Europe’s new payment rules shake up fraud protection and fees

The European Union has just closed one of the most significant regulatory deals of the past decade for the digital finance sector. The new Payment Services Regulation (PSR) and the Third Payment Services Directive (PSD3) promise a deep redesign of the payments ecosystem — from how customers are protected against fraud to how banks, fintechs, and big tech platforms compete.

And while it may sound like a technical overhaul, the impact will be very real for anyone who pays online… and for any business that depends on those payments to operate.

A new framework for a market that outgrew its rules

For years, the boom in electronic payments, fintech, and online marketplaces grew faster than regulation. The EU is basically admitting that current rules no longer work to stop the surge in digital fraud or to guarantee fair competition between traditional and emerging players. The political agreement between Parliament and Council puts an end to that regulatory gap.

The new rules harmonize standards across all 27 member states, strengthen security, require total fee transparency, and guarantee continued access to cash even in rural areas. And they do so with language that sends a clear message to the industry: fraud responsibility shifts to the service providers, not the users.

This shift connects with other tech transformations we’ve been seeing in recent months. For example, Enterprises and More has covered how the digitalization of financial services is creating new security challenges, especially when integrating AI tools into sensitive processes like onboarding or authentication. The new regulatory framework enters right into that discussion and tries to establish order before risks escalate.

Online fraud: now the provider pays if it fails to do its job

The reform tightens the obligations of payment service providers (PSPs). If a PSP does not implement adequate anti-fraud mechanisms, it will be directly responsible for covering the customer’s losses. This includes:

• Mandatory verification that the beneficiary’s name matches the identifier.

• Automatic rejection of payments with inconsistencies or elevated risk.

• Strong customer authentication and continuous risk analysis.

• Spending limits and blocking options to minimize attacks.

The logic is simple: if a fintech, bank, or tech platform hasn’t kept its defenses sharp, the user shouldn’t bear the cost of that security gap. In practice, this pushes institutions to improve their real-time systems and invest more in fraud intelligence, biometrics, behavioral patterns, and predictive analytics.

The agreement also adds a key element: if a scammer manages to initiate or modify a transaction, it will automatically be considered unauthorized, forcing the provider to issue a full refund. And if the victim reports the fraud to the police and notifies their PSP, they can also receive a full refund even in impersonation scams (when the attacker pretends to be a bank employee).

Not only that: online platforms will be held responsible if they allow fraudulent content to remain active after being warned. This goes beyond what the Digital Services Act already established, reinforcing the idea that security isn’t just a financial-sector issue.

At Enterprises and More, several analyses have highlighted how the rise of digital scams has forced banks and tech platforms to rethink collaboration, especially in markets where fraud spreads through ads or marketplaces. This new European framework responds directly to that growing complexity.

Full transparency: bye bye hidden fees

Another key pillar of the agreement is transparency. From now on, users must receive before paying:

• Full information about all fees.

• The exact exchange rate applied in international payments.

• Any fixed cost associated with withdrawing cash from ATMs, no matter who operates them.

The goal is as obvious as it is necessary: ending surprise charges, especially in cross-border operations or when intermediaries are involved. The EU wants people to understand what they are paying from the very first moment — no fine print, no fees that appear when it’s already too late.

Pay by card.

This transparency requirement will also affect large advertising platforms. Advertisers offering financial services will need to prove they are legally authorized to operate in the country. The goal is to curb the growing number of fraudulent ads currently slipping through search engines and social networks.

Access to cash: a measure no one expected, but needed

The rise of digital payments hasn’t eliminated the need for cash, especially in rural areas or places with limited tech infrastructure. The EU wants to ensure withdrawing money remains easy, so it’s introducing an unprecedented measure: citizens will be able to withdraw between €100 and €150 in stores without needing to buy anything.

This helps offset the mass closure of bank branches and ATMs in less populated regions. And even if it seems contradictory in a digital-first era, it’s a key measure for maintaining financial inclusion — a topic also covered at Enterprises and More when analyzing how automation and the disappearance of in-person services affect less connected areas.

Competition: fintech and banks finally compete on equal terms

The reform also tackles market competition: the days of banks blocking “open banking” services are over. Unjustified barriers to data access are banned, and fair conditions must be guaranteed for payment initiation and account aggregation providers.

Users will gain access to a unified dashboard showing who has permission to access their data, and they’ll be able to manage it easily. Banks will also be required to offer non-discriminatory access to accounts for licensed payment institutions.

Another major point: mobile manufacturers and tech providers will have to allow external apps to store and use the data needed to process payments. This directly affects major hardware players that restricted access to NFC chips or proprietary systems.

Simpler authorization: the door opens, but with controls

Authorization processes for new payment institutions will be simplified — but without lowering standards. Requirements include:

• Solid prudential rules.

• Accurate calculation of own funds.

• Realistic financial forecasts.

• Initial capital aligned with the activity’s real risk.

If you’re already authorized as a crypto service provider under MiCA, you’ll be able to follow a streamlined process, reducing duplicate paperwork and speeding up market entry.

Disputes: less hassle, faster resolution

If a conflict arises, all PSPs will be required to participate in alternative dispute resolution mechanisms if the consumer requests it. The goal is to ease the burden on courts, accelerate refunds, and reduce the administrative friction that usually frustrates users.

Although its focus is clearly financial, this agreement is part of Europe’s broader technological and regulatory evolution. From the rise of artificial intelligence to the competition between banks and new digital players, everything points toward a more dynamic, more automated, and more risk-exposed market. Rules like PSR and PSD3 aim to keep that balance between innovation and protection — without slowing down the entrepreneurial momentum that has already transformed the industry.

Frequently Asked Questions

What is PSD3 and how does it differ from PSD2?

PSD3 updates and expands the rules introduced by PSD2, focusing on stricter fraud prevention, stronger supervision of payment institutions, and improved transparency. It also enhances competition by removing barriers to open banking services.

Will payment providers be fully liable for fraud?

Yes. If a provider fails to apply adequate fraud-prevention measures, it must reimburse the customer entirely. This includes impersonation scams, provided the victim reports the incident to the police and informs the PSP.

How will the new rules affect online platforms?

Platforms will be liable if they allow fraudulent content to remain live after being notified. PSPs can demand compensation when fraud originated on a platform that failed to act.

Can customers withdraw cash in shops under the new rules?

Yes. Citizens will be able to withdraw between €100 and €150 in stores without making a purchase, improving access to cash in rural and remote areas.

What changes for open banking providers?

They gain stronger rights to access account data on fair and non-discriminatory terms. Banks will no longer be able to impose technical or administrative barriers that hinder payment initiation or account information services.