PSD3 is coming: But what about APP fraud?

Roger Alexander, Board Advisor at Chargebacks911, says that while PSD3 is coming, we can’t forget about APP fraud

The upcoming Payment Services Directive (PSD3) is poised to introduce sweeping changes across the payment industry in Europe. Intended to strengthen consumer protection, enhance competition, and ensure regulation keeps pace with innovation, it builds on the foundations of its predecessor, PSD2.

A key focus for the directive is combating fraud, which has become a persistent nightmare for financial services. However, as its rollout nears, one question lingers: is PSD3 equipped to tackle the growing issue of Authorised Push Payment (APP) fraud?

The impact of APP fraud on UK consumers

APP fraud happens when individuals are manipulated into willingly transferring funds to accounts controlled by fraudsters. Unlike unauthorised transactions, these payments are made by the victim under false pretences, often leaving them with few alternatives.

Despite targeted attempts to combat it, APP fraud has grown significantly in the UK, driven by the increasing sophistication of scams and the psychological tactics used, including impersonation of trusted institutions or urgent threats. In fact, research from The Payments Association shows that financial losses of £340 million in 2023 were attributed to APP fraud alone. (1)

Victims often experience both financial loss and emotional distress, with individual cases sometimes involving life-changing sums. Despite growing awareness, the nature of these scams – targeting human trust rather than technical systems – makes them difficult to prevent through traditional security measures alone.

PSD3’s strategy for combating fraud

PSD3 includes measures aimed at fraud prevention and detection, including improved Strong Customer Authentication (SCA). PSD3 offers improvements to authentication protocols aimed at balancing security with user experience, reducing potential vulnerabilities in transaction authorisation.

Additionally, financial institutions will be required to share fraud data more consistently across borders to improve threat response, and PSD3 suggests harmonising liability protections across Member States to improve fairness in how fraud cases are treated. These steps mark progress in addressing financial crime, but their impact on APP fraud may be limited due to the nature of the transactions in question.

The oversight challenge: Addressing APP fraud

While unauthorised fraud is a central focus of many regulatory frameworks, APP fraud requires a different approach. Because the victim willingly sends money to the fraudster, standard security mechanisms may not be enough to prevent this type of scam even though PSD3 aims to improve fraud security.

In the UK, voluntary codes of conduct like the Contingent Reimbursement Model (CRM) code have been introduced to offer guidance on handling APP fraud, including recommendations around responsibilities and timeframes for reimbursement. However, the effectiveness of these codes is often constrained by inconsistent adoption and interpretation. The Payments Services Regulator (PSR) has recently moved toward mandatory reimbursement. Still, without broader alignment, differing rules across regions may create confusion and unequal responsibility when it comes to liability.

Exploring additional opportunities

To strengthen PSD3’s response to APP fraud, several additional measures should be considered:

  1. Standardised reimbursement rules:
    • Clear, region-wide guidelines would promote consistency and fairness in how merchants and payment service providers are held responsible, encouraging financial institutions across Europe to adopt similar practices.
  2. Enhanced data sharing:
    • PSD3’s fraud reporting requirements should be expanded to include APP fraud-specific data, i.e., a centralised database for reporting and analysing APP scams.
  3. Public awareness campaigns:
    • Regulatory action should be supported by sustained consumer education, helping people identify and avoid common scam tactics.
  4. Accountability for payment platforms:
    • As APP fraud often involves non-bank payment providers, PSD3 should impose stricter obligations on these entities.

Fraud: Moving towards comprehensive regulations

APP fraud is a multifaceted problem that demands a coordinated response. Though PSD3 offers a timely update to the regulatory framework addressing financial crime, its effectiveness may hinge on how well it adapts to the realities of social engineering, the behavioural manipulation that underpins these scams.

Policymakers must prioritise this issue, ensuring that regulations evolve to meet the realities of an increasingly digital payments ecosystem. The UK’s experience offers valuable lessons. Addressing APP fraud will require a mix of harmonised rules, enhanced collaboration, proactive monitoring, and a strong public awareness strategy. By complementing technical safeguards with efforts to address human vulnerability, PSD3 has the opportunity to better align with the demands of the digital payments age.

As the financial ecosystem becomes more interconnected and reliant on instant transactions, the ability to adapt regulatory tools to both known and emerging risks will be critical. With proper attention, PSD3 can move beyond general fraud prevention and play a central role in reducing the impact of APP scams on individuals and the broader economy. The race against fraud is far from over, but with the correct focus and determination, PSD3 could be the start of meaningful change.

Reference

  1. https://thepaymentsassociation.org/article/unveiling-digital-fraud-insightsinto-scam-trends-and-prevention-in-the-uk-payment-sector/
