A Comprehensive Look at the Payment Service Regulation (PSR)

In a bid to fortify the European financial landscape against cyber threats, the European Commission has proposed a significant overhaul of the Payment Service Directive 2 (PSD2). The initiative splits PSD2 into the Payment Service Regulation (PSR) and a forthcoming Payment Service Directive 3 (PSD3).

These proposals are still pending finalization and parliamentary approval (which will probably only happen in 2026), but they are more than necessary, as there has been a notable increase in online scams in recent years. In 2022, 8% of the Dutch population fell victim to such practices.

These online scams go beyond financial implications, inflicting severe negative consequences on victims. They erode societal trust and the sense of safety, significantly affecting victims' overall well-being and their trust in both individuals and the digital society. Shockingly, 42% of these victims reported a loss of trust in society, while 22% said they felt less safe as a result of these incidents (Research on online safety and crime 2022, Central Bureau of Statistics).

Let’s take a look at what the bifurcation of the PSD2 means for the industry.

IBAN-Name Verification: A Leap Toward Safer International Banking
A commendable stride in the proposed PSR is the mandatory implementation of IBAN-Name verification for payment service providers. While this measure is already in practice in the Netherlands through SurePay, the current database limitations for foreign banks underscore the need for a more comprehensive international approach. The anticipation is that this step will enhance the safety of banking for EU consumers.

Strong Customer Authentication: Prioritizing Safety Without Exclusion
Recognizing the diversity in digital proficiency and vulnerabilities, the PSR introduces strict requirements for authenticating users, ensuring a secure banking environment for all. The emphasis is on fostering safety without compromising accessibility, even for those less digitally adept.

This means that authentication should also be possible without a smartphone. Nevertheless, it is vital to acknowledge that these measures may not entirely mitigate authorized payment fraud.

Compulsory Compensation for Victims of Bank Helpdesk Fraud
Aligned with the Dutch model, the new regulations advocate for mandatory compensation for consumers falling prey to bank helpdesk fraud. While many Dutch financial institutions already exhibit leniency in such cases, the universal implementation of this compensatory framework at the European level establishes a level playing field.

Compensating victims does little to mitigate fraud, as the number of Dutch victims continues to be alarmingly high. As a result, our recommendation is to limit reimbursements solely to unauthorized payments. To effectively tackle the issue, the emphasis should shift toward prevention, detection, and the targeted apprehension of criminals.

Addressing the Surge in Online Scams: A Call to Action
In the past few years, banks have made notable strides in thwarting criminals' attempts to breach the payment system. This success has led to a substantial decrease in unauthorized payments, such as those stemming from phishing and malware activities. Consequently, criminals have redirected their efforts toward targeting consumers directly.

Online scams hinge on social engineering, a tactic employed to manipulate and deceive individuals into transferring money. The challenge for banks lies in their limited ability to prevent such scams, given that the manipulation occurs outside the payment system where banks lack the means to detect this fraudulent activity.

Beyond the PSR: Additional Measures for a Comprehensive Approach
Recognizing the multifaceted nature of online scams, it would be valuable if Big Tech companies, social media platforms and electronic communication providers were subject to a know-your-customer (KYC) obligation. This is in line with the proposal of the NVB, the Dutch Banking Association. To counteract anonymity, all parties in this scam chain should implement two-factor authentication and verify customer identity.

In conclusion, the PSR stands as a pivotal milestone in fortifying the European financial sector against online threats. However, a comprehensive approach, encompassing additional measures and collaborative efforts, is essential for effectively thwarting the surge in online scams and safeguarding the digital realm for consumers and financial institutions alike.

Author: Peter Sitskoorn, Practice Lead Financial Economic Crime at Ordina.