PSD3 and PSR: Preparing for the Next Wave of Payments Regulation

With final compromise texts for PSD3 and the new Payment Services Regulation, the message for banks is simple: better customer communications are critical

The regulatory position has moved on. EU banks now have final compromise texts for PSD3 and the new Payment Services Regulation to plan against, while UK banks are already operating under live APP scam reimbursement, Confirmation of Payee and payment-delay expectations. The message for banks is simple: customer communications are becoming part of the fraud-control environment, and the time to prepare is now.

The next wave of payments regulation is no longer a distant policy debate. In the EU, PSD3 and the accompanying Payment Services Regulation (EU PSR) have moved from proposal to a much clearer implementation track. Following political agreement in November 2025, the Council of the EU published final compromise texts in April 2026. Formal adoption and Official Journal publication still need to complete, but banks now have enough visibility to move from watching the regulation to actively preparing for it.

For UK banks, the direction of travel is even more immediate. The UK Payment Systems Regulator’s APP scam reimbursement regime has been live since 7 October 2024, Confirmation of Payee is now a market-wide safeguard for Faster Payments and CHAPS, and the FCA has set out how firms should communicate with customers where payments are delayed due to suspected fraud. These UK developments are a useful signal for EU banks: fraud-related communications are becoming measurable, evidence-led controls, not just customer service messages.

For banks operating across the UK and EU, the practical challenge is clear. They must be able to show that customers received the right warning, at the right time, through the right channel, with a clear record of what was said, how the customer responded and what action followed. That is why banks should act now, before regulatory deadlines harden and delivery windows compress.

Why PSD3 and the EU PSR Matter Now

PSD2 reshaped European payments by improving security, enabling open banking and strengthening customer authentication. PSD3 and the proposed EU PSR go further. They are designed to harmonise payment conduct rules, strengthen fraud prevention, clarify liability and create a more consistent customer experience across Member States.

The structural change matters. PSD3 will continue to deal with areas such as authorisation and supervision, while the EU PSR is expected to become a directly applicable single rulebook for many customer-facing conduct, transparency, open banking, fraud prevention and payment execution requirements. This reduces the room for divergence across Member States and raises the importance of having repeatable, scalable operating controls.

The final calendar is still dependent on formal adoption and entry into force. However, the current compromise structure points to a general application window around 21 months after entry into force, with key payee-verification and related liability provisions expected around 27 months after entry into force. That may sound like time, but for banks with fragmented payment cores, multiple brands, legacy fraud systems and decentralised communications stacks, it is already an implementation planning window, not a reason to wait.

What Is Changing for Customer Communications and Warnings?

PSD3 and the EU PSR make customer communications more specific across the payment lifecycle. Banks will need to consider how they communicate around payee verification, fraud and security notifications, mobile-app activation, spending-limit changes, transaction information, impersonation fraud, complaint handling, consent and customer support.

A particularly important area is payee-name and identifier verification. The emerging EU framework expects customers to receive the relevant verification output before authorising the payment, and it creates clearer liability consequences where required verification controls are not applied correctly. This brings customer messaging much closer to payment execution and fraud decisioning.

The EU framework also strengthens the position around impersonation fraud. Where a consumer is manipulated by someone pretending to be their payment service provider, the customer journey, notification process, police reporting, reimbursement decision and complaint route all become operationally important. The communication record may become part of the evidence base if the decision is later challenged.

The UK regime reinforces the same principle. APP scam warnings cannot rely on passive or generic boilerplate if the bank later needs to evidence that it took appropriate steps. Interventions need to be relevant to the customer, the transaction and the suspected scam. Where a payment is delayed, the customer must be told what is happening, why the payment has been delayed and what action may be needed, subject to financial-crime and tipping-off constraints.

