EU Payment Reform: Will the New PSR Weaken Refund Rights for Phishing Victims?

The new PSR compromise text preserves the immediate refund rule for unauthorised transactions on paper. But Article 56 may give banks a structured route to delay phishing refunds where they claim objectively justified suspicion of gross negligence.

EFRI has long warned that Europe’s payment-fraud framework suffers from a structural protection gap.

In our reform paper “Restoring Trust in European Payment Rails: A Framework for a Shared Liability Reform”, we identified a double failure in the current system: first, deception-induced payments are still treated as “authorised” and typically remain unreimbursed; second, even clearly unauthorised transactions often face fragmented enforcement, inconsistent outcomes and broad gross-negligence defences by banks.

This has also been a recurring theme in EFRI’s public work. We have written repeatedly about phishing, online banking fraud, authorised push payment fraud, pig-butchering scams, payment-chain failures, weak redress routes, and the need for a modern shared-liability framework. The basic point is simple: Europe has built faster and more efficient payment rails, but it has not yet built a matching liability and enforcement architecture for consumers harmed by fraud.

The newly published final compromise texts for the Payment Services Regulation (PSR) and PSD3 must be read against that background.

The Council documents are dated 17 April 2026 and describe the PSR as the “confirmation of the final compromise text with a view to agreement.” The text is not yet formally adopted law, but it is no longer an early draft. It reflects an advanced political compromise in the EU legislative process.

This article focuses on one issue only: unauthorised phishing transactions under Article 56 PSR. Article 59 PSR, which deals with certain impersonation-fraud cases, deserves separate analysis.

The current PSD2 rule: refund first

Only recently, Advocate General Athanasios Rantos addressed this issue in C-70/25, Tukowiecka. According to the Court of Justice press release, the case concerns a phishing attack: a fraudster imitated the customer’s bank website, obtained her login details and executed an unauthorised payment from her account. The bank refused reimbursement, arguing that the customer had been grossly negligent.

This is not an isolated story. Across Europe, similar scenarios occur every day on a massive scale: consumers are deceived by fake banking websites, spoofed messages, manipulated login flows and professional social-engineering tactics. After the money is gone, many victims face the same institutional response: the bank points to authentication, alleges negligence and refuses or delays reimbursement. Consumers are then left to fight alone against institutions that control the transaction logs, fraud-monitoring data and internal risk records.

The Advocate General’s position is clear: under current PSD2 law, a bank cannot refuse the immediate refund of an unauthorised phishing transaction merely because it alleges gross negligence by the customer. The bank must refund first, unless it has good reason to suspect fraud by the customer and communicates that suspicion to the competent national authority. Gross negligence may become relevant later, if the bank seeks to make the customer bear the loss after reimbursement.

That is the key principle:

refund first, dispute gross negligence later.

For phishing victims, this matters. It prevents banks from using broad negligence allegations to delay reimbursement while the consumer carries the immediate financial loss.

The Advocate General’s position gave victims and consumer organisations a rare signal of fairness. It recognised the core imbalance: in unauthorised phishing cases, the consumer should not carry the immediate financial burden merely because the bank alleges gross negligence.

Article 56 PSR: refund first — but with a new exception

Article 56 of the PSR final compromise text keeps the immediate refund rule in form. In the case of an unauthorised payment transaction, the payer’s payment service provider must refund the payer immediately and no later than by the end of the following business day.

But Article 56 also introduces a critical exception.

The bank does not have to refund immediately if it has objectively justified reasons to suspect that the payer intentionally or with gross negligence failed to comply with security obligations and communicates those grounds to the payer in writing. The same provision also refers to suspicion of fraud by the payer.

This is the decisive shift.

Under the Advocate General’s interpretation of PSD2, gross negligence is not a front-end refund blocker. Under the proposed PSR, objectively justified suspicion of gross negligence may become a reason to delay immediate reimbursement.

The practical question changes:

Under PSD2: must the bank refund first and argue gross negligence later?
Under PSR: can the bank formulate objectively justified suspicion quickly enough to delay the refund?

That is not a technical drafting issue. It changes the balance of power between banks and consumers.

