Who will the burden of financial fraud fall on? Regulations on the threshold of the revolution

Victims of fraud should be protected: no financial market participant questions this principle. Legal regulations decide how far that protection reaches and who bears the consequences of successful criminal attacks. The discussion on changes to EU law shows how much controversy the details written into individual provisions arouse.


PSD2, the EU directive on payment services, is about to celebrate its tenth birthday. It brought several novelties important for the market, including the sanctioning of open banking services. Among its key purposes, however, were increasing the security of transactions and impeding the actions of criminals. Exactly 6 years ago, changes resulting from the EU regulation entered into force in the Act on payment services.

The new requirement of strong authentication (SCA) for many operations forced a change of habits, but put a stop to the least sophisticated phishing scams. At the same time, the limit of consumer liability for unauthorized payment transactions was reduced, strengthening protection in the event of e.g. theft. The time allowed for responding to complaints was also shortened.

In a review of the effects of PSD2 published in 2022, the European Commission drew attention to the “aging” of the regulations. One of the factors that required a reaction was the evolution of fraud aimed at consumers. The document points, among other things, to the growing importance of social engineering attacks. The scope of consumer protection should be increased: that was the conclusion of the study.

At the end of June 2023, the first outline of the new regulations, referred to as PSD3, was published. It included both a revised directive focusing on the functioning of payment service providers and the PSR (Payment Services Regulation), which is more technical in nature. In June 2025, we saw a new version of the document, accepted by the EU Council.

The proposals included many new measures aimed at the fraud epidemic. Some of them apply to processes taking place “in the background”, invisible to payers. Payment institutions are obliged to exchange information on threats, and are also allowed to play the role of so-called “trusted flaggers”, i.e. entities that report financial fraud to internet platforms, hosting providers and other intermediaries. Under the regulations (including the DSA, Digital Services Act), such reports from trusted players are to be treated as a priority. There were also elements particularly important for consumers who fall victim to criminal practices.

Manipulated payer covered by extended protection

The proposed version of the regulation refers to a specific scenario, so-called impersonation fraud. These are situations in which the payer is manipulated by criminals pretending to be a payment service provider. The proposal refers broadly to a “third party pretending to be a payment service provider through communication channels assigned to this provider.” It would therefore cover not only impersonating an employee, but also impersonating an internet banking service.

If the effect of such persuasion is a transaction (as in the “bank employee” fraud), the company would be required to return the funds to the client within 15 business days. However, extended protection depends on several conditions: the client, having realized that he had fallen victim to fraud, immediately informed the payment service provider, provided all relevant information he may have about the incident, and reported the case to the police.

Payment service providers retain the option of refusing to return the funds, but there must be solid grounds for suspecting an attempt to mislead or “gross negligence”. In that case the consumer should also receive a justification along with information about the options for further pursuing his rights.

Ireland proposes – let the platforms sink fraudsters

During the work on the new package, the problem of fraud based on impersonating trusted institutions turned out to be one of the points generating the most controversy. There have been proposals for extended protection to cover a wider category of spoofing, not only of payment service providers, and for internet platforms that display criminals' ads to take financial responsibility for consumer losses.

In May 2025, Ireland submitted a proposed amendment that would force large platforms to verify whether an advertiser is a licensed financial institution. Fraud based on impersonating a well-known provider usually starts on social networking sites or in search engines. It is there that potential victims usually come across the criminals' “offers”.

The European Commission pointed out that such a requirement would conflict with the ban on broad monitoring of content on platforms provided for in the DSA. A way out of the stalemate, on the other hand, could be strengthening data exchange between Big Tech and the financial sector.

It is worth emphasizing that Ireland's initiative is part of a wider plan outlined by the central bank. It includes creating a database of known frauds shared by mass service providers, banks and payment institutions, as well as launching an SMS filtering mechanism.

Unauthorized transaction with a new look

One of the points on the map of disputes between consumers and banks in Poland is the issue of so-called unauthorized payment transactions. The definition contained in PSD2 has not been uniformly transposed into the law of individual member states. In the new version of the PSR draft, a passage has been added that refers to this matter.

“A payment transaction is not considered authorized if the transaction has been initiated or changed by a third party acting without the consent of the user of payment services, including by using personal data authenticating the user of payment services obtained in a manner bearing the signs of fraud” – this is how the new piece of the legal “puzzle” reads in translation.

In addition, the grounds for recognizing a transaction as authorized when the payer questions the circumstances of its order have been clarified. “(…) The fact that the payment transaction has been authenticated, including, in appropriate cases, with strong customer authentication, correctly recorded, entered in the accounts and not affected by a technical failure or other deficiency of the service provided, does not in itself have to be sufficient to prove that the payment transaction was authorized by the payer or that the payer acted dishonestly or failed, intentionally or as a result of gross negligence, to fulfil at least one of the duties (…)”.

The wording of these passages in their current form can be read as strengthening payers' position. For payment service providers, however, it means that it will be necessary to collect additional information about the circumstances of transactions that can support a claim of possible responsibility or co-responsibility of the user.

The protective period is to protect against fraud

The PSR draft provides a new mechanism that slows down criminals who break into a payment account. The framework agreement should include information about the maximum transaction amount for each payment instrument. The new wording of the PSR indicates that the user will be able to change these limits himself, and when the change is ordered remotely (e.g. in mobile banking), strong authentication will be required.

A change of limits made remotely, however, will be subject to a “protective period”. It will take effect after a minimum of 4 hours and a maximum of 12 hours after the order. It will, however, be possible to opt out of this mechanism, which is intended to protect the payer against the consequences of fraud. This, too, will require strong authentication or a personal visit to a branch. Importantly, such a change will also be covered by the delay currently applicable. Similar rules are expected to apply to activating a mobile application that allows the payment account to be managed.

What will the fate of the projects be?

The next stage of work on the “PSD plus PSR” package is the so-called trilogue, i.e. three-way negotiations between the European Commission, the European Parliament and the EU Council. The final text of the laws may be finalized in 2025. Allowing for possible delays along the way, the PSR rules will probably come into force in the second half of 2026. It can be expected that the issues of strengthening consumer protection and preventing fraud will be discussed particularly intensively if the package is to become an “anti-fraud constitution” for the coming years.

Scamming Out! 2.0

Bankier.pl and “Puls Biznesu” have for the second time launched Scamming Out!, an information and educational campaign aimed at increasing the interest of society and decision-makers in the growing scale of the threat from cyber fraud. We invite you to follow the campaign on both websites and on the website dedicated to our campaign: scammingout.pl

Source: Bankier.pl

Ashley Davis