For banks, this creates six practical requirements:

  • Event-driven communications: messages triggered from payment, fraud, authentication, device and case-management events.
  • Risk-sensitive wording: content that reflects the customer, transaction, fraud signal, jurisdiction and channel.
  • Two-way engagement: customers can confirm, challenge, cancel, provide information or request support in the moment.
  • Evidence capture: clear records of message version, timestamp, channel, delivery, response and outcome.
  • Accessible alternatives: support for vulnerable, digitally excluded and non-smartphone customers.
  • Jurisdiction-specific policy logic: UK and EU rule sets aligned in architecture but tailored in timing, scope, wording and claims treatment.


Why the Cost of Waiting Is Increasing

For many banks, the hardest part will not be drafting new wording. The harder challenge is connecting payment systems, fraud decisioning, customer profiles, channel preferences, case management and audit evidence into one governed communication flow.

A bank may already have fraud alerts, servicing messages and complaint letters. But regulatory readiness requires more than message volume. It requires explainable trigger logic, controlled content, consistent routing, customer-response capture, SLA monitoring and fast retrieval of evidence. These capabilities usually span payments, fraud, operations, legal, compliance, customer experience, technology and complaints.

The financial exposure is also becoming more concrete. In the EU, the proposed framework points toward stronger refund and liability expectations for unauthorised payments, payee-verification failures and impersonation fraud. In the UK, reimbursement obligations are already live and the PSR has demonstrated that it will enforce payment-protection requirements where firms miss implementation deadlines. The cost of delay is therefore not only programme cost; it is fraud loss, remediation cost, customer harm, complaints, regulatory scrutiny and reputational impact.

What Should Banks Do Now to Prepare for PSD3 and PSR?

A practical readiness programme should start with a communications inventory. Banks should identify every customer-facing message connected to payment initiation, payee verification, authentication, fraud alerts, payment delays, refusal, reimbursement, complaints and customer support. Each message should be mapped to its trigger event, customer segment, legal entity, channel, timing requirement, owner and evidential record.

From there, banks should define a common UK/EU control framework. The objective is not simply to send more messages. The objective is to orchestrate the right action in real time and prove the full decision trail afterwards.

  • Create a UK/EU regulatory rule map for payment communications, warnings and claims.
  • Define the event taxonomy that determines when a customer must be warned, notified, delayed, refused, reimbursed or escalated.
  • Standardise message templates with approved legal wording, plain-language variants, vulnerability considerations and jurisdiction tags.
  • Implement audit capture for content version, delivery status, customer response, fraud signal and next action.
  • Monitor outcomes such as warning effectiveness, response rates, false positives, claim turnaround and vulnerable-customer treatment.
  • Test communications for comprehension, accessibility and operational resilience before the regulatory countdown tightens.

From Compliance Burden to Customer Trust

The strongest banks will not treat PSD3, the EU PSR and UK APP reimbursement purely as compliance exercises. They will use these requirements to modernise how they protect customers in real time.

Done well, a payment warning should not feel like a generic legal disclaimer. It should feel like relevant, timely and trustworthy guidance at the point of risk. A customer who is being socially engineered may not recognise the scam, but they may still respond to a clear, specific and well-timed intervention from their bank.

Better communications can reduce operational cost, improve digital resolution, protect vulnerable customers, strengthen auditability and create a more consistent customer experience. They can also help banks evidence that they acted fairly, proportionately and with appropriate care when fraud risk was identified.

The regulatory clock is now moving. EU banks should use the remaining window to build the control architecture before application dates crystallise. UK banks should use the live regime to harden operational effectiveness and evidence. For banks operating across both markets, the most efficient answer is a common communication and decisioning control plane with jurisdiction-specific rules.

How FICO Can Support Banks with PSD3 and PSR

FICO customer communication solutions are well aligned to this shift because they connect decisioning, analytics and omnichannel engagement. In a PSD3, EU PSR and UK APP fraud context, the value is not simply that a bank can send a message. It is that the bank can use intelligence to determine when to intervene, what to say, which channel to use, how to capture the customer response and how to evidence the outcome.

