Liability, fraud prevention, and the contentious issue of authorization in PSD3 and PSR
In a recent episode of the PSD3 and PSR podcast series, Peter Frey delved into the significant changes brought about by the new EU regulations under PSD3 and the Payment Services Regulation (PSR). One of the key guests in the conversation was Dana Wondra, Senior Manager Marketing at Payment & Banking.
Wondra, who has been part of the Payment & Banking team since August 2023, brought extensive experience in the field to the discussion. With a background in business administration from the University of Greifswald and almost two decades as marketing director at TOP Sportmarketing Berlin GmbH, she is a seasoned professional.
The conversation focused on liability and protection against fraud in the reform of the payment services directive. The EU is shifting from focusing mainly on liability for unauthorized payments to also addressing liability for fraudulent authorized payments, particularly in cases involving social engineering tactics where users are deceived into authorizing payments themselves.
The concept of an authorized payment now involves more scrutiny. Even if a payment was formally authorized (e.g., via the correct input of credentials), liability could still arise if the authorization was obtained through deceptive methods like identity fraud or sophisticated manipulation.
Payment service providers (PSPs) may thus be held liable for fraud losses even when payments were technically authorized by users, if the user was tricked into authorizing the payment under false pretenses.
The regulations introduce new requirements for fraud risk management, including enhanced training obligations for PSPs, stricter rules for customer communication, and preventive measures such as mandatory IBAN/Name checks to reduce the success of fraudulent manipulations.
The burden of proof in fraud cases will shift or at least become more complex, with PSPs needing to demonstrate that they took appropriate preventive measures and that the payment was indeed legitimately authorized without deception.
Peter Frey summarized this as a fundamental systemic approach to combating fraud risks under PSD3 and PSR, emphasizing the expanded scope of PSP liability beyond traditional unauthorized transactions, demanding proactive fraud prevention, and better consumer protection measures.
The podcast episode, which has enormous practical relevance for all market participants, also touched on social engineering, a significant issue in the new regulations with far-reaching regulatory consequences.
[1] Peter Frey explains how the EU is addressing fraud risks systematically through new training obligations, stricter customer communication requirements, and preventive measures like IBAN/Name checks.
[2] Dana Wondra has been a consultant and project manager at GOLT Coaching since June 2022.
[3] The EU aims to set new standards for fraudulent authorized payments.
[4] In certain circumstances, payment service providers could potentially be held liable for payments approved through identity theft or sophisticated deception, even if they were formally correctly authorized.