December 2, 2025

Beyond SEPA: How the New PSR & PSD3 Rewrite the Rules on Fraud, Liability, and Verification

Damien Dugauquier
Author
Co-founder & CEO
iPiD

The recent agreement between the European Parliament and the Council in November 2025 marks a fundamental shift in the EU’s approach to payments. We are moving away from an era of purely "technical security" (like 2FA and passwords) into a new era of "ecosystem responsibility."

For banks and Payment Service Providers (PSPs), the message from the new Payment Services Regulation (PSR) and Payment Services Directive 3 (PSD3) is clear: collaboration is no longer optional, and liability is shifting.

Here are the five critical changes in the new text and what they mean for the future of payment verification and fraud prevention.

1. Closing the Gap: Verification of Payee (VoP) Goes Universal

Until now, the rollout of Verification of Payee (VoP), also known as "Name Check", has been fragmented. The legal basis for VoP was previously anchored in the Instant Payments Regulation (IPR). Because the IPR technically amended the SEPA Regulation, its scope was legally limited to Euro-denominated SEPA payments.

This left a massive legislative gap. What about a wire transfer in Polish Zloty? What about a high-value corporate transfer via TARGET2? What about money remittances?

The PSR closes these gaps definitively.

  • Currency Agnostic: VoP is no longer just for the Euro. It will become mandatory for credit transfers in all EU currencies.
  • Rail Agnostic: The regulation focuses on the service (Credit Transfer) rather than the infrastructure. This means the VoP obligation extends to RTGS payments (high-value corporate flows) and Money Remittances (where they terminate at an IBAN).

We are moving from a "SEPA-only" safety net to a comprehensive European shield. This creates a massive interoperability challenge: a French bank must now be able to verify account ownership with a Swedish or Romanian bank in real time.

2. The Liability Shift: Bank Impersonation

The PSR introduces a stricter liability regime for banks, particularly regarding "Spoofing" (Bank Impersonation Fraud).

Under PSD2, banks often refused refunds by arguing that a customer was "grossly negligent" if they authorized a payment, even if they were manipulated by a scammer. The PSR changes this dynamic:

  • Spoofing Liability: If a fraudster impersonates an employee of the bank (e.g., “This is the fraud department, move your funds to this safe account”) and the customer complies, the bank is now liable to refund the full amount.
  • Burden of Proof: To refuse a refund, the burden is on the bank to prove the customer acted fraudulently or with gross negligence, but the bar for proving negligence in spoofing scenarios is now significantly higher.

3. "Big Tech" Enters the Liability Chain

Perhaps the most groundbreaking change is that the liability "waterfall" now flows upstream to non-financial platforms. The regulator recognizes that while fraud ends in the banking app, it usually starts on social media or search engines.

  • Platform Liability: If a consumer is defrauded via a scam on an online platform (e.g., a fake investment ad), the bank, after refunding the customer, can now seek reimbursement from the platform.
  • The Condition: The platform becomes liable if it was informed of the fraudulent content and failed to remove it.

4. GDPR "Safe Harbor" for Collaborative Defense

For years, a major hurdle for banks was data privacy. One bank couldn't warn another that "IBAN X is a confirmed mule account" without risking a substantial GDPR fine. Fraudsters exploited this silence, moving faster than compliance teams could communicate.

The PSR solves this by providing a specific legal basis for sharing fraud data.

  • The Change: PSPs are now explicitly authorized to share data such as mule account identifiers, device fingerprints, and attack patterns.
  • The Effect: This enables "collaborative defense." Instead of fighting fraud in silos, banks can create shared intelligence consortiums and "blacklists" without fear of privacy litigation, provided they follow the regulation's protocols.

5. Transaction Monitoring: From "Static" to "Behavioral"

Under PSD2, transaction monitoring was often rule-based and rigid (e.g., "Flag any transaction over €10,000"). The PSR mandates a shift to intelligence-led monitoring.

  • Behavioral Insights: Banks must implement systems that learn typical user habits, such as location, spending patterns, and device usage, to flag anomalies that static rules would miss.
  • Receiver-Side Freezing: Crucially, the receiving PSP is now empowered and obligated to act as a safety brake. If it detects suspicious incoming patterns, it must freeze the funds before they are credited to the beneficiary. This is critical for stopping funds before they are cashed out by money mules.

How iPiD Helps

At iPiD, we understand the challenges of adhering to new payments regulations. We’ve helped banks and PSPs across the Eurozone introduce Verification of Payee (VoP). Our iPiD Node solution provides comprehensive Verification of Payee Requestor and Responder capabilities. Additionally, the iPiD Node reporting suite and forensic tools provide the information to support liability claims. As a global Know Your Payee (KYP) solution, we also provide account validation coverage reaching billions of bank accounts around the world. Talk to us today about how iPiD solutions can help your organisation comply with the incoming PSD3 regulations and enhancements to the Instant Payments Regulation.
