Since the EU introduced its Revised Payment Services Directive (PSD2) in 2018, Authorised Push Payment fraud (APP) has grown into the continent’s most prevalent form of financial crime. This explosive growth surprised few of us in the industry, but regulators likely didn’t expect one major consequence of that explosion: a shift in liability from banks to their customers.

Under PSD2, there is no customer reimbursement mandate for authorised payments. The directive only covers unauthorised Account Take Over (ATO) fraud. PSD3, scheduled to take effect in 2026, aims to make banks liable for reimbursement in bank impersonation scams but no other form of APP. The EBA is working to formalise the differences between unauthorised and authorised frauds and show how hybrid attacks – like the use of Remote Access Trojans from the customer machine alongside social engineering – might end up in the customer’s favour.

The financial impact of APP

Strong Customer Authentication (SCA) mandated by PSD2 is a double-edged sword. Brought in to reduce overall losses across all digital channels, it has benefited remote card purchases more than anywhere else. In the UK, initial research by Nationwide showed SCA helped to prevent 2,000 cases of fraud each month. It also found that more than two-thirds of customers are happy to enter a passcode or manually approve a payment, even though some transactions might take a little longer, as long as it makes their purchase journey more secure.

Although SCA has effectively put a stop to one type of fraud (ATO), it’s also led to a rise in social engineering attacks, ironically causing European banks to refund defrauded customers less frequently. A 2024 opinion paper by the European Banking Authority (EBA) found that most EU digital fraud losses are now borne by the customer.

By posing as a legitimate business or government body, cybercriminals committing APP fraud manipulate their victims into making payments or sharing personal details. APP circumvents SCA because the victims are tricked into voluntarily transferring away their money. In the UK alone, APP now impacts around 200,000 consumers each year, costing the economy around £459.7 million in 2023 (with over 60% reimbursement across the industry). The EBA estimates the EEA losses at around €1.2B with as little as 21% reimbursement, and that figure only includes those cases reported to banks. Whether customers are classified as Grossly Negligent or attack MOs are misclassified as authorised rather than unauthorised is a moot point: SCA has become a raw deal for many European victims. There are inconsistencies across countries and between individual banks as to how victims are treated.

PSD3’s need for improvement

In some ways, SCA leaves consumers less safe from fraud than they were before PSD2, exposing them to the increasing number and frequency of APP scams – any losses from which their banks and governments hold them personally liable. While the European Parliament reviews the proposed PSD3 directive, more must be added in amendments to better protect fraud victims. If this fails to happen, we’ll soon start discussing the need for PSD4.


Today, European nations are facing enough fraud to consider it a (trans)national security threat. Holding victims accountable is neither correct nor ethical, especially when there exists another way to protect consumers from scams without introducing more friction into the customer journey or placing more liability on their shoulders.

Proactively detecting and flagging fraud

Many organisations view their customers as the weakest link in their fraud-prevention defences. But it doesn’t have to be this way. In fact, customers, their idiosyncrasies, their digital habits and the ways they bank can instead form the basis of new, watertight digital protections.

Behavioural biometric intelligence analyses a user’s digital behaviour to distinguish whether an online banking session is legitimate or fraudulent. It can monitor patterns in mouse activity, keystroke movement, touchscreen behaviour, device orientation, user hesitation, disjointed typing, and much more.

A major advantage of behavioural intelligence is its ability to operate passively in the background. It silently monitors thousands of parameters, such as how a person holds their phone or how they scroll and toggle between fields, minimising friction in the user experience and storing this information for the user’s next session.

Once the user logs on again, the technology can compare their behaviour with previous data (validation not authentication) and, if it’s significantly different and matches known patterns of criminal activity, flag the session as potentially fraudulent.

Crafting a seamless and secure digital experience

Behavioural intelligence also offers protection against so-called “voluntary” APP fraud. It looks at several factors to recognise APP scams in real-time, such as:

  • The overall length of the session: Typically, fraudulent payment sessions last longer and exhibit aimless mouse movements, indicating the customer is waiting for further instructions from an imposter over the phone.
  • Segmented typing: How a person enters an account number themselves (versus someone reading it to them) makes a huge difference to the typing cadence.
  • Hesitation: Customers being scammed often show signs of hesitation, even if the well-rehearsed fraudster is skilled in coercion and reassurance. Long pauses before performing simple actions are telling signs of fraud.
  • Device displacement: Continuous movement of the phone suggests the user is picking it up to receive instructions and placing it back down to carry out the directed actions.
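The four signals above, turned into a toy session scorer as an added illustration (this is not BioCatch's code or model, and the thresholds, the `Session` fields and the sample telemetry are all constructed assumptions for the example):

```python
"""Toy APP-scam session scoring over constructed telemetry.
Added example, not a vendor's product: thresholds are illustrative only."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    duration_s: float               # total time spent on the payment journey
    account_key_times: List[float]  # keystroke timestamps (s) in the payee account field
    action_delays_s: List[float]    # pause (s) before each simple action, e.g. pressing "Next"
    motion_events: int              # "picked up / put down" device motion events


def typing_segments(key_times: List[float], gap_s: float = 1.5) -> int:
    """Count typing bursts separated by pauses longer than gap_s.
    Reading an account number back from a scammer produces several bursts;
    typing it from a known source usually produces one."""
    if not key_times:
        return 0
    segments = 1
    for prev, cur in zip(key_times, key_times[1:]):
        if cur - prev > gap_s:
            segments += 1
    return segments


def score_session(s: Session, baseline_duration_s: float = 120.0) -> Dict[str, float]:
    """Flag each of the four signals (1.0 = present) and sum them into a risk score.
    Assumed thresholds: 3x the genuine-session baseline, 3+ typing bursts,
    any pause over 8 s before a simple action, 4+ motion events."""
    signals = {
        "long_session": float(s.duration_s > 3 * baseline_duration_s),
        "segmented_typing": float(typing_segments(s.account_key_times) >= 3),
        "hesitation": float(any(d > 8.0 for d in s.action_delays_s)),
        "device_displacement": float(s.motion_events >= 4),
    }
    signals["risk"] = sum(signals.values())
    return signals


def verdict(s: Session, review_at: float = 2.0) -> str:
    """Route a session for manual review when enough signals coincide."""
    return "review" if score_session(s)["risk"] >= review_at else "allow"


# Constructed sample sessions (not real data): one unassisted, one coached over the phone.
GENUINE = Session(90.0, [0.2 * i for i in range(8)], [1.0, 1.5, 0.8], 0)
COACHED = Session(480.0, [0.0, 0.2, 0.4, 5.0, 5.2, 5.3, 12.0, 12.2], [2.0, 11.0, 9.5], 6)

if __name__ == "__main__":
    for name, sess in (("genuine", GENUINE), ("coached", COACHED)):
        print(name, verdict(sess), score_session(sess))
```

A real deployment would weight these signals against the customer's own history rather than fixed cut-offs, which is the point of the "validation not authentication" comparison described earlier.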

Ultimately, behaviour tells all. It is the only thing fraudsters and the increasingly sophisticated artificial intelligence tools at their disposal cannot mimic. The introduction of behavioural intelligence is a powerful tool for combating advanced threats, while also fostering innovation and growth. Most pressingly, it could soften concerns around PSD2 and PSD3's shortcomings while regulators iron out their next moves, replacing friction and fraud with a world of trust and ease. English-speaking countries that experienced APP fraud first have been the pioneers in deploying it, and are now seeing fraud levels decline there, with displacement elsewhere.

Iain Swaine is Director EMEA, Global Advisory at BioCatch