PSR and PSD3 fraud rules: what changes for IAM teams?


(@nhi-mgmt-group)

TL;DR: PSR and PSD3 will reshape fraud prevention, liability, and strong customer authentication across European payments, with PSPs expected to add verification of payee, behavioural monitoring, fraud data sharing, and broader SCA options, according to OneSpan. The regulatory shift moves security decisions closer to transaction context, not just user authentication.

NHIMG editorial, based on content published by OneSpan: PSD3: Habemus Pactum | Compliance | Frederik Mennes

By the numbers:

  • According to Revolut’s most recent Financial Crime and Consumer Security report, about 75% of authorized fraud originates on social media platforms, such as Facebook, Instagram, WhatsApp, or Telegram.

Questions worth separating out

Q: How should financial institutions implement verification of payee without creating warning fatigue?

A: Treat verification of payee as a targeted interruption control, not a universal warning banner.

Q: Why do strong customer authentication controls still fail against authorised fraud?

A: Because authorised fraud does not usually break authentication.

Q: What do payment teams get wrong about behavioural intelligence in fraud detection?

A: They often treat behavioural intelligence as a detection add-on instead of a decision input.

Practitioner guidance

  • Rebuild payment controls around transaction integrity: Map where your current controls stop at authentication and where they should extend into payee validation, device signals, behavioural monitoring, and blocking decisions.
  • Tune verification of payee warnings for actionability: Review warning thresholds, wording, and escalation paths so the control interrupts fraud without generating so many false prompts that users stop trusting the signal.
  • Join fraud telemetry with identity telemetry: Correlate session context, device risk, and authentication outcomes so analysts can see when a transaction is legitimate in form but suspicious in intent.

What's in the full article

OneSpan's full article covers the regulatory detail this post intentionally leaves at the policy level:

  • The article breaks down how PSR changes verification of payee requirements across instant and non-instant credit transfers.
  • It explains the liability exceptions tied to PSP impersonation scams and incorrect application of fraud controls.
  • It outlines how device intelligence and behavioural intelligence are expected to feed transaction monitoring decisions.
  • It summarises the expected direction of strong customer authentication changes under the final PSR text.

👉 Read OneSpan's analysis of PSR and PSD3 fraud controls, liability, and SCA →
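An added example, not part of the NHIMG post or OneSpan's article: one way to join identity telemetry with payment telemetry so that verification of payee and behavioural signals feed the decision instead of sitting beside it. All field names, score scales, thresholds and decision labels are assumptions, and the sample records are constructed.

```python
# Constructed sample telemetry. Field names, score scales and thresholds
# are assumptions for illustration, not values from PSR/PSD3 or OneSpan.
AUTH_EVENTS = [
    {"session": "s1", "sca_passed": True, "device_known": True, "device_risk": 0.05},
    {"session": "s2", "sca_passed": True, "device_known": True, "device_risk": 0.10},
    {"session": "s3", "sca_passed": True, "device_known": False, "device_risk": 0.70},
    {"session": "s4", "sca_passed": True, "device_known": False, "device_risk": 0.60},
]
PAYMENTS = [
    {"id": "p1", "session": "s1", "vop": "match", "behaviour_anomaly": 0.1},
    {"id": "p2", "session": "s2", "vop": "close_match", "behaviour_anomaly": 0.2},
    {"id": "p3", "session": "s3", "vop": "no_match", "behaviour_anomaly": 0.8},
    {"id": "p4", "session": "s4", "vop": "match", "behaviour_anomaly": 0.9},
    {"id": "p5", "session": "s9", "vop": "match", "behaviour_anomaly": 0.1},
]
DEVICE_RISK_MAX = 0.5   # assumed threshold
ANOMALY_MAX = 0.6       # assumed threshold

def context_signals(auth, pay):
    """Risk signals that exist independently of whether SCA succeeded."""
    signals = []
    if not auth["device_known"] or auth["device_risk"] >= DEVICE_RISK_MAX:
        signals.append("device")
    if pay["behaviour_anomaly"] >= ANOMALY_MAX:
        signals.append("behaviour")
    return signals

def decide(auth, pay):
    """Return (decision, reasons) for one payment and its joined auth record."""
    if auth is None or not auth["sca_passed"]:
        return "reject", ["no_valid_sca"]
    signals = context_signals(auth, pay)
    if pay["vop"] != "match":
        reasons = ["vop_" + pay["vop"]] + signals
        # Payee mismatch corroborated by context: block instead of only warning.
        return ("hold" if signals else "warn"), reasons
    if len(signals) == 2:
        # Payee name matches, yet device and behaviour both look wrong.
        return "review", signals
    return "allow", signals

def evaluate(auth_events=AUTH_EVENTS, payments=PAYMENTS):
    """Join payments to auth telemetry by session id and decide each one."""
    by_session = {a["session"]: a for a in auth_events}
    return {p["id"]: decide(by_session.get(p["session"]), p) for p in payments}

if __name__ == "__main__":
    for pid, (decision, reasons) in evaluate().items():
        print(pid, decision, reasons)
```

Sessions s1 to s4 all pass SCA, yet the four payments end in four different decisions, which is the gap between authentication and transaction integrity that the guidance describes.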
