to modernize monitoring and data enrichment. PSPs should move away from batch reporting to continuous, real-time monitoring of transactions and customer behaviour, underpinned by device intelligence and digital footprint analysis. Integrating fraud prevention directly into payment gateways and orchestration layers ensures that payment gateway fraud detection is applied consistently across all acquirers, schemes and payment methods. In parallel, authentication journeys should be redesigned to support dynamic, risk-based SCA that reduces friction for low-risk users while applying stricter checks where risk scores are high.
Finally, PSPs should invest in governance, documentation and partnerships. Clear playbooks for impersonation fraud, refund handling and cooperation with platforms will help teams respond consistently and defensibly when cases arise. Centralized logs, strong case management and regular internal reviews will make it easier to participate in ADR processes and respond to regulatory queries. By partnering with specialist vendors to implement real-time risk scoring, transaction monitoring and SCA orchestration, PSPs can accelerate their journey to PSR readiness and turn compliance into a competitive edge rather than a cost center.








