Alongside the Payment Services Regulation (PSR), the Payment Services Directive 3 (PSD3) is regarded as a major restructuring of the EU’s regulatory framework for payment fraud prevention. It shifts the focus toward stronger fraud prevention measures, enhanced data security, and greater consumer control over their financial data.
Fraud Prevention Under PSD3 – Key Enhancements
Since the implementation of PSD2 in 2018, the global payment fraud landscape has changed dramatically. Fraud schemes have become more sophisticated, with increasingly complex impersonation and social engineering tactics. PSD3 was introduced to address the gaps exposed under PSD2 and to strengthen fraud prevention in a more holistic way, introducing significant changes across the payment value chain.
Stronger and More Inclusive Strong Customer Authentication (SCA)
Under PSD2, multi-factor authentication was largely treated as a binary requirement—either applied or not. PSD3 goes further by requiring payment service providers to support multiple SCA methods in parallel, ensuring that elderly users, people with disabilities, or those with limited digital skills can still access payment services safely. PSD3 also allows for delegated authentication, meaning that in certain scenarios, a trusted third party may perform authentication on behalf of the bank. This improves user experience without compromising security.
Mandatory Verification of Payee (VoP)
Before a credit transfer is executed, the system must verify whether the beneficiary’s name matches the International Bank Account Number (IBAN). If a mismatch is detected, the payer must be clearly warned and given the choice to proceed or cancel the transaction. Crucially, if a payment service provider fails to issue a warning or allows the transaction to proceed despite a mismatch, it may be held legally liable. This measure directly targets misdirected payments and scam-induced transfers, which have caused significant financial losses in recent years.
Real-Time Transaction Monitoring and Fraud Detection
Instead of identifying fraud after funds have already left the account, PSD3 requires fraud monitoring mechanisms to operate in real time, before transactions are executed. These systems must analyze multiple signals simultaneously, including user behavior, device data, location, transaction history, beneficiary information, and signs of compromised authentication. As a result, financial institutions are compelled to move away from static, rule-based controls toward advanced analytics powered by AI and machine learning to detect complex and evolving fraud patterns.
Shifting Liability for Impersonation Fraud from Customers to Financial Institutions
Under PSD2, customers often had to prove they were not negligent when falling victim to fraud. PSD3 changes this approach. If a customer is deceived by fraudsters impersonating bank staff and is tricked into transferring funds, the payment service provider is required to reimburse the customer, provided the incident is reported according to proper procedures. This reflects the reality that modern social engineering scams are highly sophisticated and cannot simply be blamed on user carelessness. At the same time, it creates strong incentives for institutions to invest more seriously in fraud prevention technologies and customer education.
A Clear Legal Framework for Sharing Fraud Data
PSD3 enables payment service providers to share fraud-related data with each other without breaching GDPR. When multiple customers report fraud linked to the same beneficiary or scam method, this information can be rapidly shared across the ecosystem, enabling earlier and more effective interbank fraud detection.
Mandatory Tools for Customer-Controlled Risk Management
PSD3 requires financial institutions to provide customers with tools to actively manage their own risk. These include spending limits, time- or location-based transaction blocking, instant account freezing, and real-time fraud alerts. Such tools must be easy to find and simple to use, pushing banks to invest meaningfully in user-centric design and customer experience.
PSD3 also mandates that customers must be able to reach real human support staff—not just chatbots—especially in complex fraud cases or when dealing with vulnerable users.
Comprehensive Upgrades to Fraud Prevention Infrastructure
Payment service providers are required to upgrade their fraud prevention infrastructure end to end. This includes real-time behavioral analytics, transaction monitoring, risk management, verification of payees, impersonation fraud claims handling, and responsibility management when working with external platforms. These requirements are accelerating the shift toward Zero Trust architectures and real-time intelligence–driven fraud prevention models across banks and financial institutions.
With these changes, PSD3 does more than revise existing rules—it fundamentally reshapes how the EU addresses payment fraud. By redistributing liability, mandating real-time fraud detection, and strengthening payee verification, PSD3 establishes a robust legal framework that helps organizations reduce financial losses while offering stronger, more meaningful protection for users.
Savyint Fraud Prevention & Risk Management – PSD3 Compliance Built on Zero Trust
Built on a Zero Trust architecture, Savyint Fraud Prevention & Risk Management integrates Strong Customer Authentication (SCA), MFA and 3D Secure, AI/ML-driven fraud detection, and real-time risk management. It enhances transaction security through tokenization, Post-Quantum Cryptography (PQC), and a clear quantum-safe migration roadmap, while also meeting PSD3 requirements for TPP monitoring, Open API security, and ecosystem-wide risk control.
With a fraud-first approach, Savyint Fraud Prevention & Risk Management (FPRM) enables enterprises and financial institutions to proactively prevent fraud by combining risk management, transaction security, and effective user protection across the entire payment journey.
Connect with Savyint experts today to reduce fraud risk and strengthen regulatory compliance in the digital payments landscape.
