by Mathilde Bonneau, Government Relations
In today’s hyper-connected world, fraud is evolving faster than ever before. Our digital lifestyles - online shopping, digital banking, social media - bring convenience but also create fertile ground for cybercriminals. Individuals and businesses now face increasingly sophisticated forms of fraud.
While technology enhances customer experiences, it also equips fraudsters with advanced tools like artificial intelligence to conduct sophisticated phishing attacks or create deep-fake videos and synthetic identities on an unprecedented scale. Fraud is not new and unlikely to be fully eradicated given human behavior and criminal adaptability. The focus should therefore be on minimizing its impact through prevention, early detection, and agile response.
The EU’s Payment Services Directive review (PSD3/R) signals strong commitment to boosting fraud safeguards and consumer protection. However, the traditional “one-size-fits-all” approach with static thresholds and uniform rules is no longer effective given diverse consumer behaviors and evolving fraud tactics.
As legislative discussions progress, two paradigm shifts are urgently needed to equip the digital ecosystem with more effective tools for preventing fraud.
1. Future-proofing the fraud prevention toolbox
Payment Service Providers (PSP) are deploying increasingly advanced fraud prevention tools to tackle new threats. For instance, PayPal’s new AI-powered scam alert system delivers dynamic warnings to consumers according to transaction risk.
It is equally crucial to continue evolving existing tools - like Strong Customer Authentication (SCA) - to ensure they remain effective. Attackers now target the technical elements of SCA, using phishing, malware, and data breaches to steal passwords, fueling credential stuffing attacks. Techniques like SIM swapping and social engineering have diminished the value of SMS one-time passwords (OTP).
This calls for moving beyond static SCA toward adaptive, risk-based authentication frameworks, enabling PSPs to adopt approaches that are innovative and resilient. Passkeys, for example, offer robust, phishing-resistant authentication, allowing users to sign in with biometrics (fingerprint or face scan), removing reliance on traditional passwords.
Failing to modernize SCA under the PSD3/R framework risks locking in outdated practices, limiting PSPs’ ability to strengthen defenses while fraudsters continue to evolve and exploit static security measures.
2. Tackling fraud requires an ecosystem-wide approach
Today’s fraud patterns are clear: fraudsters are using technology to exploit human trust—manipulating consumers into authorizing fraudulent payments via impersonation and emotional tactics. Most scams target individuals long before the payment itself.
This points to a broader reality: modern fraud extends well beyond the financial sector. It spreads across a complex digital ecosystem that includes social media platforms, online marketplaces, search engines, ad networks, telecoms, and messaging apps - many of which fall outside traditional financial regulation.
Improved intelligence sharing both among PSPs and across sectors is essential to tackle sophisticated, organized, cross-border fraud. Yet, collaboration alone is not enough: all actors in the ecosystem must implement controls to prevent and mitigate fraud on their own platforms. While some national or corporate initiatives exist, efforts remain fragmented and inadequate.
Current policy discussions, including under PSD3/R, continue to focus on the responsibilities of banks and PSPs. Far less attention is given to other ecosystem actors in proactive prevention, despite the urgency of addressing fraud at every stage of the fraud chain.
What is needed is a coordinated, EU-wide, cross-sector fraud prevention strategy that goes beyond isolated measures, bringing all actors in the fraud chain under a common framework. Such a strategy should establish clear accountability for each sector’s role, incentivise proactive risk management, and introduce shared liability mechanisms to ensure that the burden of protecting consumers does not rest on PSPs alone.
To conclude, as the EU shapes the future of digital payments, it must also modernize its fraud prevention framework. This includes future-proofing security standards like SCA under PSD3/R and adopting an EU-wide cross-sector approach aligning incentives, responsibilities, and liability. Only bold, coordinated action will keep pace with sophisticated fraud threats to ensure consumers stay protected.