Guide
Shifting Scam Liability : Payment Services Directive 3 (PSD3) Obligations for the EU
PSD3 and the EU Payment Services Regulation are moving scam liability off consumers and onto the institutions that process, facilitate, and profit from the infrastructure scammers exploit. The UK went first, and the October 2024 APP reimbursement regime made clear that reimbursement is just the visible part; the harder operational shift is what institutions need to prove they knew before the money moved. PSD3 takes that logic further. Pre-payment monitoring, receiving-side accountability, and cross-institution intelligence sharing are all on the table. The problem is that most bank fraud controls still trigger at the payment event, and by then the scammer has already coached the victim through every friction point. The scam journey starts days or weeks earlier, across telco networks, social platforms, and encrypted messaging apps, long before a payment instruction arrives. This report breaks down what PSD3 requires, what the UK's experience reveals about the operational shifts ahead, and why institutions that wait for final compliance deadlines will be building their fraud stack under pressure.