With FICO® Platform and FICO Omni-Channel Communications capability, banks can move from static warning templates to dynamic, decision-led interactions. Fraud signals, payment context, customer profile data and channel preferences can inform tailored messages that are delivered through digital and assisted channels. Customers can then respond in the moment, helping the bank confirm legitimate activity, stop suspected fraud, request further information or route the case to human support.

This is particularly relevant for APP scams and social engineering. The customer may be authorising the payment, but the bank may still see risk signals that require intervention. A communication strategy that is timely, personalised and two-way can help the bank protect the customer without creating unnecessary friction for genuine payments.

FICO Omni-Channel Communications capability (OCE) provides a best-in-class solution to meet these evolving requirements — blending compliance with customer engagement to protect both the institution and the consumer.

1. Real-Time, Omni-Channel Communication

FICO OCE delivers real-time, interactive intelligent messaging across SMS / RCS, voice, email, push notifications and secure in-app channels — ensuring customers receive timely, relevant alerts through their preferred method. In mobile-first markets, this flexibility is essential for meeting high expectations around speed, security, and convenience.

Beyond basic delivery, OCE enables two-way communication and can be tailored to individual customer preferences — including accessibility considerations for those with specific needs, such as visual or cognitive impairments, which further highlights the requirement for organisations to employ omni-channel strategies. This ensures compliance with PSD3’s emphasis on meaningful, consumer-specific engagement while reinforcing trust and inclusivity across the digital banking experience.

2. Contextual Authentication and Proactive Scam Intervention

FICO OCE enables financial institutions to embed real-time, interactive customer messaging directly into Strong Customer Authentication (SCA) flows and post-payment engagements — delivering tailored fraud warnings, confirmation prompts, and scam-specific interventions based on transaction type, risk indicators and customer behavior.

This contextual approach allows institutions to comply with PSD3’s more stringent SCA and fraud reimbursement requirements while preserving a seamless, low-friction user experience — essential in digitally advanced European markets. By leveraging real-time data points such as payment purpose codes, merchant details and behavioral risk signals, OCE can ingest these signals and provide scam- and fraud-specific dynamic customer dialogues that can:

  • Warn customers of potential scam tactics at the point of interaction
  • Ask targeted questions to verify payment legitimacy
  • Provide a critical pause or "second chance" to cancel or review suspicious transactions
  • Change strategy sequencing to escalate customers suspected to be at risk of APP fraud to specialised call centre queues for further guidance and support

Already embraced by several Tier 1 banks, this approach is proving instrumental in strengthening regulatory compliance and elevating customer protection. By enabling more personalised, context-aware engagement, institutions are not only reducing liability but also fostering greater trust and transparency with their customers. Notably, when deploying intelligent conversational strategies where OCE delivers a four-message scam intervention sequence, response data reveals that 50% of customers who ultimately reconsider their payment decision respond by the 2nd verification message, with an additional 17% responding after the 3rd, and another 17% after the 4th.

This reinforces that single verification messages are no longer suitable and directly supports the direction of PSD3, which encourages firms to move beyond generic warnings by adopting more persuasive messaging strategies that prompt genuine customer reflection and behavioural change.

3. Built-In Fraud Defences Designed for the PSD3/PSR Era

FICO OCE is underpinned by decades of fraud innovation, specifically engineered to close the communication security gaps that fraudsters increasingly exploit in an automated, real-time environment. As PSD3 and the PSR shift greater liability to Payment Service Providers for fraud-related losses — particularly in cases of Authorised Push Payment scams — secure, intelligent communication is no longer optional; it’s essential!

