EU payment fraud regulations: The expected ripple effects of PSD3/PSR for Swiss banks

The payments landscape has evolved significantly since the European Union’s (EU) revised Payment Services Directive (PSD2) came into force in 2016. Since then, several limitations in the regulations have become apparent. For example, the strict requirements for strong customer authentication conflict with customers’ desire for seamless processes, and scam payments authorised by the customer (authorised push payment fraud) had not been considered. To address these and other issues, with the aim of modernising and harmonising payments regulations, the EU is currently finalising a new legislative package.

This package comprises a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR). While the Directive has to be implemented by national legislation in each member state, the Regulation applies directly and uniformly across the EU, and will ensure stronger harmonisation. It is worth noting that the aspects relating to fraud and consumer protection are part of the Regulation (PSR), reflecting the importance of the issue. But why should Swiss banks and other payment service providers (PSPs) care about these EU regulations?

Importance for Swiss payment services providers

As EU regulation, PSD3/PSR will directly affect an EU or EEA subsidiary of a Swiss organisation providing payment services. Beyond this direct impact on subsidiaries, it is expected that the new EU regulations will also influence Swiss payment service providers (PSPs) indirectly, as Switzerland is expected to seek equivalency with the EU. The example of the previous regulation, PSD2, shows this: while it did not apply directly to Switzerland, it was nevertheless implemented by many Swiss banks and was also a driver for open banking initiatives in Switzerland.

The recent initiative by the Swiss Bankers Association, recommending measures to improve collaborative fraud prevention in the Swiss payments ecosystem, demonstrates that fraud is a major cause of concern in Swiss banking circles. It is to be expected that there will be pressure on Switzerland not to become a ‘blank spot’ in the centre of Europe with regard to fraud prevention and detection.

Impact on anti-fraud measures and consumer protection

The following are the most important measures in the proposed EU legislative package for strengthening consumer protection and enhancing security measures.

  • IBAN and payee verification: The mandatory Verification of Payee (VoP) service, which was introduced in 2022, will now cover all credit transfers within the EU and must be offered to consumers at no cost. This service alerts payers, before completion of payment, to discrepancies between the payee’s name and a unique identifier.
  • Changes to strong customer authentication (SCA): PSD2 introduced mandatory strong customer authentication, i.e. the use of multi-factor authentication. Besides its beneficial security effects, this created friction in payment systems and hindered the development of open banking solutions involving multiple parties. Under the new regulations, account providers will only need to apply SCA the first time a third-party payment provider (TPP) requests access to data. Otherwise, the onus will be on the TPP to apply SCA on their domain (e.g. app, website) at least every 180 days.
  • Enhanced consumer refund rights: Consumers will obtain enhanced refund rights, and the burden will be placed on the PSP to prove that the consumer acted fraudulently or with gross negligence. The new rules also place liability on the PSP if the consumer was manipulated by a third party. For example, consumers will be entitled to a refund for spoofing scams where fraudsters impersonate employees of PSPs.
  • Transaction monitoring: PSPs must have transaction monitoring in place to detect and prevent fraud. These systems will also inform decisions about when strong customer authentication is required.
  • Training and awareness: PSR also introduces a requirement to train employees regarding payment fraud risks and fraud trends. PSPs must also alert their customers by suitable means whenever new fraud schemes emerge.
  • Legal basis for fraud data sharing: A new legal basis allows PSPs to share fraud-related data voluntarily under multilateral agreements supported by dedicated IT platforms. This regulatory clarity encourages data-sharing programs to improve monitoring and prevention of financial crime. It is expected that there will be regulatory pressure to implement such initiatives.

The proposed changes mean an increase in the mandatory requirements for EU banks to strengthen their fraud defences, and increased pressure on financial institutions in Switzerland to do something similar.

The negotiations currently under way between different EU institutions, the so-called trilogue negotiations, are expected to be finalised by the end of 2025 or beginning of 2026. The PSR, as a direct EU regulation, is then expected to come into force after an 18-24 month transition period, while PSD3 as a Directive must be enacted in national law by each member state. During this time window, regulation in Switzerland is likely to be influenced, with direct consequences for Swiss banks and other PSPs.

Swiss PSPs should prepare now by identifying which aspects of PSD3/PSR are most likely to affect their business. They should consider their current fraud risk and consumer protection measures and assess where there might be gaps, for example in fraud detection, refund and complaint processes, and management information on payment fraud cases. Leading institutions should also consider how they can use fraud risk management as a competitive advantage by positioning themselves as secure and forward-looking in fraud prevention and consumer protection.