By NHI Mgmt Group Editorial Team | Published 2026-01-30 | Domain: Governance & Risk | Source: OneSpan

TL;DR: PSD3 is moving European payment rules toward bank liability for bank impersonation scams and stronger fraud prevention expectations, while also signalling that AI agents are not yet covered by current legislation, according to OneSpan's interview with ThreatFabric's Eward Driehuis. The gap is no longer theoretical: payment governance is now colliding with delegated automation, and identity controls must catch up.


At a glance

What this is: This interview examines PSD3 and PSR changes, especially fraud liability, bank impersonation scams, and the regulatory blind spot around AI agents.

Why it matters: It matters because payment, identity, and fraud teams will need to align bank accountability, customer authentication, and non-human decision paths before regulation catches up.

By the numbers: more than 75% of authorised push payment (APP) fraud originates on social media platforms or via SMS messages, according to the interview.


Context

PSD3 pushes fraud prevention beyond payment rails and into the identity and trust decisions that sit around them. The article's core problem is that fraud liability and customer protection are being reshaped faster than the controls that verify who or what is acting in a payment flow, including delegated automation and emerging AI agents.

For IAM, NHI, and fraud teams, that means the boundary between authentication, authorisation, and liability is getting thinner. The interview also makes clear that AI agents are already on the horizon as payment actors, yet current regulation does not mention them at all, let alone treat them as a governed identity type.


Key questions

Q: What breaks when payment fraud controls assume a human is always the actor?

A: Controls break when they rely on human behaviour, because delegated software or impersonation scams can move value without the same signals a person would produce. In those cases, authentication may still succeed while the actual decision-maker remains unverified. Teams need to model the real actor, not just the login event.

Q: Why do bank impersonation scams create a liability problem for identity teams?

A: They create a liability problem because the scam is built on trust abuse, not only transaction abuse. If the bank or its channel is treated as authoritative, victims may be protected while institutions still have to prove where the deception started. Identity teams therefore need evidence trails that show actor legitimacy and origin.

Q: How should organisations govern AI agents that can make payments on behalf of users?

A: They should govern those agents as separate non-human actors with their own approval, audit, and delegation boundaries. The key question is whether the agent can initiate value-moving actions independently of the human user. If it can, the payment flow needs identity controls that are designed for delegated execution, not human browsing.

Q: Who is accountable when fraud starts on social media or SMS and ends in a payment?

A: Accountability depends on the legal regime, but the operational lesson is consistent: the organisation that trusted the wrong origin signal may still be responsible for the loss. Teams should be able to show where the scam originated, what identity proof existed, and whether a stronger control could have broken the chain earlier.


Technical breakdown

Bank impersonation scams and liability allocation

PSD3 appears to narrow primary bank liability to bank impersonation scams, rather than all authorised push payment fraud. That distinction matters because liability is being tied to the type of social engineering and the fraud origin, not just the fact that money moved. The regulatory model is therefore becoming more specific about attack narrative, victim context, and who can be held responsible when trust is abused. For practitioners, this means fraud classification and identity verification controls need to support a defensible evidence trail, not just a blocked transaction.

Practical implication: align fraud case taxonomy, evidence capture, and customer verification records so impersonation claims can be tested consistently.

Why AI agents expose a payment identity gap

The interview points to AI agents as a future regulatory gap because they can carry out purchases or payments on behalf of users. Once an agent becomes the actor, human behavioural signals lose much of their value, and standard customer authentication models no longer map cleanly to the actual decision-maker. That creates an identity problem as much as a fraud problem: the system must govern delegated action, not just human login events. Existing payment rules were built for people at the point of approval, not software making runtime decisions.

Practical implication: inventory where delegated software can initiate or complete payments so those flows can be governed as separate identity paths.

Technical fraud controls still need a trust boundary

PSD3's emphasis on prevention, not just reimbursement, points toward layered controls such as strong customer authentication, behavioural checks, and fraud detection. But the interview also shows a structural limit: controls that work on a human user's behaviour are weaker when the real actor is a bank impersonator, a social media scam, or a software delegate. The technical challenge is to establish a trust boundary that survives channel hopping across SMS, social media, and payment interfaces. For identity teams, the question is not only whether authentication happened, but whether the authenticated actor is still the one making the decision.

Practical implication: map each fraud-prevention control to the actor and channel it actually protects, then close the gaps where delegation or impersonation breaks that mapping.


Threat narrative

Attacker objective: The objective is to induce a fraudulent transfer while shifting blame onto a trusted institution or channel.

  1. Entry occurs when the victim is reached through social media platforms or SMS messages, which the interview identifies as the dominant origin of authorised push payment fraud.
  2. Trust abuse follows when the fraudster impersonates a bank employee or the bank itself. No credential needs to be stolen, because the victim will be talked into authorising the payment personally.
  3. Impact is a payment the victim authorised under deception, followed by liability disputes over whether the bank, platform, or another party should refund the victim.



NHI Mgmt Group analysis

Payment fraud governance is becoming an identity problem, not only a reimbursement problem. PSD3 shifts attention from what happens after fraud to which actor was trusted, authenticated, and allowed to move value in the first place. That pushes IAM and fraud teams into the same operating model, because liability is now tied to the trust decision as much as the transaction. Practitioners should treat payment authorisation as an identity control surface.

AI agent payment delegation creates a governance gap that current PSD3 logic does not yet cover. The article explicitly notes that AI agents are not mentioned in PSD3, even though they may soon make purchases and payments on behalf of users. This is not a generic automation issue, but a delegated actor problem: the regulation assumes a human operator behind the payment event. The implication is that payment governance will need an actor model that can distinguish human intent from machine execution.

Impersonation liability exposes a named failure mode: channel trust without actor verification. The PSD3 discussion shows that fraud originating on social media or SMS can still lead to bank liability when the bank is impersonated. That is a governance assumption collapse, because the system treats channel provenance as a proxy for actor legitimacy. When the channel is trusted more than the identity behind it, fraud can move before verification catches up. Practitioners should re-examine how much trust their control stack places in origin signals.

Fraud prevention programmes will be judged on evidence, not intention. PSD3's direction implies that banks need traceable proof of what was authenticated, what was inferred, and where the scam originated. That matters because liability boundaries will be disputed in the grey area between bank impersonation, tech impersonation, and other scam types. The field will increasingly reward identity evidence chains that survive regulatory scrutiny.

Delegated payment authority: AI agents, if left outside current governance models, become a class of non-human actor that can execute value-moving actions without a matching liability framework. This is the concept PSD3 unintentionally surfaces. It is not enough to say an agent is automated; the governance question is whether the actor can initiate, complete, and obscure a payment path faster than current review cycles can see it. Practitioners should prepare for identity and fraud controls that treat delegated software as a distinct governance object.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • The 2024 ESG Report: Managing Non-Human Identities shows that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.

What this signals

With more than 75% of APP fraud originating on social media platforms or via SMS messages, the control problem is expanding beyond the payment screen and into upstream identity trust decisions. That means fraud programmes need to treat origin signals as part of identity governance, not just marketing or communications risk.

Delegated payment identity: once software can initiate or complete purchases, the organisation needs a distinct control model for non-human actors that can move value without human behavioural cues. The challenge is not simply stronger authentication, but tighter actor classification and evidence collection across the full payment path.

Teams that already struggle to account for NHIs should expect the same governance pressure in payments, where actor ambiguity can create audit and liability disputes. The 2024 ESG Report: Managing Non-Human Identities found that 72% of organisations have experienced or suspect a breach of non-human identities, a reminder that identity blind spots rarely stay confined to one domain.


For practitioners

  • Map payment flows to the real decision-maker: separate human-authored transfers, delegated software actions, and bank-initiated workflows so each has a distinct trust and liability path. That mapping should include SMS, social media, and in-app entry points where impersonation can begin. Use it to find where actor verification is still inferred rather than proven.
  • Classify impersonation cases by origin and actor: build a fraud taxonomy that distinguishes bank impersonation, tech impersonation, and other APP scam types, then preserve evidence on channel origin, customer interaction, and verification step. That makes it easier to support liability decisions when claims move into the grey area.
  • Inventory delegated payment capabilities: identify where AI agents or other software can make or complete purchases, and document whether those paths have a separate approval model, audit trail, and rollback path. Treat delegated execution as a non-human identity issue, not a user-experience feature.
  • Align fraud evidence with regulatory disputes: capture enough transaction context to show which control failed first: origin trust, identity proofing, or behavioural detection. That evidence will matter when banks seek to transfer liability to platforms or telecoms under PSD3-style rules.
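As an added example (not code from OneSpan, ThreatFabric, or the interview), the Python below sketches the actor-aware authorisation check the four steps above describe: it classifies the actor, derives a software delegate's authority only from an explicit grant rather than from the customer's login state, treats sessions entered from SMS or social-media links as untrusted origins, and records which control decided the outcome so the evidence survives a later liability dispute. All names (ActorKind, DelegationGrant, PaymentRequest, authorise_payment, run_demo), the channel labels, and the sample requests are constructed for illustration.

```python
# Added example, not code from OneSpan or ThreatFabric; all names and the
# sample requests below are constructed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

class ActorKind(Enum):
    HUMAN = "human"   # customer acting in the app or web channel
    AGENT = "agent"   # AI agent or other software acting for a customer

@dataclass(frozen=True)
class DelegationGrant:
    """Authority a customer has explicitly delegated to a software actor."""
    principal: str              # customer who delegated
    agent_id: str               # non-human identity allowed to act for them
    max_amount: int             # per-payment ceiling, minor currency units
    payee_allowlist: frozenset  # payees the agent may pay without step-up
    expires_at: datetime

@dataclass
class PaymentRequest:
    actor_kind: ActorKind
    actor_id: str
    principal: str              # account owner whose funds would move
    payee: str
    amount: int
    origin_channel: str         # "app", "agent_api", "sms_link", "social_link"
    sca_passed: bool            # strong customer authentication this session
    grant: Optional[DelegationGrant] = None

@dataclass
class Decision:
    allowed: bool
    reason: str                 # first control that decided the outcome
    evidence: dict = field(default_factory=dict)

# Session origins the interview singles out as where APP fraud usually
# starts. Origin is recorded as evidence, never treated as proof of legitimacy.
UNTRUSTED_ORIGINS = frozenset({"sms_link", "social_link"})

def authorise_payment(req: PaymentRequest, now: datetime) -> Decision:
    """Decide by the real actor and record why, for later liability disputes."""
    ev = {"actor_kind": req.actor_kind.value, "actor_id": req.actor_id,
          "principal": req.principal, "payee": req.payee, "amount": req.amount,
          "origin_channel": req.origin_channel, "sca_passed": req.sca_passed,
          "checked_at": now.isoformat()}
    # Control 1, origin trust: a session entered from an SMS or social link
    # goes to out-of-band step-up whatever actor sits behind it.
    if req.origin_channel in UNTRUSTED_ORIGINS:
        return Decision(False, "untrusted_origin_step_up", ev)
    if req.actor_kind is ActorKind.HUMAN:
        # Control 2, identity proofing: the human path still needs SCA.
        if not req.sca_passed:
            return Decision(False, "sca_required", ev)
        return Decision(True, "human_with_sca", ev)
    # Control 3, delegation scope: an agent's authority comes only from an
    # explicit grant, never from the principal's own login state.
    g = req.grant
    if g is None:
        return Decision(False, "agent_without_grant", ev)
    ev["grant"] = {"agent_id": g.agent_id, "principal": g.principal,
                   "max_amount": g.max_amount,
                   "expires_at": g.expires_at.isoformat()}
    if g.agent_id != req.actor_id or g.principal != req.principal:
        return Decision(False, "grant_actor_mismatch", ev)
    if now >= g.expires_at:
        return Decision(False, "grant_expired", ev)
    if req.amount > g.max_amount:
        return Decision(False, "amount_exceeds_grant", ev)
    if req.payee not in g.payee_allowlist:
        return Decision(False, "payee_not_in_grant", ev)
    return Decision(True, "agent_within_grant", ev)

def run_demo() -> dict:
    """Constructed requests covering each path; returns the Decision per case."""
    now = datetime(2026, 1, 30, 12, 0, tzinfo=timezone.utc)
    grant = DelegationGrant("cust-42", "agent-7", 5000,
                            frozenset({"merchant-a"}), now + timedelta(hours=1))
    cases = {
        "human_app": PaymentRequest(ActorKind.HUMAN, "cust-42", "cust-42",
                                    "merchant-a", 2000, "app", True),
        "human_from_sms": PaymentRequest(ActorKind.HUMAN, "cust-42", "cust-42",
                                         "mule-1", 2000, "sms_link", True),
        "agent_in_scope": PaymentRequest(ActorKind.AGENT, "agent-7", "cust-42",
                                         "merchant-a", 2000, "agent_api", False, grant),
        "agent_over_limit": PaymentRequest(ActorKind.AGENT, "agent-7", "cust-42",
                                           "merchant-a", 9000, "agent_api", False, grant),
        "agent_new_payee": PaymentRequest(ActorKind.AGENT, "agent-7", "cust-42",
                                          "mule-1", 100, "agent_api", False, grant),
        "agent_no_grant": PaymentRequest(ActorKind.AGENT, "agent-9", "cust-42",
                                         "merchant-a", 100, "agent_api", False),
    }
    return {name: authorise_payment(req, now) for name, req in cases.items()}
```

The design point is that the agent branch never consults the customer's authentication state: a delegate with no grant, an expired grant, or a request outside the grant's amount or payee scope is refused and handed back to the human, and every Decision carries the origin channel, the actor, the grant (if any) and the deciding control, which is the evidence chain the "align fraud evidence" step asks for.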

Key takeaways

  • PSD3 pushes fraud response into the identity layer by tying liability to how trust was established and abused.
  • The article's most important signal is that AI agents are already creating a governance gap that current payment rules do not explicitly cover.
  • Banks and payment teams should prepare evidence-rich actor models now, because liability disputes will turn on who or what actually made the decision.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-05 (access permissions, entitlements and authorisations managed under least privilege and separation of duties; the CSF 2.0 successor to CSF 1.1's PR.AC-4) | Fraud liability depends on controlling who can initiate and move value.
NIST SP 800-63 | SP 800-63B (authentication and authenticator lifecycle) | Strong authentication underpins PSD3-style fraud prevention and impersonation defence.
OWASP Non-Human Identity Top 10 | NHI3:2025 Vulnerable Third-Party NHI | Agents and other third-party software that act in a payment flow are NHIs that need lifecycle and credential governance.

Inventory non-human actors in payment flows and assign explicit ownership, revocation, and audit boundaries.


Key terms

  • Bank Impersonation Scam: A fraud pattern in which the attacker pretends to be the victim's bank or a bank employee to influence a payment decision. The control problem is not only payment security but trust validation, because the victim is being manipulated through an apparently legitimate identity channel.
  • Authorised Push Payment Fraud: A payment scam in which the victim is persuaded to authorise the transfer themselves. The transfer is technically authorised, but the decision is corrupted by deception, which makes liability, evidence, and prevention harder to separate from standard transaction controls.
  • Delegated Payment Authority: A governance model in which a non-human actor can initiate or complete a payment on behalf of a person or system. The key issue is not automation alone, but whether the actor has independent execution capability that needs separate identity, audit, and accountability controls.
  • Actor Verification: The process of proving which identity is actually making a decision or taking an action in a digital flow. In payment and fraud contexts, this goes beyond authenticating a login and asks whether the authenticated entity is the true initiator, especially when channels, bots, or agents are involved.

Deepen your knowledge

PSD3, delegated payment authority, and non-human identity governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your fraud and IAM teams are starting to model software as an actor, it is worth exploring.

This post draws on content published by OneSpan: PSD3 updates and the regulatory impact on fraud prevention. Read the original.