Other relevant rules

The PSR text then gives banks a structured follow-up process. Where the bank relies on objectively justified suspicion of fraud or intentional/grossly negligent conduct, it must within 15 business days either refund the payer or provide a justification for refusing the refund.

For victims, that distinction is not minor. Immediate reimbursement exists because fraud victims often need fast restoration of stolen funds. A suspicion-based delay mechanism shifts pressure back to the victim at the worst possible moment.

The PSR final compromise text does contain important safeguards. Some were already present in PSD2; others are now made more explicit. As under PSD2, authentication or strong customer authentication alone should not be sufficient to prove authorisation, fraud or gross negligence. The provider must provide supporting evidence.

However, the PSR goes further by expressly requiring the payment service provider to invite the user to provide information about the events leading up to the disputed transaction before concluding that the user authorised the transaction, acted fraudulently, or acted with intent or gross negligence.

Those safeguards matter. But they will matter only if courts, supervisors and complaint bodies enforce them strictly.

EFRI’s concerns

EFRI’s concern is not theoretical. It reflects what phishing victims already experience across Europe.

Phishing is not disappearing. On the contrary, recent threat reports indicate that AI is making phishing, smishing, vishing and other social-engineering attacks more scalable, more personalised and harder to detect. The European Payments Council’s 2025 Payments Threats and Fraud Trends Report states that criminals are using AI to automate, scale and personalise attacks, making them more effective and more difficult to identify. ENISA’s Threat Landscape 2025 similarly describes phishing as a primary method for credential theft, session hijacking and other forms of intrusion.

This matters for payment law. If phishing attacks become more convincing and more automated, the number of victims and the amount of damage are likely to increase. At the same time, there is still no simple technical or legal “recipe” that reliably prevents these attacks at scale. Banks, payment providers, telecom companies, platforms, regulators and law enforcement are all struggling with a threat environment that evolves faster than traditional controls.

Once again, the practical risk is that the financial burden will fall on the least powerful actor in the chain: the consumer.

This is already the reality in many phishing cases. Banks often do not refund first. Instead, they point to the fact that credentials were used, that strong customer authentication was completed, or that the customer clicked on a fraudulent link. They then allege gross negligence and shift the burden back onto the victim.

The result is a severe evidentiary imbalance. The consumer is left without the money, while the bank controls the transaction logs, authentication records, device data, fraud-monitoring alerts, internal risk scores and escalation files. The victim is then forced into complaints, ombudsman proceedings or litigation without access to the very evidence needed to challenge the bank’s position.

The problem is therefore not only what banks do. It is also how the system responds. If courts, complaint bodies and supervisors accept broad gross-negligence arguments too readily, the consumer-protective logic of PSD2 is weakened in practice, even before the PSR enters into force.

This is precisely the practice that the Advocate General’s Opinion in C-70/25 appeared to challenge under current PSD2 law: alleged gross negligence should not be a front-end reason to withhold the immediate refund. The bank should refund first and dispute responsibility later.

Article 56 of the PSR final compromise text risks moving in the opposite direction. By allowing banks to delay immediate reimbursement where they have “objectively justified reasons” to suspect intentional or grossly negligent conduct by the payer, the text may give legal structure to the very refusal logic that consumers already face in practice.

EFRI’s assessment

Article 56 PSR may turn today’s disputed bank practice into tomorrow’s regulated procedure.

For EFRI, this would be unacceptable. Europe cannot promote instant, digital payment rails, acknowledge the rise of AI-enhanced phishing, and then allow the cost of that fraud to be pushed back onto individual consumers through standardised gross-negligence allegations.

The key issue is not whether banks should be protected against genuine consumer fraud. They should. The issue is whether victims of sophisticated phishing should be denied immediate reimbursement merely because the bank can formulate suspicion quickly enough.

The rule must remain clear:

Sophisticated phishing is not ordinary carelessness. Gross negligence must remain a narrow, evidence-based exception — not a mass rejection tool for banks.

Europe will not defeat online fraud by making reimbursement easier to delay. It will restore trust only by making prevention mandatory, liability enforceable and consumer redress immediate.
