
The growth of fraud in digital payments and the limits of PSD2

By Davide De Nittis, Partner at Excellence Edge, and Davide Olivieri, Manager at Excellence Payments

Digital payments are now an integral part of the daily lives of households and businesses. Cards, bank transfers, and digital wallets enable increasingly fast, simple, and accessible transactions, contributing to the creation of a solid and reliable European digital payments ecosystem.

The data from the Bank of Italy's report on fraudulent payment transactions for the first half of 2025 show that fraud remains overall under control: 12 fraudulent transactions per one hundred thousand transactions (0.012%) and 3 euros per one hundred thousand euros transacted (0.003%).

These figures, however, should not lead us to think that the risk has decreased. On the contrary, fraud is changing in nature and becoming progressively more sophisticated, taking advantage of the growing digitalisation of payments and increasingly advanced customer manipulation techniques.

Indeed, in the first half of 2025, bank transfers accounted for more than 81 million euros in fraud, while instant transfers show significantly higher levels of risk than ordinary ones (0.043% versus 0.002%). Other payment instruments also show similar dynamics: e-money payments, particularly prepaid cards, record higher fraud rates than other cards and are increasing compared with the same half of the previous year (0.031% in value).

Remote transactions (e-commerce) also remain more exposed than payments made at physical POS terminals: for cards, the fraud rate reaches 0.065%, compared with 0.006% for in-person transactions.

These dynamics also emerge clearly from the analysis of the data by payment instrument: while bank transfers account for the highest economic value of fraud, payment cards and electronic money record a higher incidence in terms of the number of fraudulent transactions, as shown in Figures 1 and 2.


The most significant change, however, concerns the nature of fraud: in bank transfers, 74% of the value derives from payments authorised by the customer but induced through manipulation, using social engineering techniques such as phishing, spoofing, or fake investments.

This evolution highlights a limitation of PSD2 (Payment Services Directive 2). Strong Customer Authentication (SCA) has strengthened the security of access to accounts, but it does not always stop payments that the customer has authorised in good faith after being deceived.

It is also in response to this changing nature of fraud risk that the European Union has introduced the new regulatory package consisting of PSD3 (Payment Services Directive 3) and PSR (Payment Services Regulation), with the aim of strengthening fraud prevention and adapting the regulatory framework to the new reality of digital payments. In this sense, PSD3 does not represent a revolution, but rather a natural maturation of the regulatory framework, designed to respond to the growing sophistication of digital threats and strengthen consumer trust in the digital payments ecosystem.

Why the European Union introduced PSD3 and PSR
In June 2023, the European Commission presented a new regulatory package consisting of the PSD3 Directive (COM(2023) 366 final) and the Payment Services Regulation – PSR (COM(2023) 367 final), with the aim of updating the regulatory framework for payments.

The final adoption of the package is expected between the end of 2027 and the beginning of 2028. After publication in the Official Journal, the PSR, being a directly applicable regulation, will enter into force within approximately 18 months, while PSD3 will have to be transposed by the Member States within a period of between 18 and 24 months.

PSD3 updates the rules on governance, security, authorisation, and liability of payment service providers, strengthening customer protection and cooperation among operators. The PSR, in turn, introduces uniform rules at European level on transparency, fraud prevention, complaint handling, and the allocation of liability.

Taken together, PSD3 and the PSR mark a significant evolution in the approach to digital payment security. The new regulatory framework intervenes in particular along four main lines:

  1. From strong authentication to systemic fraud prevention
  2. Greater cooperation and information sharing among payment service providers
  3. The evolution of Strong Customer Authentication from PSD2 to PSD3
  4. Clearer liability and allocation of losses in the event of fraud

1. From strong authentication to systemic fraud prevention
One of the main innovations introduced by PSD3 concerns the treatment of APP fraud (Authorised Push Payment fraud), that is, fraud in which the customer authorises a payment after being manipulated by a fraudster.

This type of fraud, which under PSD2 was largely a regulatory gap, is now addressed with clearer tools that shift the focus from the formal correctness of authentication alone to the overall ability of PSPs (Payment Service Providers) to prevent and intercept fraud before the payment is executed.

The PSR introduces an obligation to reimburse victims, except in cases of gross negligence by the customer, and redefines the liability of payment service providers, prompting them to demonstrate that they have adopted adequate preventive measures.

There are many examples of APP fraud that prompted the regulatory intervention: “fake supplier” fraud, in which a company pays into bank details that were communicated fraudulently; fake investment opportunities promising high returns; and telephone spoofing, where the bank’s number appears on the caller display and the customer is induced to transfer funds to criminals’ accounts. In all cases, the common feature is the absence of a preventive control capable of blocking the payment before the fraud is completed.

A further element concerns the obligation to verify the beneficiary. The mechanism, already in place for instant transfers since the introduction of VOP (Verification of Payee) in October 2025, is strengthened by the PSR and integrated among the anti-fraud controls on bank transfers. Before a payment is executed, the payer’s PSP will have to verify the correspondence between the IBAN and the name of the beneficiary and, in the event of a discrepancy, clearly inform the customer.
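The following is an added illustration, not code from the article or its authors, of the Verification of Payee step described above: the payer's PSP checks that the IBAN is structurally valid, looks up the account holder name that the payee's PSP holds, compares it with the name the payer entered, and returns a match, close match or no match so that the customer can be warned before the transfer is executed. The PAYEE_DIRECTORY is a constructed sample (using commonly published example IBANs), and the matching thresholds, the list of ignored legal-form suffixes and the customer-facing wording are assumptions of this example, not the scheme's actual rules.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed sample of what the payee's PSP would answer from: IBAN -> account holder name.
PAYEE_DIRECTORY = {
    "GB82WEST12345698765432": "Acme Supplies Ltd",
    "DE89370400440532013000": "Mueller Maschinenbau GmbH",
}

# Assumed matching threshold (the real scheme rules are not reproduced here).
CLOSE_MATCH_THRESHOLD = 0.80
# Legal-form suffixes ignored when comparing names (assumed list).
LEGAL_FORMS = {"LTD", "LIMITED", "PLC", "GMBH", "AG", "SRL", "SPA", "SA", "SAS", "INC", "LLC"}


def iban_is_valid(iban: str) -> bool:
    """Structural IBAN check: country code, two check digits, ISO 7064 MOD 97-10."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                                # country code and check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Strip accents and punctuation, uppercase, drop legal-form suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).upper()
    text = re.sub(r"[^A-Z0-9 ]+", " ", text)
    return " ".join(tok for tok in text.split() if tok not in LEGAL_FORMS)


def verify_payee(iban: str, name_entered: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, account holder name to show the payer, if any)."""
    if not iban_is_valid(iban):
        return "INVALID_IBAN", None
    held = PAYEE_DIRECTORY.get(re.sub(r"\s+", "", iban).upper())
    if held is None:
        return "ACCOUNT_NOT_FOUND", None
    ratio = SequenceMatcher(None, normalise_name(name_entered), normalise_name(held)).ratio()
    if ratio == 1.0:
        return "MATCH", held
    if ratio >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH", held    # show the held name so the payer can correct a typo
    return "NO_MATCH", None           # do not disclose the holder's name on a clear mismatch


def payer_message(outcome: str, held: Optional[str]) -> str:
    """Wording shown to the payer before confirmation (assumed text, not a scheme template)."""
    return {
        "MATCH": "The name matches the account holder.",
        "CLOSE_MATCH": f"The name is close to, but not the same as, the account holder: {held}. Check before paying.",
        "NO_MATCH": "The name does not match the account holder. Check the details with the payee before paying.",
        "ACCOUNT_NOT_FOUND": "The account could not be verified.",
        "INVALID_IBAN": "The IBAN is not valid.",
    }[outcome]


if __name__ == "__main__":
    for iban, name in [
        ("GB82 WEST 1234 5698 7654 32", "Acme Supplies Ltd"),
        ("DE89370400440532013000", "Müller Maschinenbau GmbH"),
        ("GB82WEST12345698765432", "Bob Smith"),
        ("NL91ABNA0417164300", "Anyone"),
    ]:
        outcome, held = verify_payee(iban, name)
        print(f"{iban!r:32} {name!r:30} -> {outcome}: {payer_message(outcome, held)}")
```

The close-match branch returns the held name so that a payer who mistyped can correct it, while the no-match branch deliberately does not, so the check cannot be used to enumerate account holders from guessed IBANs.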

Fraud prevention therefore becomes a systemic objective, involving technology, processes, cooperation among operators, and protection of the end user.

2. Greater cooperation and information sharing among payment service providers
Alongside the strengthening of preventive controls, PSD3 introduces a decisive enhancement of cooperation among payment service providers (PSPs), recognising that combating fraud can no longer be effective if managed in isolation by individual operators. In an increasingly digital and interconnected context, in fact, fraudulent schemes tend to replicate rapidly across different intermediaries and countries, exploiting information asymmetries and uncoordinated response times. For this reason, the new regulatory framework promotes an “ecosystem” logic, in which relevant information on attempted fraud, operational incidents, and suspicious behaviour can be shared in a structured and timely way among operators.

In this scenario, the PSR provides a clear legal basis for the exchange of anti-fraud information, while at the same time ensuring compliance with personal data protection regulations, such as the GDPR. The objective is twofold: on the one hand, to prevent the spread of the same fraudulent schemes across multiple PSPs, increasing the capacity for early detection; on the other, to create a more resilient and coordinated system at European level, in which security does not depend only on the individual countermeasures adopted, but on the quality of collaboration among the actors involved. This evolution marks the transition from a reactive and fragmented approach to a proactive and shared model of fraud risk management.

3. The evolution of Strong Customer Authentication from PSD2 to PSD3
Strong Customer Authentication, while remaining central, is being reconsidered in a more flexible and contextual way. The new provisions of PSD3 update Article 97 of PSD2, introducing risk-based authentication tools and integrating systems for monitoring user behaviour, the device used, the transaction context, and its consistency with previous habits. This approach makes it possible to reduce friction for the user in low-risk operations, while at the same time strengthening controls on suspicious transactions. The combination of advanced SCA and real-time monitoring represents one of the most important innovations in combating fraud and optimising the user experience.

From a technological point of view, the PSD3-PSR package pushes towards the adoption of advanced fraud prevention solutions. AI and machine learning systems make it possible to identify anomalous patterns in real time by analysing large volumes of transactional and behavioural data. Techniques such as device fingerprinting, behavioural biometrics, and continuous session monitoring make it possible to detect weak signals that, taken individually, might seem harmless, but which taken together indicate a high risk of fraud. The objective is not only to block fraudulent transactions, but to intervene before the customer completes them.
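As an added example, not code from the article or from any PSP, the block below sketches the risk-based, contextual monitoring that the two preceding paragraphs describe: a transfer is scored against the customer's habits (device, saved beneficiaries, usual amounts and hours) and against the transaction context (instant or not, how quickly it was confirmed after login), and the score decides whether to let it through with low friction, to require step-up SCA with an explicit warning, or to hold it and confirm with the customer out of band. The signal weights, thresholds, customer profile and sample transfers are constructed assumptions, chosen to show how several weak signals that are harmless on their own add up to a high-risk picture.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class CustomerProfile:
    known_devices: Set[str]
    known_beneficiaries: Set[str]
    recent_amounts: List[float]   # recent outgoing transfers, EUR
    usual_hours: Set[int]         # hours of day at which this customer normally pays


@dataclass
class Transfer:
    amount: float
    device_id: str
    beneficiary_iban: str
    hour: int
    instant: bool
    seconds_since_login: int            # login to payment confirmation
    beneficiary_added_minutes_ago: int  # how recently the payee was saved


# Assumed weights: each signal is weak on its own; it is their sum that crosses a threshold.
WEIGHTS = {
    "new_device": 25,
    "new_beneficiary": 20,
    "beneficiary_just_added": 15,
    "amount_out_of_pattern": 20,
    "unusual_hour": 10,
    "instant_transfer": 10,
    "hasty_confirmation": 10,
}
STEP_UP_AT = 25   # require SCA plus an explicit scam warning before execution (assumed)
HOLD_AT = 60      # delay execution and confirm with the customer out of band (assumed)


def amount_out_of_pattern(amount: float, history: List[float]) -> bool:
    """True when the amount exceeds the customer's mean by more than two standard deviations."""
    if len(history) < 3:
        return amount > 1000.0     # assumed cold-start rule for customers with little history
    return amount > mean(history) + 2 * pstdev(history)


def risk_signals(tx: Transfer, profile: CustomerProfile) -> Dict[str, int]:
    """Evaluate each behavioural and contextual check; return those that fired with their weight."""
    fired = {
        "new_device": tx.device_id not in profile.known_devices,
        "new_beneficiary": tx.beneficiary_iban not in profile.known_beneficiaries,
        "beneficiary_just_added": tx.beneficiary_added_minutes_ago < 30,
        "amount_out_of_pattern": amount_out_of_pattern(tx.amount, profile.recent_amounts),
        "unusual_hour": tx.hour not in profile.usual_hours,
        "instant_transfer": tx.instant,
        "hasty_confirmation": tx.seconds_since_login < 60,
    }
    return {name: WEIGHTS[name] for name, hit in fired.items() if hit}


def assess(tx: Transfer, profile: CustomerProfile) -> Tuple[int, str, Dict[str, int]]:
    """Score the transfer and map the score to ALLOW (low friction), STEP_UP or HOLD."""
    signals = risk_signals(tx, profile)
    score = sum(signals.values())
    if score >= HOLD_AT:
        decision = "HOLD"
    elif score >= STEP_UP_AT:
        decision = "STEP_UP"
    else:
        decision = "ALLOW"
    return score, decision, signals


# Constructed profile: one known device, one saved payee, modest regular payments during the day.
PROFILE = CustomerProfile(
    known_devices={"dev-A"},
    known_beneficiaries={"GB82WEST12345698765432"},
    recent_amounts=[45.0, 120.0, 80.0, 60.0, 95.0, 70.0],
    usual_hours=set(range(8, 19)),
)

ROUTINE = Transfer(85.0, "dev-A", "GB82WEST12345698765432", 13, False, 240, 200 * 24 * 60)
# Typical APP-fraud picture: the customer's own device, but a payee saved minutes ago,
# an amount far above habit, instant, late at night and confirmed within seconds of login.
MANIPULATED = Transfer(4900.0, "dev-A", "NL91ABNA0417164300", 22, True, 45, 5)
# Two weak signals that are harmless alone but warrant a step-up together.
WEAK_COMBINED = Transfer(90.0, "dev-A", "NL91ABNA0417164300", 11, True, 300, 3 * 24 * 60)

if __name__ == "__main__":
    for label, tx in [("routine", ROUTINE), ("manipulated", MANIPULATED), ("weak signals", WEAK_COMBINED)]:
        score, decision, signals = assess(tx, PROFILE)
        print(f"{label:13} score={score:3} -> {decision:8} {sorted(signals)}")
```

Note that the manipulated case fires no device signal at all: in APP fraud the customer is using their own device and will pass SCA, which is exactly why the decision has to rest on the combination of beneficiary, amount, timing and context signals rather than on authentication alone.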

4. Clearer liability and allocation of losses in the event of fraud
The redefinition of liability in the event of fraud constitutes a further turning point. PSD3 clarifies the role of the payer’s PSP, that of the beneficiary’s PSP, and that of the end user, preventing losses from automatically falling on the customer when the risk signals were detectable or the controls inadequate. This principle of shared liability strengthens the importance of prevention and stimulates investment in more advanced security systems.

The impacts are not limited to traditional banks. PSD3 also affects fintechs, TPPs (Third Party Providers), AIS (Account Information Services), and PIS (Payment Initiation Services), imposing stricter governance, internal control, and security requirements. While on the one hand these obligations entail new operating costs, on the other they contribute to strengthening trust in the open banking ecosystem and creating more solid foundations for the development of new digital services. PSPs will be required to systematically integrate data, technology, and processes, using AI and machine learning tools to identify suspicious patterns and prevent fraud in real time.

The regulation does not merely prescribe technical obligations, but also requires greater customer education and awareness. Users must receive clear information on fraud risks, be alerted in the event of anomalous transactions, and understand their rights in the event of a fraudulent payment. These aspects are referred to in both PSD3 and the PSR, highlighting how consumer protection is an integral part of the European strategy against fraud.

Conclusions: from compliance to trust in the payments market
Overall, the PSD3–PSR regulatory framework marks a significant transformation in the European payments market. The fight against fraud is no longer entrusted to isolated measures, but becomes a systemic process based on prevention, cooperation among operators, and shared responsibility. For banks, fintechs, and payment service providers, the new regulatory framework represents an opportunity — one that the sector cannot afford to miss — to strengthen security, increase customer trust, and consolidate competitiveness in the European digital market. Compliance with the regulatory package will require PSPs and banks to invest in technological innovation and process review, but it will also constitute a distinguishing factor for those able to combine security and user experience effectively.

7 April 2026
