Europe's New Payments Law Reassigns the Cost of Fraud

The European Union's long march toward a modern payments rulebook reached its quietest and most consequential milestone on 23 April 2026, when the Council of the EU posted the final compromise texts for the Third Payment Services Directive and the new Payment Services Regulation to its public register. There was no fanfare. There rarely is at this stage. Yet the documents, identified as ST-8222-2026-INIT for PSD3 and ST-8221-2026-INIT for the PSR, settle questions that have hung over Europe's banks, fintechs, merchants, and platforms since the European Commission first tabled the package in June 2023. Together, they redraw the lines of liability, identity verification, open data access, and supervisory authority across the world's largest single market for retail payments.

A €4.2 Billion Problem

Why does this matter beyond the small caste of payments lawyers who can recite article numbers from memory? Because the system the new rules replace is leaking money at an accelerating rate. The 2025 joint report from the European Banking Authority and the European Central Bank put EEA payment fraud losses at €4.2 billion in 2024, up from €3.5 billion the year before. Credit transfers alone accounted for €2.2 billion of that figure, a 16 percent year-on-year increase, and roughly 85 percent of those losses fell on consumers rather than on their banks.

The cause is no longer the kind of card-cloning or stolen-credential attack that strong customer authentication was designed to neutralise. It is the social engineering of human beings: authorised push payment scams, spoofed bank numbers, deepfaked voices, fake invoices, romance fraud, and impersonation calls that produce a technically valid, customer-approved transfer to a criminal's account. The legal architecture that PSD2 built, which presumes that an authenticated payment is an authorised one, has stopped reflecting how Europeans actually lose money.

One Rulebook, Two Instruments

PSD3 and the PSR are Brussels' structural answer. The most important thing to understand about the package is not any single provision but the rebuild of the framework into a hybrid two-instrument regime. PSD3 remains a directive, which means member states will transpose it into national law and which preserves their flexibility over authorisation, prudential supervision, and the merger of the e-money institution regime into a single payment institution licence. The PSR is a directly applicable regulation that fixes conduct-of-business rules in a single rulebook across all 27 member states. Customer information, transaction execution, strong customer authentication, liability, fraud prevention, and the open banking interface now sit in the regulation rather than in 27 separate transpositions. The Commission has concluded, with some justification, that PSD2's promise of a single market was undone by the fragmentation of its national implementations, and that incremental amendment is no longer sufficient.

A New Bargain on Liability

The liability shift is the part that will move balance sheets. The PSR introduces a verification-of-payee obligation for credit transfers, requiring banks to check that a beneficiary's name matches the IBAN before execution, with a refund right for the customer if the check fails. That obligation already applies in the euro area for SEPA Instant Payments under the Instant Payments Regulation, which took effect in October 2025, and the PSR now extends the principle across the broader credit-transfer rail.

More consequentially, the regulation creates a refund right for victims of so-called PSP impersonation fraud, the increasingly common scam in which a fraudster spoofs a bank's caller ID, email, or domain to manipulate a customer into authorising a transfer. Under the agreed text, the payment service provider must reimburse unless it can prove the customer acted with gross negligence or in collusion with the fraudster, and falling for a convincing spoof of a bank's verified number does not automatically meet that bar. For an industry whose lobbyists spent the past two years warning of moral hazard, this is a serious recalibration.

The other novelty is liability for large online platforms. As the European Parliament confirmed when the political deal was struck on 27 November 2025, platforms that fail to remove fraudulent content after being notified can be required to reimburse banks that have already compensated defrauded customers. René Repasi, the German Social Democrat who served as rapporteur for the regulation, framed the breakthrough this way:

"Today's deal is a win for the Parliament by establishing a liability provision for online platforms where fraud started. In certain cases, they now have to reimburse banks who have reimbursed defrauded customers." European Parliament

It is the first time EU financial regulation has formally embraced a polluter-pays logic for the digital surfaces on which scams are advertised and propagated.

Open Banking, Cash, and Transparency

On open banking, the new framework is evolutionary rather than disruptive. The PSD2 architecture of dedicated APIs, account information service providers, and payment initiation service providers survives, with sharper teeth. Account-servicing banks must justify access restrictions in documented form, third-party providers must re-authenticate users every 180 days, and consumers must be given a dashboard to monitor and revoke data permissions. These changes dovetail with the upcoming Financial Data Access regulation, which is still in trilogue and will eventually extend the open data model into insurance, investments, and pensions.

For cash users, often older citizens or those in remote areas, the package secures a right to withdraw between €100 and €150 in shops without making a purchase. Morten Løkkegaard, the Danish Renew MEP who served as rapporteur for PSD3, put the political case plainly:

"With today's deal, we have secured better access to cash for citizens across Europe. Besides ATMs, people will now be able to withdraw money in a shop without being forced to make a purchase, ensuring cash remains a genuine and convenient payment option." European Parliament

The Compliance Sprint

What the texts do not do is take effect tomorrow. After the expected European Parliament approval in May, legal-linguistic review, and publication in the Official Journal, the PSR will apply roughly 21 months later, with the verification-of-payee provisions phased in over 27 months. PSD3 transposition will run on a similar timetable. Realistic firms are planning for full effect across 2027 and into early 2028. The intervening period is not a grace window so much as a compliance sprint. The European Banking Authority is expected to produce around 40 technical standards filling in the operational detail, from API performance metrics to fraud reporting taxonomies. Existing payment institutions and e-money institutions will need to refile under the merged licence regime within 24 months of entry into force.

For the industry, the practical question is no longer what the law will say but who is ready. Banks face investment in real-time name-matching, expanded fraud monitoring, and contractual reviews of indemnities with platforms and technical service providers. Payment institutions and e-money institutions inherit a simpler licensing perimeter, improved passporting, and a clearer route into crypto-linked services where the rules touch the Markets in Crypto-Assets framework. Merchants gain a cash-handling role and stronger transparency obligations on currency conversion, including a requirement to disclose conversion costs as both a monetary amount and a percentage mark-up over the mid-market rate. Consumers gain a framework whose default assumption is that the burden of preventing modern fraud belongs to the firms that profit from modern payments.

The political theatre is essentially over. The implementation work, which is where regulations succeed or fail, has just begun.
