New European Payments Framework: Greater Protection Against Online Fraud and Hidden Fees

The European Union has just taken a significant step to strengthen payment security and consumer protection in an increasingly digital environment. The European Parliament and the Council have reached a political agreement on two key pieces of legislation: the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3).

The goal: a more open and competitive payments sector, with less fraud, more transparency in fees, and better access to cash, especially in rural areas.


More responsibility for banks and payment providers

One major change is that if a payment service provider (PSP), whether a bank, a fintech, a technical platform or similar, does not implement appropriate fraud prevention measures, it will have to bear the customer’s losses.

Among the reinforced obligations are:

  • Verification that beneficiary name and account number (unique identifier) match before executing a transfer.
    • If there is a discrepancy, the PSP must reject the payment order and notify the sender.
  • Mandatory use of strong customer authentication and risk assessments on payments.
  • Allowing users to set spending limits and preventative blocks to reduce the impact of potential fraud.
  • Obligation for the receiving bank to freeze suspicious transactions.

Additionally, when a scammer manages to initiate or modify an operation, it will be considered unauthorized, and the provider must refund the full amount to the customer.


Fraud through impersonation: the bank must return the money

One of the rapidly growing issues in Europe is impersonation of bank or payment service employees, where scammers call or message customers pretending to be the bank in order to get them to authorize transfers or share sensitive data.

Under the new agreement:

  • If the customer has been a victim of fraud via impersonation and
  • reports the case to the police and informs their provider,

the PSP must refund the entire defrauded amount. This marks a significant change from previous situations where users were often blamed for “authorizing” the fraudulent payment.


Online platforms and “big tech” are also on the radar

The legislation enhances the responsibility of online platforms and major search engines:

  • If a platform is notified that it hosts fraudulent content (e.g., ads for fake financial services) and does not remove it, it must compensate the payment provider that refunded the customer.
  • Financial service advertisers will need to prove to these large platforms that they are legally authorized to operate in the relevant country, or that they act on behalf of an authorized entity.

These obligations complement and strengthen what is already outlined in the Digital Services Act (DSA), adding a specific layer for the financial sector.


More transparency in fees and currency conversion

Another key aspect of the agreement concerns cost clarity:

  • The user must be informed of all fees before initiating a payment.
  • Clear information will be provided about:
    • Currency conversion costs, for international payments or transactions in other currencies.
    • Fixed fees for cash withdrawals at ATMs, even if the ATM does not belong to their bank.

The aim is to minimize “surprise” charges or unclear conditions.


Better access to cash… also in stores

Although digital payments are growing, European institutions insist that cash should remain a genuine option.

Therefore, the agreement envisions that merchants can offer cash withdrawals without requiring a purchase, under these conditions:

  • Maximum withdrawal amount: 150 €
  • Minimum amount that must be available: 100 €

This measure aims especially to protect those living in rural or remote areas, where the closure of bank branches and ATMs makes access to physical cash difficult.


Boosting “open banking” and increased competition

The PSR and PSD3 also aim to broaden market access to new entrants, particularly in open banking services:

  • They lower barriers for account information services and payment initiation (the so-called “open banking services”).
  • Banks and other account-holding entities (ASPSPs) may not discriminate against authorized providers.
  • Certain obstacles to accessing account data are explicitly prohibited.
  • Users will have a dashboard to see and manage which third parties access their data and easily revoke permissions.
  • Banks will be required to provide access to payment accounts to these entities on non-discriminatory terms.

It also requires mobile manufacturers and electronic system providers to enable other front-ends (apps, user interfaces) to store and transfer the data necessary for processing payments under fair, reasonable, and non-discriminatory conditions.


Simplified authorization and dispute resolution

The regulations also streamline the authorization processes for new payment entities, aligning capital and prudential requirements with the service type and risk level. For crypto providers already authorized under MiCA, a more agile process is anticipated, maintaining appropriate risk controls.

Furthermore, all payment service providers must:

  • Participate in alternative dispute resolution mechanisms when the consumer opts for them.
  • Ensure that users can access human support, not just chatbots or automated systems.
  • Contribute to financial and digital literacy by allocating public resources to teach citizens how to avoid fraud.

What remains to be seen?

The agreement between Parliament and the Council is a political pact. For the new rules to take effect, both institutions must:

  1. Formally approve the texts.
  2. Publish the legislation in the EU Official Journal.

After that, the timetable for transposition and implementation in member states will begin.

What is clear is the direction: less fraud, less fine print, and more competition in payments, at a time when online scams, banking digitization, and new technology entrants are changing how Europe moves its money.

via: europarl.europa.eu