Key OCE fraud prevention capabilities include:

  • Short code + SMS/Voice carousel case matching techniques to protect against spoofing and impersonation attacks — a significant risk in digital-first markets globally.
  • SIM swap detection to flag and respond to compromised devices before fraud can occur, preventing fraudsters from controlling the customer responses.
  • Scam Signal behavioural analytics, which leverages real-time network intelligence to dynamically assess contextual risk indicators—such as detecting unusually long inbound calls coinciding with payment attempts—to uncover signs of customer coercion or scam-related activity. When elevated risk is detected, FICO OCE automatically tailors the engagement strategy in real time, seamlessly shifting channels or escalating to human intervention to safeguard the customer. UK banks deploying Scam Signal in tandem with intelligent communication orchestration are seeing industry-leading outcomes: between 30% and 40% Average Detection Rate (ADR) across both Payments and Cards, including up to a 55% reduction in false positives, and a reduction in scam-related losses exceeding 44%. This represents a genuine breakthrough in Authorised Push Payment (APP) fraud protection, combining advanced behavioural insight with intelligent customer engagement.

These advanced capabilities align directly with PSD3’s emphasis on real-time, consumer-specific fraud interventions and can be used as evidence to demonstrate the kind of secure, tailored and proactive approach regulators now expect from PSPs in mitigating APP fraud risk.

4. Comprehensive Auditability for Regulatory Assurance

FICO’s OCE maintains detailed, tamper-proof audit trails of every customer interaction — capturing timestamps, fraud risk signals, message content, delivery status, channel used and customer responses across the full engagement lifecycle. This level of traceability is critical under PSD3 and the PSR, which place greater emphasis on transparency, consent management, and accountability in customer communications.

Whether it involves authentication prompts, fraud warnings, or scam interventions, OCE provides institutions with the evidentiary framework needed to:

  • Demonstrate adherence to SCA requirements and fraud prevention protocols
  • Prove that timely, relevant communications were securely delivered and acknowledged
  • Support regulatory investigations or customer reimbursement claims with auditable records
  • Ensure consistency with data protection and consent obligations under GDPR
  • Show that all decisions are evidenced, ethical and transparent to avoid any bias or discrimination.

This not only helps financial institutions meet evolving compliance standards but also strengthens operational governance and reduces legal exposure in high-risk scenarios, such as Authorised Push Payment fraud disputes.

5. Customer-Centric Compliance

FICO Platform is built with flexibility at its core, empowering business analysts to easily expand data models and integrate new data items. This enables organisations to rapidly re-design dynamic strategy flows and tailor message content with precision and at the speed of business. Instead of relying on passive disclosures or generic warnings, OCE supports personalised, timely communications that enhance customer trust and protect brand integrity — even during high-stakes or time-critical interactions.

Real-World Insight: Lessons from the Field

Here at FICO, we see first-hand how well-executed communication strategies can significantly elevate both the customer experience and organisations' operational efficiency. Whether it is a contextual fraud warning triggered during payment execution, or a dynamic authentication prompt embedded within a mobile banking journey, the results are consistent: increased customer engagement, reduced fraud losses, and a measurable uplift in trust.

In practice, FICO OCE regularly delivers digital engagement rates exceeding 70%, with institutions adopting the full breadth of OCE capabilities now achieving up to 95% automated resolution. These results translate directly into bottom-line value: clients have reported fraud loss reductions of over 30% and a return on investment as high as 39:1, highlighting the significant opportunities available to institutions that implement the right solution and approach.

OCE is uniquely positioned to help organisations meet these evolving expectations. It brings together advanced fraud protection, omni-channel orchestration, and the ability for business analysts to tailor communication strategies — all within a single platform. This empowers institutions to present regulators with a complete, auditable view of the circumstances behind every customer decision and response whilst offering confidence to regulators that robust and adequate fraud controls were in place.

In today’s PSD3 environment — where liability is shifting and consumer expectations for seamless, secure interactions are rising — communication security can no longer be an afterthought. Tailored, real-time engagement isn’t just a value-add; it’s a strategic necessity.

Turning Regulation into a Competitive Advantage

PSD3 introduces new pressures — but also new possibilities. Financial institutions that embrace proactive, real-time customer engagement will not only meet compliance obligations but deliver better outcomes for their customers.

FICO OCE empowers European banks and PSPs to move beyond compliance — to lead with innovation, trust, and operational excellence.

Learn How FICO Omni-Channel Engagement Can Support Your PSD3 Strategy

Note: This is an update of a post from 2025.
