June 29, 2026 · 9min read

PSD3 and the PSR: What Financial Institutions Need to Know

Ask 10 people in the industry what PSD3 and the PSR require of them on fraud and you’ll likely get 10 different answers.

PSD3, the European Union’s headline legislation, focuses primarily on the authorization, supervision, and governance of payment service providers operating across the EU. The fraud requirements, the ones that will shape risk teams, compliance functions, and payments infrastructure, live in a companion instrument called the Payment Services Regulation, or PSR.

In this article, we’ll analyze the PSD3 and PSR timelines, break down the key changes EU banks must prepare to address, and share real-world lessons from similar frameworks in the UK to help you build a proactive fraud prevention strategy for 2028. These views are based on what we know of the draft so far; however, requirements may change before the formal publication.

Key Takeaways 

  • PSD3 and the PSR are two separate instruments. PSD3 governs who can provide payment services in the EU; the PSR is where the actual fraud obligations live.
  • The regulation is to become fully applicable in 2028. 
  • Major changes include: mandatory inbound payment monitoring; a broader liability framework; device and behavioral signals as a compliance baseline; verification of payee on every transfer; and encouragement of the use of AI in fraud detection.
  • The UK has been running a similar scheme since October 2024. In the first six months, 87% of eligible losses were reimbursed, returning £66 million to victims.1 
  • The UK has proved that these operational and technical challenges can be overcome. However, this journey has been neither easy nor quick, and therefore the time to act is now.

The PSR Timeline and What Matters

The PSD3/PSR package reached its final political agreement in April 2026 and is expected to enter into force around mid-2026, with full applicability sometime in 2028.

That sounds like room to breathe. It isn’t really. The work to do, if not done already, around building inbound payment monitoring, integrating new behavioral signals into existing detection stacks, retraining operations teams, and standing up new investigation workflows takes time and will quickly make that 18 months feel tight once you account for procurement, implementation, testing, and change management.

Getting ahead of it now will mean you’re able to work proactively and methodically, as opposed to with a deadline looming.

Why PSD3 and PSR Are Being Introduced Now 

The PSR hasn’t come out of nowhere when you take the context of the last decade into account. The world of fraud has changed dramatically. Scams have become far more sophisticated, real-time payments have arrived, and AI has matured faster than anyone predicted, to name just a few examples.

While banks and financial institutions have been trying to keep pace, so has regulation. That’s the world to which the PSR is responding.

AI maturity is the perfect example. Artificial intelligence is explicitly named as something banks are encouraged to use in fraud detection. Not simply AI, but AI and the continuous evolution of detection mechanisms to keep up with the changing nature of fraud.

If your detection systems still rely primarily on fixed rules, the regulation is pointing directly at that gap.

5 Things PSR Changes for EU Banks

When it comes to fraud prevention, the PSR does not introduce minor updates. Its changes represent a fundamental shift in how financial institutions must manage fraud. Understanding these pillars is essential for organizations to redefine their operational roadmaps between now and 2028.

1. Real-Time Payment Monitoring Will Apply to Incoming and Outgoing Payments 

Traditional fraud detection has always watched outgoing transactions. The PSR requires real-time monitoring of incoming payments too. Where there are clear signs of fraud, the receiving institution must block the transaction and return the stolen funds. What “clear” means is yet to be further defined.

This is the regulation’s direct strike against money mule networks, the accounts used to move stolen funds. For many financial institutions, this inbound monitoring requirement could entail building a whole new process, not just upgrading or changing existing infrastructure. 

For fraud and risk operations teams, this is potentially the most operationally complex change in the PSR package. The regulation creates new investigation workflows on the receiving side, not just the sending side, and these require resourcing, tooling, and triage processes that many institutions haven’t thought about before. This strategy has become standard practice in the UK. Regardless of whether an incoming payment is blocked, institutions find it beneficial to link inbound and outbound flows. This allows them to respond rapidly if an account is flagged as fraudulent, effectively stopping funds from being transferred further.

2. Fraud Liability is Wider Than Most People Assume

There’s a misconception that only bank-impersonation scams (where a criminal poses as the customer’s bank) can trigger mandatory refunds. However, the PSR’s liability framework is broader than that. Some points to note are: 

  • Non-compliance with real-time transaction monitoring (TM) mandates: If either the sending or receiving PSP fails to perform necessary TM, they may be held liable for refunding financial losses to the customer. Crucially, the PSP carries the burden of proof, requiring them to demonstrate effective outbound monitoring and obtain evidence of TM compliance from the receiving institution.
  • Incorrect payee name checks that lead to a misdirected payment
  • Unauthorized transactions
  • Bank impersonation scams 

This means that completing strong customer authentication is insufficient to serve as evidence of customer negligence. The burden of proof has moved firmly to the financial institution.

