ESEN

Strengthening Anti-Fraud Protection: A Brief Overview of the New Developments in Payment Services

Download newsletter

ADMINISTRATIVE LAW DIVISION

A significant reform of the payment services framework is on the horizon. On 17 April 2026, the Council of the European Union published a note presenting the preliminary compromise texts for both the new Payment Services Directive (commonly referred to as PSD3) and the new Payment Services Regulation (PSR). Together, these measures will establish a new legal framework, replacing the current regime set out in Directive (EU) 2015/2366 (PSD2), as implemented in Spain by Royal Decree-Law 19/2018 (further developed by Royal Decree 736/2019), and Directive 2009/110/EC on electronic money institutions, transposed into Spanish law by Law 21/2011 and Royal Decree 778/2012.

Pending their formal adoption by the European Parliament and the Council, and their subsequent entry into force—scheduled for the twentieth day following publication in the Official Journal of the European Union (expected during the summer of 2026)—PSD3 will provide for a transposition period of 21 months from its entry into force. The PSR will become directly applicable from the same date, with the exception of the beneficiary name-and-identifier verification regime, for which a longer implementation period of 27 months has been established. Significantly, this verification requirement will apply to all credit transfers, rather than only SEPA transfers, thereby extending the regime introduced by Regulation (EU) 2024/886.

This new legislative framework represents more than a mere formal restructuring. Unlike its predecessor, it combines a directive with a directly applicable regulation, reserving the key conduct of business rules for the latter. The objective is to reduce the divergent national interpretations that arose under PSD2 while also introducing substantial changes to the regulation of payment services.

One of the most notable developments concerns fraud prevention, with a clear shift of risk towards payment service providers. In response to the growing prevalence of fraud under the PSD2 regime—including phishing, smishing, vishing, spoofing and other forms of social engineering and identity impersonation—the proposed Regulation fundamentally reshapes the existing legal framework. It expressly provides that a payment transaction will not be regarded as authorised where the payer has been manipulated through social engineering into initiating a payment to a third party other than the intended beneficiary, or where the transaction has been executed by a third party without the payer’s consent using credentials obtained fraudulently. This reform comes against the backdrop of official statistics published by the Spanish Ministry of the Interior, which indicate a worrying increase in this form of cybercrime.

The proposed Regulation also introduces a specific right to reimbursement for consumers who fall victim to identity impersonation. Where a third party unlawfully uses the name, email address, telephone number, website or application of a payment service provider to deceive a consumer into making a fraudulent payment, the consumer will be entitled to claim full reimbursement of the amount from the payment service provider.

That said, reimbursement will be excluded where the consumer has acted with gross negligence. However, the Regulation introduces a series of non-exhaustive and non-binding criteria intended to assist in determining whether such gross negligence exists.

Alongside these anti-fraud measures, and beyond the wider regulatory and supervisory reforms, the new legal framework pursues greater harmonisation by:

  • expanding and strengthening Strong Customer Authentication (SCA) through a more adaptive, risk-based approach that combines behavioural biometrics with traditional physiological biometric authentication;
  • promoting open banking, facilitating the electronic exchange of data between software systems;
  • enhancing transparency regarding fees and contractual terms while introducing mandatory integration with the European Digital Identity Wallet (EUDI Wallet);
  • establishing a stricter regulatory regime for NFC (Near Field Communication) payments; and
  • improving consumers’ access to cash, allowing retailers to provide cash withdrawals of between €100 and €150 (depending on how each Member State implements the legislation), thereby offering an alternative to traditional cash withdrawals through bank-operated ATMs.

Taken together, these reforms will have significant implications for both consumers and small and medium-sized enterprises. The strengthening of open banking, combined with enhanced fraud prevention measures and greater consumer protection, points towards a future payment services ecosystem that is not only more secure but also more convenient for economic operators. At the same time, the reforms are expected to create particularly attractive opportunities for the rapidly evolving fintech sector.