PSD2 Fraud Transaction Monitoring: The Starting Point
Before analysing the proposed Payment Services Regulation, it is important to understand the current PSD2 framework.
Under Article 2 of Commission Delegated Regulation (EU) 2018/389, payment service providers must have transaction monitoring mechanisms that enable them to detect unauthorised or fraudulent payment transactions. These mechanisms are part of the PSD2 security architecture for strong customer authentication and exemptions from strong customer authentication. They must take into account, at minimum, risk-based factors such as compromised or stolen authentication elements, the amount of the payment transaction, known fraud scenarios, signs of malware and abnormal use of devices or software provided by the PSP.
However, this should not be overstated. Under the current PSD2 RTS, Article 2 does not impose a general statutory obligation to perform real-time pre-execution monitoring before every payment. The EBA clarified in Q&A 2018_4090 that the general monitoring mechanism under Article 2 RTS does not require “real-time risk monitoring” and is usually carried out after execution of the payment transaction. Real-time risk monitoring is required where a PSP wants to rely on the transaction-risk-analysis exemption under Article 18 RTS.
This distinction is crucial. Under PSD2, the argument is not simply:
Every unusual payment had to be blocked in real time.
The stronger argument is:
Where a bank operates a pre-execution Fraud Transaction Monitoring (FTM) or pre-check system, that system must be fit for purpose and must react to objectively abnormal transaction patterns.
Why the OLG Linz Case Came Out the Way It Did
In the OLG Linz case 1 R 45/25f, a bank customer was manipulated by a fraudster posing as a bank-related caller into approving 41 instant transfers totalling around EUR 200,000 within approximately 1.5 hours. The Higher Regional Court of Linz held that the payments were formally authorised, so the strict refund regime for unauthorised payments did not apply. However, the court found that the bank’s Fraud Transaction Monitoring system was insufficient because it failed to react to the cumulative, highly abnormal transaction pattern across several accounts. The customer was also found grossly negligent, so the court split the loss 50:50 between the customer and the bank.
The OLG Linz did not decide that Article 2 RTS creates a universal real-time blocking obligation for all banks and all payments. The case turned on the specific system used by the defendant bank.
The court found, based on the bank’s own witness evidence, that the bank operated a pre-execution Fraud Transaction Monitoring (FTM) system. Authorised payments were automatically compared with the customer’s previous payment behaviour. The system considered, among other things, the amount of the transaction and the payee account. If a payment significantly deviated from ordinary customer behaviour or if the payee account was flagged as fraud-related, the payment could be stopped. If the payment was not stopped by the FTM, it was processed fully automatically; in the case of instant payments, it could no longer be retrieved unilaterally.
That matters. The court was not imposing an abstract PSD2 duty to run real-time checks before every transaction. It was assessing whether the bank’s own pre-check/FTM system was adequate.
This distinction is decisive. Under PSD2, Article 2 RTS does not generally require real-time pre-execution monitoring before every payment. The Linz case is different because the bank itself operated a system that scanned authorised online-banking transfers before automated execution.
The decisive facts were extreme: 41 transfers, around EUR 200,000, within approximately 1.5 hours, across several accounts controlled by the same customer. The OLG held that such a pattern should not have been assessed as isolated individual payments. The monitoring system should have considered the cumulative amount, the number of transfers and the fact that several accounts of the same disposer were involved.
The stronger lesson from OLG Linz is therefore:
Where a bank chooses to operate a real-time Fraud Transaction Monitoring or pre-check system, that system cannot ignore the very type of pattern it is supposed to detect: rapid, cumulative, abnormal, account-draining transactions.
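The difference between assessing payments in isolation and assessing the cumulative pattern can be shown in a short sketch. This is an added example, not the defendant bank's system or anything described in the judgment; the thresholds, the equal amounts, the spacing and the three account names are constructed assumptions that only reproduce the order of magnitude of the Linz facts.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Transfer:
    ts: int        # seconds since the first transfer
    customer: str  # the disposer, who may control several accounts
    account: str
    amount: float  # EUR

# Hypothetical thresholds, chosen only for this illustration.
PER_TX_LIMIT = 10_000.0      # single-payment deviation limit
WINDOW_SECONDS = 2 * 3600    # look-back window per customer
WINDOW_MAX_COUNT = 10        # transfers allowed inside the window
WINDOW_MAX_TOTAL = 25_000.0  # cumulative EUR allowed inside the window

def isolated_holds(transfers):
    """Judge each payment on its own amount only."""
    return [i for i, tx in enumerate(transfers) if tx.amount > PER_TX_LIMIT]

def cumulative_holds(transfers):
    """Judge each payment against the customer's recent sequence, across
    all of that customer's accounts, before it is executed."""
    windows = defaultdict(deque)  # keyed by customer, not by account
    held = []
    for i, tx in enumerate(transfers):
        win = windows[tx.customer]
        while win and tx.ts - win[0].ts > WINDOW_SECONDS:
            win.popleft()
        win.append(tx)  # attempts stay in the window even if held
        total = sum(t.amount for t in win)
        if len(win) > WINDOW_MAX_COUNT or total > WINDOW_MAX_TOTAL:
            held.append(i)
    return held

def constructed_sequence():
    """Constructed sample: 41 transfers of EUR 4,880 (EUR 200,080 in total),
    one every 135 s (1.5 hours end to end), rotating over three accounts."""
    return [Transfer(i * 135, "customer-1", f"account-{i % 3}", 4880.0)
            for i in range(41)]

if __name__ == "__main__":
    seq = constructed_sequence()
    print("isolated check holds:", isolated_holds(seq))
    held = cumulative_holds(seq)
    print("cumulative check first holds transfer #", held[0] + 1)
    print("executed before first hold: EUR", sum(t.amount for t in seq[:held[0]]))
```

With these assumed thresholds the isolated check holds nothing, while the per-customer window holds the sixth and every later transfer, because the window is keyed to the disposer rather than to a single account.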
The PSR Changes the Legal Architecture
The proposed PSR goes further than PSD2.
Under Article 83 of the draft PSR, PSPs would have to operate transaction monitoring mechanisms to support SCA, support SCA exemptions and prevent and detect potentially fraudulent payment transactions. More importantly, the payer’s PSP would have to carry out this monitoring prior to execution, and the payee’s PSP before the funds are made available to the payee. If the required (pre-execution and pre-availability) monitoring is not carried out and the payer suffers financial damage, the PSP bears liability; the payer does not bear financial consequences unless the payer acted fraudulently.
That is a major difference from the current PSD2 framework.
Under PSD2, Article 2 RTS requires monitoring mechanisms, but not as a universal real-time pre-execution rule. Under the PSR draft, pre-execution and pre-availability monitoring become express legal duties.
Unusual Is Not Enough — But Patterns Matter
The PSR draft also protects against overblocking. It expressly says that the fact that a payment order is unusual shall not by itself constitute objectively justified reasons to suspect fraud.
This is important for legitimate payment traffic. A customer may make a large payment, a foreign payment or a rare payment for perfectly lawful reasons. A bank should not block payments merely because they are uncommon.
But the Linz case was not about one unusual payment. It was about a highly abnormal pattern:
41 payments. Around EUR 200,000. Approximately 1.5 hours. Several accounts. Instant payments. A known phishing environment. A cumulative draining of funds.
Under the PSR logic, this is not merely a single unusual payment. It is a cumulative risk pattern that may create objectively justified reasons to suspect fraud.
Important Caveat: Impersonation Fraud Is Different
There is one important caveat. If the Linz case were analysed under the PSR’s specific PSP impersonation-fraud rule, the result might be less favourable for the consumer than under the transaction-monitoring route. The facts included a fraudster pretending to act in connection with the bank, which could invite an analysis under proposed Article 59 PSR.
That provision would, in principle, create a refund claim where the statutory conditions are met: the consumer was manipulated by a third party pretending to be the consumer’s PSP through communication channels attributed to that PSP, notified the PSP without undue delay after becoming aware of the fraud, and reported the fraud to the police.
For EFRI’s purposes, the stronger legal route is therefore the transaction-monitoring route under proposed Articles 65 and 83 PSR. Under Article 65, where the payer’s PSP has objectively justified reasons to suspect fraud and fails to suspend the transaction, the payer should not bear the financial loss unless the payer acted fraudulently; gross negligence is not listed as the relevant loss-allocation defence in that specific rule. Article 83 would also expressly require the payer’s PSP to carry out transaction monitoring before execution and the payee’s PSP before funds are made available; if such monitoring is not carried out and the payer suffers financial damage, the PSP bears liability, unless the payer acted fraudulently.
The core issue in the Linz case is therefore not only that the customer was deceived by an impersonator. The more important point is that the bank’s own Fraud Transaction Monitoring system failed to react to a highly abnormal transaction sequence.
Gross Negligence - The Key Difference
The OLG Linz applied current Austrian tort-law logic. It found that the bank’s FTM system was insufficient, but it also found that the customer had acted grossly negligently. The result was a 50:50 split of the loss.
Under the PSR transaction-monitoring rules, that result would be much harder to justify. Where the payer’s PSP has objectively justified reasons to suspect fraud and fails to suspend the transaction, the draft provides that the payer shall not bear financial losses, except if the payer acted fraudulently. The burden of proof lies with the PSP.
That is a major structural shift.
Under the current national framework:
Bank monitoring failure + customer gross negligence = possible loss sharing.
Under the PSR transaction-monitoring framework:
Objectively justified fraud suspicion + PSP failure to suspend, or failure to prove required transaction monitoring = PSP liability, unless the payer acted fraudulently.
Gross negligence is not the same as fraud. That distinction is central.
Applying the PSR to the Linz Facts
If the PSR transaction-monitoring regime had applied, the key questions would likely have been:
- Did the payer’s PSP carry out transaction monitoring before execution?
- Did the system assess the full payment sequence, not merely each transaction in isolation?
- Did the pattern create objectively justified reasons to suspect fraud?
- Did the payer’s PSP suspend execution or make reasonable efforts to assess the risk?
- Can the PSP prove that there was no breach?
- Did the payer act fraudulently?
On the facts found by the OLG Linz, the customer was grossly negligent — but not fraudulent. The bank had a pre-check/FTM system, but it did not stop a sequence of 41 transfers totalling around EUR 200,000 within about 1.5 hours.
Under the PSR transaction-monitoring logic, that could lead to a much stronger case for full PSP liability than under the current Austrian tort-law framework.
EFRI’s Position
The OLG Linz judgment should not be used to claim that PSD2 already imposed a general real-time blocking obligation before every payment. That would be too broad and vulnerable to attack.
Its real importance is more precise:
The bank had a Fraud Transaction Monitoring/pre-check system. That system was supposed to detect abnormal payment behaviour. It failed to react to an extreme transaction pattern. The court therefore held the bank liable, even though the payments were formally authorised.
The proposed PSR would take this logic further. It would make pre-execution transaction monitoring an express obligation of the payer’s PSP and pre-availability monitoring an express obligation of the payee’s PSP. It would also reduce the role of gross negligence as a loss-allocation defence where the transaction-monitoring duty was triggered and breached.
The lesson is clear:
Authentication is not enough. Warnings are not enough. And a fraud monitoring system is not meaningful if it treats a rapid sequence of suspicious payments as unrelated isolated events.
Under PSD2, the OLG Linz result depended heavily on the bank’s own pre-execution FTM system. Under the PSR, that type of monitoring would become part of the explicit EU payment-fraud liability architecture.