What does this mean for compliance teams? Liability exposure needs to be reassessed across the full payment journey, not just the authentication layer. Banks must establish transparent procedures to document that transaction monitoring has occurred, alongside a robust framework that classifies “sufficient transaction monitoring” in alignment with the institution’s specific risk profile.

3. Device and Behavioral Signals Become Baseline Requirements

Profiling device data, session signals, and behavioral patterns is no longer an optional enrichment layer. The PSR recommends that this intelligence be fused with transaction data and not assessed separately.

The logic for this is sound. You can only make the right decisions when you have the full picture. From a Feedzai perspective, it’s clear that using these data points yields huge uplifts in fraud detection. For example, an active call coupled with a new beneficiary setup and a subsequent payment is much more indicative of a customer being socially engineered than the transaction data alone.

Fraud product and technology teams, take note. If your detection stack assesses behavioral and transactional intelligence in separate systems rather than as unified inputs, the PSR will expose that gap.

4. Verification of Payee Applies to Every Credit Transfer

A name-and-account check, free to the end customer, must take place before a payment executes, and there’s clear liability attached to getting it wrong.

The important nuance here: a failed Verification of Payee (VoP) check cannot be the sole reason to block a payment. It has to feed a broader risk decision. The check is an input to a risk assessment, not a verdict in itself.

5. AI Could Become an Expected Part of Fraud Detection 

Recital 103 of the PSR acknowledges the role of AI and advanced analytical techniques in fraud prevention.

The PSR’s requirements around real-time monitoring, behavioral signals, and adaptive detection can be difficult to meet with static detection rules that humans have to manually update. For institutions still operating that way, the PSR gives compliance and risk teams the regulatory backing to finally make the case for modernizing. The use of AI and machine learning for fraud prevention in payments has emerged as one of the most effective and well-established applications of this technology.

Additional PSD3 and PSR Obligations Banks Should Anticipate 

Layered alongside the headline changes are formalized requirements that will touch more of the organization than most teams currently realize. This includes mandatory annual fraud awareness training for staff, proactive scam alerts to customers before high-risk payments execute, and detailed fraud data reporting to regulators. 

Together, these requirements push institutions toward a continuous fraud management framework as opposed to a set of fixes that get revisited periodically at audit time.

What the UK Already Learned and Why It Matters for the EU’s PSD3 and PSR Planning

PSD3 represents the most valuable planning input EU banks have right now. It’s a similar framework to the UK’s reimbursement mandate that’s already live, with operational data behind it.

The UK introduced mandatory APP (authorized push payment) scam reimbursement in October 2024. Under the scheme, liability is split 50/50 between the sending and receiving institution.

According to the PSR’s dashboard, in the 15 months since the scheme launched (through December 2025), 89% of eligible APP scam losses were reimbursed, returning £243 million to victims.2 

For context, UK Finance reported a 65% reimbursement rate on personal accounts in 2024, before mandatory reimbursement existed. Consumers filed around 352,000 claims over the period, with 243,000 in scope for reimbursement. Of those, 82% were closed within five business days and 98% within 35. 

The behavioral shifts that followed are as instructive as the headline numbers.

  • The liability split restructured org charts. Shared responsibility on the receiving side created a direct financial incentive to invest in anti-mule capability. Dedicated roles appeared in institutions that had never had them before.
  • Claims adapted to maximize eligibility. Because the scheme was widely publicized, customers became incentivized to frame losses in whichever way gave them the best chance of a full refund. Banks that hadn’t built sophisticated claims-assessment processes found themselves exposed in ways they hadn’t anticipated.
  • Scam patterns migrated. Confirmation of Payee (CoP) (the UK’s equivalent of the PSR’s VoP requirement) drove bank-impersonation and “safe account” scams to record lows. According to the UK Finance Annual Fraud Report 2026, impersonation fraud fell 18% as these vectors became unviable.3 
  • External intelligence became table stakes. Banks rapidly layered in device intelligence and behavioral biometrics to identify high-risk receiving accounts that transaction data alone couldn’t detect.

All this is great news for EU institutions. The UK playbook is a concrete, replicable planning input that’s real-world tested. The dynamics that played out across UK banks will likely play out in other markets, meaning the institutions that use the UK’s experience as a planning blueprint now will be in a materially stronger position in 2028.

