ARTICLE
16 February 2026

PSD3 And The PSR: Rewriting Fraud Liability In EU Payments Law

FFF Legal

Contributor

FFF Legal is a Malta-based law firm which provides a comprehensive range of services to the highest calibre of individuals and businesses. Its clients are sophisticated and dynamic and this is reflected in the way that the team challenges the conventional, and strives for excellence at every opportunity. The firm has a wealth of experience representing clients in a broad spectrum of specializations. Its partners, associates and consultants are all practising lawyers who work within the different practice areas.

The EU's proposed third Payment Services Directive ("PSD3"), together with the accompanying Payment Services Regulation ("PSR"), represents a fundamental shift in the legal architecture governing fraud liability in payment services.

The reforms respond to a perceived failure of the PSD2 framework to allocate risk clearly or fairly in cases of increasingly prevalent deception-based fraud, particularly social engineering and impersonation scams. From a legal standpoint, the central issue is no longer whether a payment was authorised, but who should bear the loss where authorisation has been procured by fraud.

PSD3 materially recalibrates liability by extending mandatory reimbursement rights beyond unauthorised transactions to specific categories of authorised push payment fraud. In impersonation scenarios—such as where a fraudster poses as a payment service provider employee using unlawfully appropriated identifiers—the default legal position shifts decisively in favour of the consumer.

This shift is anchored in Article 59 of the PSR, which introduces a standalone liability regime for impersonation fraud. Where a consumer is manipulated by a third party impersonating the consumer's payment service provider ("PSP") and that manipulation results in fraudulent authorised payment transactions, the consumer's PSP is required to refund the full amount, provided the fraud is reported without delay to both the competent authorities and the PSP. Reimbursement must occur within ten (10) business days unless the PSP can demonstrate reasonable grounds to suspect consumer fraud or gross negligence, in which case it must provide a reasoned refusal and direct the consumer to the applicable redress mechanisms. The burden of proof therefore rests squarely on the PSP.

This represents a marked departure from the PSD2 model, under which authorised transactions induced by deception typically fell outside mandatory refund protections. Article 59 of the PSR effectively collapses the traditional distinction between authorised and unauthorised payments in impersonation cases, replacing it with a consumer-centric loss allocation rule. The evidentiary threshold for alleging customer fault is raised materially, with liability presumptively attaching to the PSP unless fraud or gross negligence by the consumer can be established.

Article 60 of the PSR complements this framework by tightly constraining payer liability for unauthorised payment transactions more generally. Consumer exposure is capped at EUR 50 and is extinguished entirely in a wide range of circumstances, including where the loss was not detectable prior to payment, where it was caused by the acts or omissions of PSP personnel or outsourcing partners, or where strong customer authentication ("SCA") was not properly applied. Critically, where a PSP fails to require SCA, the payer bears no financial loss unless they have acted fraudulently. Compliance with authentication obligations is thus embedded directly into the liability analysis, transforming preventive duties into outcome-determinative risk allocation rules.

Article 60 also displaces losses within the payment chain. Where exemptions from SCA are applied, or where technical systems necessary to support SCA are deficient, liability is shifted between PSPs and payees through mandatory reimbursement mechanisms. Consumer protection is front-loaded, with disputes between service providers relegated to downstream recourse.

Together, Articles 59 and 60 move fraud risk decisively away from consumers and towards PSPs. They combine strict reimbursement obligations, low liability caps, and a reversed burden of proof with explicit links between regulatory compliance and financial exposure. The result is a framework in which fraud prevention is no longer merely a supervisory expectation, but a core determinant of legal liability.

The only material carve-out is contained in Article 79 of the PSR, which excludes liability in cases of abnormal and unforeseeable circumstances beyond the control of the invoking party, or where compliance is prevented by overriding legal obligations. This exception is narrowly framed and is unlikely to provide meaningful shelter in the context of routine fraud scenarios.

For PSPs, the implications are immediate and structural:

  • Expanded exposure to reimbursement claims, including in authorised impersonation fraud;
  • Increased litigation and complaints risk;
  • Heightened scrutiny of strong customer authentication, incident response, and evidentiary records; and
  • Greater operational dependence on cooperation with electronic communications service providers.

By embedding fraud prevention into the core of liability rules, PSD3 and the PSR systematically transfer risk away from consumers and onto payment service providers, signalling a significant shift in the internal market's payment services ecosystem.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
