
What Is PSD3? 4 Ways It Impacts Fraud Prevention

Understand the impact of PSD3 and the key changes it creates for fraud prevention specialists

The Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR) are the latest evolutions in the European Union's efforts to harmonize the payment market and enhance security measures. These new regulations bring significant changes to fraud prevention strategies, ensuring better protection for consumers and more robust mechanisms for financial institutions.

Here are the top four ways PSD3 impacts fraud prevention:

1. Mandatory Fraud Prevention Measures

PSD3 mandates that financial institutions implement stronger fraud mitigation strategies, both by requiring real-time transaction monitoring solutions to be in place and by expanding strong customer authentication (SCA) to support various mechanisms that cater to all customers, not just those using the mobile channel.

This requirement not only helps in building customer trust but also provides a competitive advantage to institutions that excel in fraud prevention. By adopting advanced fraud detection technologies and continuously updating their security protocols, banks can significantly reduce the risk of fraud and enhance the overall security of their payment systems.

The regulation also reinforces that banks must reimburse customers for unauthorized fraud unless they can prove the customer authorized the transaction or was complicit. Banks need to provide this proof within 10 business days.

2. Liability Shift for Impersonation Scams

One of the most notable changes under PSD3 is the shift in fraud liability. Banks and payment providers now bear greater responsibility for social engineering scams. This shift means that financial institutions must take more proactive measures to prevent fraud, as the burden of proof now lies with them. Consumers are better protected, as they can expect refunds for fraudulent transactions, provided they report the fraud promptly.

PSD3 introduces specific provisions for liability in cases of impersonation scams. If a victim is manipulated by a fraudster pretending to be an employee of the victim's payment service provider (PSP), the PSP must refund the victim the full amount of the fraudulent transaction, provided the victim reports the fraud promptly. This regulation aims to reduce the impact of impersonation scams and ensure that victims are compensated.

3. Expanded Data Sharing

A welcome change is the introduction of a legal basis under which PSPs can share fraud-related information with each other (while respecting GDPR).

By sharing information about fraudulent IBANs, manipulation techniques and other relevant data, financial institutions can collectively improve their fraud prevention efforts and stay ahead of emerging threats. This lays important groundwork for further collaboration across financial services and, in the future, hopefully other industries such as telcos and Big Tech too.

4. IBAN/Name Matching Verification Service

PSD3 includes a provision for an IBAN/name matching verification service, expanding it from just Instant Payments in the European Commission's 2022 proposal to cover all transfers regardless of speed or currency.

When someone initiates a transfer, their payment provider can check if the recipient's name matches their IBAN. If there's a mismatch, the sender gets notified within seconds of the discrepancy and its severity. The sender can still choose to proceed with the transfer despite any warning. This verification service must be offered at no cost.

While not foolproof against social engineering (as fraudsters might persuade victims to ignore warnings), this verification helps combat scams where criminals trick people into sending money to accounts they falsely claim belong to trusted parties. It's a valuable additional security layer, though its effectiveness depends on users properly interpreting and acting on the warnings.
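
The name check described above, as an added example (not code from FICO or from the PSD3 text): it validates the IBAN checksum, normalizes both names and grades the discrepancy. The account registry, the 0.8 threshold and the result labels are assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed registry (assumption): IBAN -> account holder name held by the payee's PSP.
ACCOUNTS = {
    "DE89370400440532013000": "Jürgen Müller",
    "GB82WEST12345698765432": "Acme Supplies Ltd",
}
CLOSE_THRESHOLD = 0.8  # assumed cut-off; the page does not define severity levels


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters, map A-Z to 10-35."""
    s = iban.replace(" ", "").upper()
    if not (s.isascii() and s.isalnum() and 15 <= len(s) <= 34):
        return False
    digits = "".join(str(int(ch, 36)) for ch in s[4:] + s[:4])
    return int(digits) % 97 == 1


def normalize(name: str) -> str:
    """Fold case, strip diacritics and punctuation, and ignore word order."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() else " " for c in stripped.casefold())
    return " ".join(sorted(cleaned.split()))


def check_payee(iban: str, entered_name: str) -> str:
    """Return the result the sender would see before confirming the transfer."""
    key = iban.replace(" ", "").upper()
    if not iban_is_valid(key):
        return "invalid_iban"
    holder = ACCOUNTS.get(key)
    if holder is None:
        return "not_possible"  # no holder data available, so no verdict
    score = SequenceMatcher(None, normalize(holder), normalize(entered_name)).ratio()
    if score == 1.0:
        return "match"
    return "close_match" if score >= CLOSE_THRESHOLD else "no_match"
```

A "close_match" result is where the warning text matters most: the sender sees a near-miss such as "Ltd" versus "Limited" and has to decide whether it is a typo or a different payee.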

Adoption of PSD3

While at the time of this article there is no set implementation timeline for PSD3, it is expected that the adoption of PSD3 will happen at some point in mid to late 2025, meaning that organizations will have an 18-month transition period to comply with PSD3 requirements once it has been formally adopted. This puts the final compliance deadline in either 2026 or early 2027.

This might still feel like a long way away, but the amount of change for some institutions means that the time to act is now.

We are already seeing many businesses across the European Union evaluating and re-assessing their current processes, solutions and fraud projects to ensure that they build PSD3 compliance into their roadmap as early as possible.

The biggest challenge PSPs will face is not whether they have a transaction monitoring solution in place, or whether they are reimbursing customers for certain scam types, but how effective and efficient these systems and processes are in detecting as much fraud as possible, with the least amount of customer friction, and without opening the floodgates to abuse of certain processes and channels.

Lessons Learned from the United Kingdom

The United Kingdom has been leading the global charge when it comes to speed of action around new regulation in this area. On October 7, 2024, the latest PSR measures focused on enhancing consumer protection came into effect. They include:

  • Consumers being reimbursed within five business days of making their claim for a Faster Payment or CHAPS transaction within the UK, with the new rules seeing over 99% of claims by volume covered
  • People being covered for up to £85,000 as standard
  • All payment firms being required to split the cost of reimbursement 50/50 between the sending and receiving PSP

While it is far too early to tell what sort of long-term effect these changes will have on effectiveness in combating scams, we can already observe a few key trends and challenges.

New Fraud Opportunities

When one door closes, another one opens in the world of fraudsters. We have already been seeing shifts in fraud as preventative measures and barriers are put up, such as migration of some scams from real-time payments to e-wallets.

On top of that, our clients have been highlighting the challenges their investigative and reimbursement teams face around false claims: scenarios such as a fraudster or an opportunist purchasing goods or services and then claiming the purchase was a scam.

Some Friction Is OK

Historically, banks had more time to investigate outbound payments before they left the bank. Certain due diligence checks and investigative tasks could be performed to mitigate risks.

Now, the speed, finality and around-the-clock nature of payments mean that there is more chance of something getting missed. Similarly, fraudsters face less risk in their activities, because a scam or fraudulent activity can be concluded quickly and the money moved on instantly.

This is evident from a recent measure deployed by the regulators in the UK, where they have introduced an exception to the rule and extended the period of time for which the financial institution can "hold" the payment to carry out necessary fraud checks. Speed is a benefit to the consumer, but slowing a payment down when fraud is suspected can be a hindrance to the fraudster.

The recent FICO Scams Survey found that 72% of UK consumers would feel positive about their bank if it proactively declined a payment that had been identified as part of a scam.

FICO survey results on scams
Source: FICO Survey 2024

The Fight Against Scams Will Take More Than Just Banks

We believe that the main intent behind the regulatory changes across the globe is to stimulate action. For now, the focus has been on banks, but we don’t expect every regulator to go as far as the UK in forcing all financial institutions to refund nearly 100% of scams.

We have already seen some of the burden of scam prevention being shifted from banks to telcos (for example, Singapore's Shared Responsibility Framework), and we expect the next target will be Big Tech (social media companies, Internet Service Providers), to stimulate action in those industries too (the UK government has already announced its plans to tackle that next).

The good news is that we are already seeing a lot of proactive collaboration between financial institutions and telcos in identifying relevant data points and building out APIs that allow PSPs to make more informed decisions at the point of transaction. Scam Signal, a collaboration between FICO and Jersey Telecom in the UK, is a great example of that.

This Will Not Be One and Done for PSD3

Given how quickly other regulators are advancing with further measures and amendments, we expect the new PSD3 and the associated PSR regulation to continue evolving over time, bringing more responsibility on financial institutions (especially around money mule profiling), allowing more data sharing opportunities for fraud prevention, and eventually addressing (most likely through separate legislation) the other industries that are part of the scam journey.

Detection + Confirmation + Intervention = Scams Prevention

PSD3 not only creates an impetus for banks to deal more effectively with fraud, it also mandates it. But scams prevention is complex and difficult to achieve. Merely identifying that a scam is likely to be happening is insufficient. Banks must leverage further data insights so that they have enough evidence to build a convincing case to intervene with the customer. After all, customers making legitimate payments do not like to have their transactions disrupted. Banks must then intervene with the customer to persuade them that it is in their best interests not to send the payment.

FICO takes a unique approach in detecting, confirming and intervening when transactions are likely to be scam payments.

  1. Detect: Advanced transaction monitoring techniques using AI and machine learning detect fraudulent activities by analyzing patterns and anomalies in transaction data.
  2. Confirm: Incorporating data from third-party providers, such as behavioral biometrics and telco data, brings in additional contextual information that can be combined with transaction data to make the decision as to the likelihood of a scam significantly more accurate.
  3. Intervene: FICO's omni-channel engagement solution allows for real-time intervention with customers across multiple channels such as SMS, email, and mobile apps. This proactive approach helps prevent money from being sent to fraudsters by alerting customers to the likelihood of a scam and tailoring messaging to be persuasive in preventing them from making the transaction.

How FICO Can Help You Stop Scams and Comply with PSD3