A Realistic View on Fraud Intelligence Sharing

While the PSR creates a framework for institutions to share fraud intelligence across sectors, a genuinely exciting step in the right direction, there is a reality check on this.  

For example, in theory it means banks have the ability to share information with the likes of telecom operators. This can help to flag fraudulent phone numbers used in scams and give another layer of defence. 

However, in practice there are three constraints that limit this data sharing. 

  1. Confirmed fraud takes time to verify, meaning identifiers like IBANs and phone numbers are often stale by the time they’re safe to share. 
  2. Errors in shared intelligence can wrongly flag unrelated customers. 
  3. Without a mandate for a central platform, the realistic outcome can be bilateral arrangements that are difficult to integrate and maintain at scale.

Data sharing is one method, but it will not solve the problem. Intelligence sharing needs to become more dynamic, evolving beyond the exchange of simple identifiers.

What Do PSD3 and the PSR Mean for Your Fraud Prevention Strategy?

The institutions that navigate these changes successfully won’t necessarily be the ones with the largest budgets. They’ll be the ones that treat the PSR as a strategic architecture conversation rather than something to add to the compliance checklist.

  • For fraud and risk teams, the regulation creates a mandate to consolidate: inbound and outbound monitoring running on a single platform, behavioral and transactional signals fused rather than siloed, and investigation capacity designed for a world where the receiving side carries as much liability as the sending side.
  • For compliance teams, the shift in the burden of proof, away from authentication as a proxy for customer negligence, means existing policies need revisiting well before 2028.
  • For payments and product teams, the VoP requirement and the expectation of real-time monitoring across both payment flows will have integration implications that need to be scoped now if they’re going to land on time.

The underlying question the PSR forces every institution to answer is whether this moment gets used to build something better, or whether just enough gets bolted onto existing systems to pass the initial bar. The institutions that choose the former will be building infrastructure that can absorb whatever comes after 2028. The ones that choose the latter will find the bar keeps moving.

Frequently Asked Questions About PSD3 and PSR

What is the difference between PSD3 and the PSR?

PSD3 (the Third Payment Services Directive) governs who is authorized to provide payment services across the EU. The Payment Services Regulation (PSR) is a companion instrument that governs how those services must be provided and is where the fraud prevention and reimbursement obligations live. The two are often conflated, but the operational requirements most institutions need to plan for are in the PSR.

When does the PSR come into force?

The regulation is expected to enter into force around mid-2026, with full applicability from roughly 2028.

Which institutions does the PSR apply to?

The PSR applies to payment service providers operating in the EU, including banks, electronic money institutions, and payment institutions offering credit transfer services. The scope covers both sending and receiving institutions. This is a significant shift from prior frameworks that placed most obligations on the sending side.

What does the PSR require on fraud reimbursement?

The PSR creates a liability framework that covers unauthorized transactions, banking impersonation scams, incorrect payee name checks, and failures to perform mandatory real-time monitoring, among others. Liability may be shared between the sending and receiving institution depending on where the failure occurred. Crucially, strong customer authentication does not serve as evidence that the customer was negligent. The burden of proof now firmly sits with the institution.

What does Verification of Payee mean under the PSR?

Verification of Payee (VoP) requires institutions to perform a name-and-account check before executing a credit transfer, at no cost to the customer. If the check returns a mismatch, the institution cannot use that as the sole reason to block the payment but must feed it into a broader risk decision. Liability attaches where institutions get the check wrong or fail to act appropriately.

What does the PSR say about AI?

Recital 103 of the PSR acknowledges the role of AI and advanced analytical techniques in fraud prevention. AI being positively named in a major EU payments regulation reflects an expectation that institutions are using modern, adaptive detection capabilities rather than static rule sets.

What is the difference between the PSR in the EU and the PSR in the UK?

The EU’s PSR is a legislative rulebook establishing fraud, liability, and operational conduct rules across member states, featuring uncapped liability for banks. Conversely, the UK’s PSR acts as a supervisory body, not legislation; it focuses on scam reimbursement and limits bank exposure, distinct from the EU’s direct liability framework for institutional defense failures.

Footnotes

1 https://uk.finance.yahoo.com/news/66m-returned-app-scam-victims-142051738.html

2 https://www.psr.org.uk/information-for-consumers/app-scams-reimbursement-dashboard/

3 https://www.ukfinance.org.uk/system/files/2026-06/UK%20Finance%20Fraud%20Report%202026.pdf

Page printed on June 29, 2026. Please see https://www.feedzai.com/blog/psd3-psr-regulations for the latest version.