
On Thursday 25 morning, Parliament and Council negotiators agreed on the Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3).
René Repasi (S&D, DE), rapporteur for the regulation, said: "Consumers will benefit from new harmonized rules on the payment services regulation. Mandatory fraud preventive measures will be applied and lead to less payment fraud. Banks have to share more of the burden if they fail to do their part."
"Today’s deal is a win for the Parliament by establishing a liability provision for online platforms where fraud started. In certain cases, they now have to reimburse banks who have reimbursed defrauded customers."
Morten Løkkegaard (Renew, DK), rapporteur for the directive, said: “This deal is a significant step toward a more open and resilient single market for payments. By updating outdated rules, we ensure Europe stays competitive in a rapidly evolving financial sector.”
“With today's deal, we have secured better access to cash for citizens across Europe. Besides ATMs, people will now be able to withdraw money in a shop without being forced to make a purchase, ensuring cash remains a genuine and convenient payment option.”
If a PSP fails to implement appropriate fraud prevention mechanisms, it will be liable for covering customers’ losses. PSPs will be required to check that a payee’s name and unique identifier match. In cases of discrepancies, the PSP will have to refuse the payment order and inform the payer. PSPs will also have to ensure strong customer authentication and conduct a risk assessment.
MEPs confirmed that PSPs have to offer spending limits and blocking measures to reduce the risks of fraud.
If a fraudster initiates or changes a transaction, it will be treated as an unauthorised transaction and the PSP will be liable for the full fraudulent amount. Additionally, the receiving PSP will have to freeze any transaction it finds suspicious.
To protect customers from impersonation fraud, where a scammer pretends to be a PSP employee and tricks the customer into approving a payment, the PSP must refund the full amount as long as the customer reports the fraud to the police and informs their PSP.
Online platforms will be liable to PSPs who have reimbursed defrauded customers if they are informed of fraudulent content on their platform and fail to remove it. This builds on and adds to the protection in the Digital Services Act.
In addition, advertisers of financial services must show very large online platforms and search engines that they are legally allowed (or officially exempt) in the relevant country to offer those services, or that they are advertising on behalf of someone who is.
MEPs also ensured that users must have access to human customer support (not only chatbots) and that public resources should be devoted to educating people on how to avoid fraud.
Customers should be properly informed about all charges prior to the initiation of a payment. They should receive, for example, information about currency conversion charges or any fixed fees for cash withdrawal at automated teller machines, regardless of who operates them.
To ensure better access to cash, especially in remote and rural areas, retail stores will be able to provide cash withdrawals of a maximum of €150 but a minimum of €100, without the customer having to buy anything.
The negotiators agreed to reduce market barriers for “open banking services” (account information and payment initiation services) and to prevent account-servicing payment service providers (ASPSPs, usually banks or other financial institutions) from discriminating against them. Authorised open banking providers must be able to access payment account data, and the legislation includes a list of prohibited obstacles to data access. Furthermore, payment service users will be given a dashboard to monitor and manage the permissions they have given to access their data. Banks will have to provide payment institutions with access to payment accounts on a non-discriminatory basis.
Manufacturers of mobile devices and electronic service providers will have to allow front-end service providers (such as apps or user interfaces) to store and transfer data needed to process payments, on fair, reasonable, and non-discriminatory terms.
The negotiators also agreed to simplify the authorisation procedure for payment institutions. Authorisation should be subject to strong prudential and capital requirements, accurate own-funds calculations, reliable budget forecasts, and harmonised timelines, with initial capital scaled to the provider’s risk level and to the payment services provided. Crypto-asset service providers already authorised under the Regulation on Markets in Crypto-assets would be subject to a streamlined procedure while keeping appropriate risk controls and providing only services specified in the application.
The Parliament’s negotiators insisted on requiring all PSPs to participate in alternative dispute resolution procedures if a consumer chooses it.
The deal needs to be formally adopted by Parliament and Council before it can come into force.