
How to prepare for the Payment Services Regulation requirements?


The Payment Services Regulation (PSR) and Payment Service Directive 3 (PSD3) clarify new requirements for Payment Service Providers (PSPs).


In brief:

  • PSR expands authorized push payment (APP)1 fraud liability, increasing reimbursement risk for PSPs.
  • Stricter requirements for transaction monitoring, fraud data sharing and explainable decisioning.
  • Early preparation in 2026 is critical to manage compliance and financial impacts.

The latest draft versions of the new Payment Services Regulation (PSR) and Payment Services Directive 3 (PSD3) have recently been released, providing more detailed insight into the upcoming (additional) requirements for Payment Service Providers (PSPs). The PSR and PSD3 are European regulations aimed at modernizing and strengthening payment services and at mitigating the related risks, including fraud risks. They introduce stricter requirements for PSPs and provide extra protection for consumers against fraud. Given the expected implementation date of the new regulation (end of 2027), 2026 is the best moment for PSPs to start implementing the additional PSD3/PSR requirements, beginning with an impact assessment, so that they are compliant on the implementation date.

One of the primary fraud-related objectives of the PSR is to combat APP fraud. The PSR sets a clear goal of ensuring that PSPs are better equipped to detect and prevent fraudulent activities while enhancing overall trust in payment services. The requirements in this regulation apply to the entire payment chain, which means that PSPs are not solely responsible for combating fraud. The PSR stipulates that online platforms such as electronic communications services, hosting services and large online platforms may also be held liable for damage suffered by consumers as a result of APP fraud. It should be noted, however, that the responsibility initially lies with the PSP, which can subsequently transfer this responsibility to the platforms. EY Forensic & Integrity Services performed a deep dive into the implications of the PSR requirements and organized a webinar specifically on the implications of the PSR. In addition, we drafted an impact analysis for PSPs.

Our assessment indicates that:

  1. the PSR will significantly increase the requirements concerning fraud detection and prevention for PSPs;
  2. the PSR will impact the design of the security measures, compliance protocols, and payment processes at the PSPs;
  3. as a result of the new liability provisions, the PSR is expected to lead to an increase in the number of consumer refund claims.

This article introduces the key fraud-related focus areas of the PSR and their implications for PSPs and the payment chain, followed by the additional requirements relating to transaction monitoring and fraud data sharing. It concludes with the fraud trend analysis and the staff training required by the PSR.

Liability for (Impersonation) fraud

What does change?

The PSR introduces full liability for impersonation fraud2. This means that the PSP is obligated to reimburse the victim for the losses incurred, even where the PSP has not fallen short in its fraud prevention measures.

The PSP is liable for the full amount of the losses, if two conditions are met:

  1. the consumer has notified their PSP without undue delay after becoming aware of the fraud; and
  2. the consumer has reported the fraud to the police.

The two exceptions under which it is possible to refuse a refund are where there is fraud or gross negligence on the part of the consumer. The burden of proof lies with the PSP.

What does this mean for PSPs?

We identify three key responsibilities that are closely linked to combating impersonation fraud.

  1. PSPs must implement robust technical safeguards to prevent or stop fraudulent payments.
  2. PSPs should invest in best practices that not only strengthen their security measures but also help to convincingly demonstrate to consumers when they have fallen victim to fraud.
  3. PSPs should invest in fully understanding fraud (trends) to assess the potential impact of emerging threats.

The three main responsibilities outlined above have several implications.


The PSR also sets out several specific technical measures that PSPs are required to implement. Examples are the obligation to block suspicious transactions, both incoming and outgoing; IBAN-name matching or verification of the payee; and cooling-off periods for changes to spending limits. Some Dutch banks already apply such cooling-off periods, and experience shows that these have a positive impact on fraud prevention. In addition, the PSR introduces mandatory verification of PSP licenses by social media platforms and enables the sharing of fraud-related data among PSPs.

Transaction Monitoring and fraud data sharing

What does change?

PSPs must implement transaction monitoring to support strong customer authentication and reduce fraud, and this obligation covers all PSPs in the chain. The PSR will require more advanced monitoring than PSD2, including monitoring of data such as payment account details, transaction specifics and session information that PSPs must verify for fraud prevention. The data that must be monitored also includes shared fraud data. What a PSP may monitor is limited to the data listed in the regulation. On the one hand, this protects consumers; on the other hand, it makes the legislation less future-proof, since fraud evolves and new methods may emerge that require monitoring of different types of data.

In addition to the data that must be included in transaction monitoring, risk-based factors must also be considered. Unlike the limited data, the PSR specifies a minimum set of risk factors that PSPs must consider. Examples of risk-based factors include known fraud scenarios in the provision of payment services and signs of malware infection in any sessions of the authentication procedure.

The data noted above may be shared with other PSPs when the PSP has objective and justified reasons to suspect fraudulent behavior by a payment service user. The sole purpose of this data sharing is the detection and prevention of fraud. The data that may be shared is strictly limited to the data listed in the PSR, such as the previously mentioned transaction specifics and session information. Transaction monitoring systems process substantial volumes of data, and that data must be processed with well-defined objectives and privacy safeguards. Exchanging information about fraudulent transactions requires collaboration and data-sharing agreements between PSPs to ensure compliance with the GDPR.

What does this mean for PSPs?

As a result of the additional requirements regarding monitoring and sharing, the following requirements can be identified.

  1. Requirement to implement additional tooling, or to redesign current tooling, for transaction monitoring.
  2. Requirement to be up to date on risk-based fraud factors.
  3. Requirement for close collaboration internally and within the payment chain.

Meeting the requirements for monitoring is not merely a matter of implementing more advanced tooling. The key challenge lies in developing a deeper understanding of the behavior underlying a transaction and being able to substantiate, in a transparent and consistent manner, why a transaction was or was not flagged as potentially fraudulent. PSPs must therefore ensure that monitoring outcomes are explainable and defensible, both towards customers and supervisory authorities.

In addition, the PSR explicitly requires PSPs to monitor data while taking at least a minimum set of risk‑based factors into account. This includes reviewing behavioral signals, unusual transaction patterns and customer‑specific risk characteristics. A stronger focus on these risk‑based factors supports earlier detection of fraud and enables PSPs to concentrate their efforts on transactions and customers that pose the highest risk.

The regulation also makes clear that PSPs can no longer assess suspicious behavior in isolation. Where there are objective and justified reasons to suspect fraudulent activity by a payment service user, PSPs are required to share specific types of data with other PSPs. This marks a shift towards a more collective fraud‑defense model across the payment services industry, in which collaboration and timely information exchange play a central role in preventing and mitigating fraud.
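The two points above, explainable monitoring outcomes and data sharing that is limited to the listed data, can be illustrated in code. The following is an added example, not code from the article or from EY: each risk factor is a named rule that records a reason code and a plain-language explanation, so every decision can be substantiated towards a customer or supervisor, and the record shared with other PSPs is built only from an allowlist of fields. The field names, rule weights, thresholds and the allowlist are assumptions for illustration and do not reproduce the PSR's actual data list; the sample transactions and the set of shared fraud IBANs are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds on the summed rule weights are assumptions, not values from the PSR.
BLOCK_THRESHOLD = 3
REVIEW_THRESHOLD = 1


@dataclass
class Transaction:
    txn_id: str
    payee_iban: str
    payee_name_given: str                  # name the payer typed in
    payee_name_on_account: str             # name held for that IBAN (payee verification)
    amount_eur: float
    limit_changed_hours_ago: Optional[int]  # None when the spending limit was not changed recently
    session_malware_indicator: bool        # sign of malware in the authentication session


@dataclass
class Decision:
    txn_id: str
    action: str                                  # "release", "hold_for_review" or "block"
    reasons: list = field(default_factory=list)  # (code, weight, explanation) per triggered rule


# Constructed sample of fraud data shared by other PSPs: payee IBANs under suspicion.
SHARED_FRAUD_IBANS = {"NL00BANK0000000099"}


def evaluate(txn, shared_fraud_ibans=SHARED_FRAUD_IBANS):
    """Apply each risk factor as a named rule; the reasons list is the audit trail."""
    reasons = []
    if txn.session_malware_indicator:
        reasons.append(("MALWARE_SESSION", 3, "signs of malware in the authentication session"))
    if txn.payee_iban in shared_fraud_ibans:
        reasons.append(("SHARED_FRAUD_DATA", 3, "payee IBAN reported as suspicious by another PSP"))
    if txn.payee_name_given.strip().casefold() != txn.payee_name_on_account.strip().casefold():
        reasons.append(("NAME_MISMATCH", 1, "payee name does not match the account holder"))
    # Hypothetical known fraud scenario: a large payment shortly after a spending-limit change.
    recent_limit_change = txn.limit_changed_hours_ago is not None and txn.limit_changed_hours_ago < 24
    if recent_limit_change and txn.amount_eur >= 5000:
        reasons.append(("LIMIT_CHANGE_THEN_LARGE_PAYMENT", 2,
                        "large payment within 24h of a spending-limit change"))
    score = sum(weight for _, weight, _ in reasons)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= REVIEW_THRESHOLD:
        action = "hold_for_review"
    else:
        action = "release"
    return Decision(txn.txn_id, action, reasons)


def explain(decision):
    """One human-readable line stating the outcome and every rule that contributed to it."""
    if not decision.reasons:
        return f"{decision.txn_id}: release (no risk factor triggered)"
    parts = "; ".join(f"{code}: {why}" for code, _, why in decision.reasons)
    return f"{decision.txn_id}: {decision.action} ({parts})"


# Assumed allowlist of fields that may leave the PSP; the real list is set by the PSR text.
SHAREABLE_FIELDS = ("txn_id", "payee_iban", "amount_eur")


def sharing_payload(txn, decision):
    """Record for other PSPs: only allowlisted fields plus the reason codes, and only
    when monitoring produced an objective and justified reason."""
    if not decision.reasons:
        raise ValueError("no objective and justified reason to share")
    payload = {name: getattr(txn, name) for name in SHAREABLE_FIELDS}
    payload["reason_codes"] = [code for code, _, _ in decision.reasons]
    return payload


# Constructed sample transactions.
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "NL00BANK0000000011", "J. Jansen", "J. Jansen", 120.0, None, False),
    Transaction("T2", "NL00BANK0000000099", "Webshop BV", "Webshop BV", 890.0, None, False),
    Transaction("T3", "NL00BANK0000000042", "A. de Vries", "Holding XYZ", 4000.0, 3, False),
    Transaction("T4", "NL00BANK0000000043", "A. de Vries", "Holding XYZ", 7500.0, 3, False),
]

if __name__ == "__main__":
    for sample in SAMPLE_TRANSACTIONS:
        print(explain(evaluate(sample)))
```

The point of the weights is that a single weak signal (a name mismatch) holds a payment for review rather than blocking it, while a signal from shared fraud data or a malware indicator blocks on its own; in every case the reason codes that led to the action are retained with the decision, and the same codes are what travels to other PSPs, not the raw session or customer data.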

Payment fraud risks and trends

What does change?

Under the PSR, PSPs need to create adequate customer fraud awareness and provide internal staff training for PSP representatives. Customer fraud awareness includes proactively alerting customers, through all appropriate channels and media, when new forms of payment fraud emerge. PSPs should provide customers with clear and practical guidance on how to identify fraudulent attempts and clearly warn them about the actions and precautions necessary to avoid becoming victims of fraud. In addition, customers must be clearly informed about where and how they can report fraudulent activities and quickly obtain relevant fraud-related information.

With these measures PSPs must consider the needs of their most vulnerable customers. This may be challenging as it requires a clear understanding of who the most vulnerable customers are, as well as how they can be most effectively reached. PSPs are not alone when it comes to customer awareness. The PSR also stipulates that providers of electronic communications services, as well as providers of very large online platforms and very large online search engines, share this responsibility.

In addition to raising fraud awareness among customers, the PSR emphasizes the importance of internal fraud training for personnel. To ensure effective mitigation of payment fraud risks, PSPs are required to provide personnel with at least annual training programs focused on payment fraud risks and emerging trends. These training sessions equip personnel with the necessary skills and knowledge to fulfil their responsibilities in identifying and responding to fraudulent activities.

What does this mean for PSPs?

Based on the requirements outlined above, we identify the following responsibilities.

  1. Warn customers regarding new fraud types across multiple channels.
  2. Provide clear guidance on recognizing fraud, steps to take, and where to report it.
  3. Address needs of vulnerable customers with tailored communication.
  4. Offer mandatory annual fraud‑risk training for relevant personnel.
  5. Collaborate with online platforms, online search engines and electronic communications service providers.

When designing training programs for personnel, it is important to cover several key areas to ensure employees are well-equipped to recognize and respond to payment fraud risks. We consider it as a leading practice to work with criminal journeys that incorporate modus operandi. This approach enables personnel to learn about the various stages in a criminal’s method for committing fraud, as well as the measures that can be implemented to disrupt their activities. It helps personnel identify vulnerable points in the payment process where intervention can be most effective. In addition, collaborating with online platforms to tackle fraud in an integrated manner definitely has added value.

Concluding remarks

This article has summarized the (additional) fraud prevention and detection requirements that the PSR imposes on PSPs. The PSR will be a game changer in the field of (digital) fraud prevention and detection: whereas PSD2 mainly focused on protecting customers against fraud, the PSR requires PSPs to implement adequate procedures for fraud prevention and detection.
 

Customers can claim the financial consequences of APP fraud from the PSP, and no maximum is defined for the amount that can be claimed and consequently has to be compensated by the PSP. Adequate (digital) fraud prevention and detection measures are therefore crucial, in combination with a robust claim handling process and refund mechanism.
 

Failing to prevent and detect APP fraud in the payment chain will have severe financial implications, initially for the PSPs and potentially, in the second instance, for the platforms. Not complying with the PSR requirements will result in financial implications for the PSP that directly impact the profit and loss account. In addition, under the PSR fraud prevention and detection increasingly becomes a compliance risk.
 

Considering the implications of the PSR, PSPs need to take appropriate action, including the redesign of the procedures and systems currently applied for fraud prevention and detection, the related training, and the implementation of a claim management system. Based on current insights, the PSR is expected to take effect by the end of 2027. A period of 1.5 years is relatively short for initiating and implementing the required actions, so our advice is to initiate them at (very) short notice and to comply with the additional PSR requirements as soon as possible.




Summary

The Payment Services Regulation (PSR) and Payment Service Directive 3 (PSD3) clarify new requirements for Payment Service Providers (PSPs). The regulations expand liability, tighten transaction monitoring requirements and mandate stronger collaboration and data sharing across the payment chain. PSPs are also required to improve customer fraud awareness and provide structured fraud training for staff. As implementation is expected by the end of 2027, 2026 is a critical year for PSPs to conduct impact assessments and prepare by adapting systems, processes and governance to remain compliant and manage risk.

