The EU sells enhanced transaction monitoring as a major fraud-prevention reform. Victims should look closer.
The draft Payment Services Regulation, or PSR, is presented as a major step in the fight against online payment fraud. One of its most promoted tools is enhanced transaction monitoring. The message sounds promising: banks and payment service providers should monitor payments, detect suspicious transactions, stop fraud before the money disappears and refund consumers where fraud-prevention obligations are breached.
That sounds good. But it is not the revolution victims need.
Transaction monitoring is not new. Banks already had transaction-monitoring obligations under the PSD2 framework. They also had monitoring obligations under anti-money-laundering rules. Banks already had contractual duties of care and warning duties where objective red flags existed. Member States with developed banking duty-of-care case law, such as Germany, have already applied this principle in payment cases.
To be fair, the PSR does improve the legal architecture: it makes transaction monitoring more visible, brings both the payer’s PSP and the payee’s PSP into the same fraud-prevention chain, and introduces important burden-of-proof rules against PSPs.
But these rules will not fundamentally change the economics of fraud prevention inside the payment rails. Banks and PSPs may face stronger monitoring duties, but they still have too little immediate economic incentive to clean up the rails by identifying, blocking and removing fraud-enabling accounts, merchants, mule networks and high-risk counterparties before consumer funds disappear.
For victims, the battlefield remains largely the same: they will still have to fight banks over what the bank should have detected, whether warning signs were sufficient, and whether the payment should have been suspended or returned.
What the PSR actually says
Article 83 of the April 2026 PSR compromise text states that PSPs “shall have transaction monitoring mechanisms in place” to support strong customer authentication, justify exemptions from strong customer authentication, and prevent and detect potentially fraudulent payment transactions.
The key new provision is Article 83(1a). It requires the payer’s PSP to carry out transaction monitoring before execution of the payment transaction. It also requires the payee’s PSP to carry out transaction monitoring before the funds are made available to the payee. If such monitoring is not carried out for a transaction and the payer suffers financial loss, the relevant PSP bears liability. If the payer’s PSP cannot provide evidence that both PSPs monitored the transaction, it must refund the payer. The provision also states that the “burden to prove” that there was no breach lies with the PSP concerned.
Article 65 then connects monitoring to intervention. Where the payer’s PSP has objectively justified reasons to suspect that the transaction is fraudulent, based on transaction monitoring or other relevant information, it must suspend the execution of the payment transaction. If it fails to do so, the payer should not bear the financial loss, except where the payer acted fraudulently. The burden of proof that there was no breach lies with the PSP.
Article 69 creates the corresponding payee-side mechanism. If the payee’s PSP has objectively justified reasons to suspect that a payment credited or to be credited to the payee’s account is fraudulent, it may withhold the funds and return them to the payer’s PSP. If the reasons are clear and incontrovertible, it must do so. Again, the burden of proof lies with the payee’s PSP.
This is not irrelevant. It is stronger than the PSD2 text. But it is still not a victim-first refund regime.
Transaction monitoring already exists under PSD2
The most important point is this: transaction monitoring was already part of the existing PSD2 framework.
Article 2(1) of Commission Delegated Regulation (EU) 2018/389, the PSD2 Regulatory Technical Standards on strong customer authentication and secure communication, already requires PSPs to have mechanisms capable of detecting “unauthorised or fraudulent payment transactions.” These mechanisms must take into account elements typical of the payment service user’s normal use of personalised security credentials, and they must consider factors such as compromised authentication elements, transaction amount, known fraud scenarios, malware indicators and abnormal use of devices or software.
This means that a bank customer who usually transfers EUR 2,000 and suddenly sends EUR 50,000 cross-border to a new or suspicious recipient should not become visible to the bank for the first time because of the PSR. Such a transaction should already have been relevant under any serious PSD2 fraud-monitoring framework.
The European Banking Federation makes the same point from the industry side. It states that Article 83 PSR builds upon Articles 1 and 2 of Delegated Regulation 2018/389 and argues that the existing RTS language should be retained because it gives PSPs flexibility for SCA, SCA exemptions and fraud prevention.
That observation supports EFRI’s point: the PSR is not inventing transaction monitoring. It is repackaging and elevating it.
AML rules also require banks to monitor suspicious transaction behaviour
Transaction monitoring is also not only a PSD2 topic. Under EU anti-money-laundering rules, obliged entities must conduct ongoing monitoring of the business relationship, including scrutiny of transactions, to ensure that transactions are consistent with the institution’s knowledge of the customer and the customer’s risk profile. The AML framework also requires scrutiny of complex, unusually large or unusual transaction patterns without an apparent lawful or economic purpose.
AML monitoring and fraud-prevention monitoring are not identical. AML focuses on money laundering, terrorist financing and suspicious financial flows. PSD2 and PSR fraud monitoring focus on unauthorised or fraudulent payment transactions and the protection of payment service users.
But in real life, both frameworks require banks to look at transaction patterns, customer profiles, unusual behaviour, destination risk, account activity and red flags. Banks cannot credibly argue that transaction monitoring is a new discipline suddenly created by the PSR.
The duty-of-care principle already required banks not to look away
The PSR’s transaction-monitoring model must also be seen against the background of contractual banking duties.
In a bank-customer relationship, the bank is not merely a technical machine executing payment orders. It is a professional financial intermediary. It owes contractual duties of care. These duties do not mean that a bank must investigate every payment or advise the customer about every commercial decision. But they do mean that a bank cannot blindly execute payment orders where objective warning signs point to a serious risk of loss or fraud.
The German Federal Court of Justice, the Bundesgerichtshof, confirmed this principle in its judgment of 14 May 2024, XI ZR 327/22.
The BGH started with the traditional rule: in cashless payments, a bank generally need not concern itself with the underlying commercial relationship. It is normally involved only to ensure the technically correct, simple, and fast execution of the payment. The BGH also stated that a bank does not generally have to examine whether processing a payment transaction poses risks to any participant, nor generally monitor account movements without specific indications.
But the BGH confirmed the crucial exception. A warning duty can arise where, in the normal processing of the payment, the bank encounters “massiven Verdachtsmomenten” (massive grounds for suspicion) and “objektiver Evidenz” (objective evidence) indicating a risk of misappropriation or harm. The customer should be warned because the customer lacks information which the bank has and needs that warning to take steps to avoid loss.
This is the red-flag duty-of-care model. It already existed before the PSR.
The BGH judgment shows that a receiving bank can become relevant when it possesses objective information indicating a payer-relevant risk. However, under German law this may require a complex construction through assigned claims and third-party loss liquidation. The PSR goes further in regulatory structure: it expressly requires the payee’s PSP to monitor before funds are made available and links that role to withholding, return and burden-of-proof consequences.
This should not be confused with an automatic refund rule. Under the BGH approach, the claimant must still establish that a duty to warn arose. Once such a duty and its breach are established, the presumption of proper conduct after disclosure shifts the burden of causation. The PSR burden-of-proof rule operates differently: it requires PSPs to prove that they did not breach specific monitoring, suspension or withholding duties.
This is the real procedural improvement. Under the PSR, the bank should not be able to defeat a claim merely by asserting that internal monitoring took place. The PSP must be able to prove that it complied with the relevant monitoring, suspension or withholding obligation. The problem is that this still does not answer the central substantive question: when did the available indicators become strong enough to require intervention?
The duty-of-care principle is based on information asymmetry. The customer does not know what the bank knows. Where the bank has objective warning signs, it must not behave like a blind execution machine. The PSR does not remove this asymmetry. But it gives victims a clearer regulatory basis to challenge the bank’s failure to act.
Neither an unusual payment nor a payee-verification mismatch automatically crosses the PSR intervention threshold
The upcoming legal battlefield will be the aggregation of red flags. The PSR expressly states that an unusual payment order alone does not constitute objectively justified reasons to suspect fraud. It also prevents PSPs from relying solely on the outcome of payee verification. But both factors remain relevant risk indicators. The decisive question will be whether, taken together with other information, amount, customer profile, new payee, cross-border destination, device data, fraud-sharing information or mule-account patterns, they created objectively justified reasons to suspect fraud.
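As an added illustration, not from the original article or from EFRI, the following constructed Python rule-aggregation model applies the threshold logic described above from a detection perspective: an unusual amount alone, or a payee-verification mismatch alone, never triggers suspension, while the earlier scenario of a customer who usually transfers EUR 2,000 suddenly sending EUR 50,000 cross-border to a new payee does. The indicator weights and the numeric threshold are assumptions; the PSR sets none.

```python
from dataclasses import dataclass, field

# Constructed weights for illustration only; the PSR sets no numeric threshold.
WEIGHTS = {
    "unusual_amount": 1,
    "new_payee": 1,
    "cross_border": 1,
    "payee_verification_mismatch": 1,
    "fraud_sharing_hit": 2,  # payee account known from fraud-information sharing
}
INTERVENTION_THRESHOLD = 3  # assumed value

@dataclass
class CustomerProfile:
    typical_amount_eur: float           # baseline derived from the customer's history
    home_country: str
    known_payees: set = field(default_factory=set)

@dataclass
class Payment:
    amount_eur: float
    payee_id: str
    payee_country: str
    payee_name_match: bool              # outcome of payee verification
    payee_in_fraud_sharing_data: bool = False

def red_flags(profile: CustomerProfile, p: Payment) -> list[str]:
    """Return the individual risk indicators raised by one payment order."""
    flags = []
    if p.amount_eur >= 5 * profile.typical_amount_eur:
        flags.append("unusual_amount")
    if p.payee_id not in profile.known_payees:
        flags.append("new_payee")
    if p.payee_country != profile.home_country:
        flags.append("cross_border")
    if not p.payee_name_match:
        flags.append("payee_verification_mismatch")
    if p.payee_in_fraud_sharing_data:
        flags.append("fraud_sharing_hit")
    return flags

def should_suspend(profile: CustomerProfile, p: Payment) -> tuple[bool, list[str]]:
    """Suspend only when aggregated indicators cross the threshold; a single
    indicator (unusual amount or verification mismatch on its own) never suffices."""
    flags = red_flags(profile, p)
    score = sum(WEIGHTS[f] for f in flags)
    return (len(flags) >= 2 and score >= INTERVENTION_THRESHOLD), flags
```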
Higher litigation risk
The banking industry has correctly identified the litigation risk. The German Banking Industry Committee warned that a separate liability regime for transaction monitoring risks creating more disputes between payment service users and PSPs and may force PSPs to disclose details of their fraud-monitoring systems.
EFRI draws the opposite policy conclusion. The fact that the evidence lies inside the bank is not an argument against liability. It is the reason why victims need disclosure rights, a reversed burden of proof and a genuine consumer-first reimbursement mechanism.
What is still missing is a clear victim-first rule. If a consumer reports fraud, the starting point should be immediate reimbursement, unless the PSP can prove that the consumer committed fraud. The professional actors (payer’s PSP, payee’s PSP, intermediary PSPs and other infrastructure providers) should then allocate responsibility among themselves, as proposed in our Shared Liability Paper. The PSR does not take this step. It improves the legal tools, but it leaves victims inside the dispute.
EFRI's conclusion
Enhanced transaction monitoring under the PSR is old wine in new bottles. The bottle is better. The protection for victims is still not good enough.
The old wine is the existing duty-of-care and red-flag principle: banks must not ignore objective warning signs. PSD2 RTS already required transaction monitoring. AML rules already required ongoing scrutiny of suspicious transaction behaviour. National case law already recognised warning duties where massive red flags exist.
The new bottle is the PSR structure: transaction monitoring becomes more explicit, applies to both payer and payee PSPs, and is linked to liability, refund consequences and a burden-of-proof reversal.
That is useful. But it is not enough.
The PSR does not create a genuine consumer-first fraud reimbursement regime. It mainly codifies and harmonises a red-flag duty-of-care model that already exists in more developed national case law. Victims may have stronger legal arguments under the new PSR rules, but they will still face David-versus-Goliath disputes against banks that control the relevant monitoring evidence.