EU Strikes Landmark Deal to Modernize Payment Services, Crack Down on Fraud

The package, unveiled in November, is designed to fortify fraud defenses, enhance transparency around fees, improve access to cash, and level the competitive playing field across Europe’s rapidly evolving payments market.

According to twin press releases Thursday from Parliament and the Council, the reforms are a response to a sharp rise in sophisticated payment scams, data-driven fraud, and opaque charging practices that have undermined consumer trust. As Parliament put it, the deal marks movement toward “a more open and competitive EU payment services sector, with strong defenses against fraud and data breaches.”

TechREG Tracker

A core objective of the package is the creation of a uniform anti-fraud framework applying to banks, payment institutions, post-office giro services, online platforms, and certain technical and communications providers. Both PSR and PSD3 introduce mandatory identity-matching checks, requiring payment service providers (PSPs) to verify that a payee’s name and bank identifier correspond before executing a transfer, mirroring requirements that already apply to instant euro payments.

If a PSP fails to implement adequate fraud-prevention mechanisms, it will bear full liability for customer losses. Parliament underscored that a PSP must refuse a transaction when identifiers do not match and must assess each transaction’s risk. PSPs must also offer spending limits and blocking features to mitigate fraud exposure.

The rules explicitly target impersonation or “spoofing” fraud, now among the most common and damaging digital scams. Per the Council, spoofing occurs when “fraudsters impersonate a customer’s payment service provider to gain trust and trick the user into carrying out fraudulent financial actions.”

In cases of impersonation fraud, PSPs must refund victims in full if the customer reports the fraud to police and to their provider.

In a first-of-its-kind provision, online platforms will be liable to PSPs when they host fraudulent financial content and fail to take it down after notice, extending obligations beyond those in the Digital Services Act. Parliament’s rapporteur René Repasi called the measure “a win for the Parliament,” noting that in certain cases platforms “now have to reimburse banks who have reimbursed defrauded customers.”

Providers also will be legally required to display all charges and currency-conversion costs before ATM and card-payment transactions. Merchants offering card-processing services will need to disclose their fees clearly, allowing businesses and consumers to make informed choices.

To preserve access to cash—particularly in rural and remote regions—the legislation allows retailers to provide cash withdrawals of up to €150 (minimum €100) without a purchase. The measure aims to counter Europe-wide ATM closures and ensure cash remains a viable payment option. “With today’s deal, we have secured better access to cash for citizens across Europe,” said Morten Løkkegaard, rapporteur for PSD3.

Promoting fair competition between banks and non-bank providers by strengthening open-banking obligations is another key element of the new regulations. Banks will be prohibited from discriminating against licensed providers of account-information and payment-initiation services. Device manufacturers and digital service providers must permit payment apps and interfaces to store and transfer payment-related data on fair, non-discriminatory terms.

Danish Business Minister Morten Bødskov described the agreement as “a major step in the fight against payment fraud,” adding that the reforms “pav[e] the way for a more secure, efficient, and consumer-friendly payment landscape for all Europeans.”

The package must now undergo formal adoption by both bodies before entering into force.