PSD3 is nearly here – but where is the focus on APP fraud?

The much-anticipated Payment Services Directive 3 (PSD3) is set to revolutionize Europe’s payments landscape. Designed to enhance consumer protection, bolster competition, and ensure the financial system keeps pace with technological innovation, PSD3 builds on the foundation laid by its predecessor, PSD2.

Among its key objectives is tackling fraud—a challenge that continues to plague the financial ecosystem. Yet, as PSD3’s implementation looms, a critical question arises: is it doing enough to address Authorized Push Payment (APP) fraud, one of the most pervasive and damaging forms of fraud?

The scale of APP fraud in the UK

APP fraud occurs when a scammer tricks individuals into transferring money to accounts under their control. Unlike other types of fraud, where unauthorized transactions can be refunded, APP fraud often leaves victims with limited recourse. The UK, in particular, has seen an alarming rise in APP fraud cases. According to The Payments Association, over 222,000 cases were reported in 2023 alone, with financial losses that exceeded £340 million in 2023.

Despite efforts to combat fraud, APP scams persist due to their sophisticated nature and the human element involved. Fraudsters exploit trust, urgency, and social engineering tactics, often impersonating trusted entities such as banks, government agencies, or even family members. The devastating financial and emotional impact on victims underscores the need for robust regulatory measures to tackle this issue head-on.

 PSD3’s approach to fraud

PSD3 introduces several promising measures aimed at reducing fraud. These include:

1. Enhanced Strong Customer Authentication (SCA): Building on PSD2’s requirements, PSD3 seeks to refine SCA protocols to strike a better balance between security and user convenience. The goal is to make it harder for fraudsters to exploit vulnerabilities in the authentication process.
2. Mandatory Fraud Reporting: Financial institutions will face stricter obligations to report fraud incidents and share data across borders. This aims to improve the industry’s collective response to emerging threats.
3. Improved Consumer Rights: PSD3 proposes extending liability protections for consumers in cases of fraud, ensuring greater fairness and consistency across member states.

These measures reflect a commendable effort to strengthen the financial system’s defenses. However, they may not fully address the unique challenges posed by APP fraud.

The regulatory gap: APP fraud

Unlike card fraud, which has been a primary focus of regulatory efforts, APP fraud presents distinct challenges. Its reliance on authorized transactions means that existing safeguards, such as SCA, may not be effective. While PSD3 does aim to enhance fraud detection and reporting, its provisions do not explicitly target the complexities of APP scams.

In the UK, initiatives such as the Contingent Reimbursement Model (CRM) Code have sought to address this gap. Introduced in 2019, the CRM Code outlines best practices for banks to prevent APP fraud and reimburse victims. However, the voluntary nature of the code has limited its effectiveness, with significant disparities in how banks handle claims.

The Payment Systems Regulator (PSR) recently announced mandatory reimbursement requirements for APP fraud victims, which came into force in 2024. While this is a step in the right direction, it raises questions about how PSD3 will align with such national measures. Without a harmonized EU-wide approach to APP fraud, regulatory fragmentation could hinder progress.

What more can be done?

To adequately address APP fraud, PSD3 should incorporate more targeted provisions. The following steps could strengthen its impact:

1. Standardized Reimbursement Rules: Establishing clear, EU-wide guidelines for reimbursing APP fraud victims would ensure consistency and fairness. This could be modelled on the UK’s upcoming mandatory reimbursement scheme, encouraging financial institutions across Europe to adopt similar practices.
2. Enhanced Data Sharing: PSD3’s fraud reporting requirements should be expanded to include APP fraud-specific data. A centralized database for reporting and analyzing APP scams could improve detection rates and help identify trends more quickly.
3. Public Awareness Campaigns: Regulatory efforts should be complemented by initiatives to educate consumers about APP fraud risks. Raising awareness about common scams and providing guidance on recognizing red flags could empower individuals to protect themselves.
4. Accountability for Payment Platforms: As APP fraud often involves non-bank payment providers, PSD3 should impose stricter obligations on these entities. This could include requirements to implement advanced fraud prevention tools and cooperate with banks in investigating fraudulent transactions.

A call for holistic regulation

APP fraud is a multifaceted problem that demands a coordinated response. While PSD3 represents a significant step forward in tackling financial crime, its current scope may fall short of addressing the full scale of the APP fraud crisis. Policymakers must prioritize this issue, ensuring that regulations evolve to meet the realities of an increasingly digital payments ecosystem.

The UK’s experience offers valuable lessons. Initiatives such as the CRM Code and mandatory reimbursement rules demonstrate the potential for targeted measures to make a tangible difference. However, these efforts need to be replicated and expanded across Europe to achieve meaningful progress.

As PSD3 approaches, it brings hope for a safer, more resilient financial system. Yet, its success will depend on whether it can address the most pressing fraud challenges of our time. APP fraud, with its devastating impact on victims and growing prevalence, deserves greater attention within the regulatory framework. By building on the lessons learned in the UK and fostering collaboration across borders, policymakers can ensure that PSD3 delivers on its promise to protect consumers and strengthen trust in the payments ecosystem.

The fight against fraud is far from over, but with the right focus and determination, PSD3 could be the catalyst for meaningful change.

• Read more under:
• Blog Articles
• Compliance Management