Europe built fast, low-cost payment rails. Victims deceived into initiating payments are still left alone. Our paper, a contribution to the ongoing discussion, sets out a solution based on the experience we have gained over the past years: treat fraudulently induced payments as unauthorised, make reimbursement the default at the payer’s ASPSP, and align incentives through shared liability and enforceable cross-sector duties.
What our evidence shows
Scale and typology. EFRI documented 1,750 victims in 20 countries with reported losses above €62.5m. Most losses flowed through “authorised” transfers, not credential theft, and cluster in a few industrialised scam systems.
Gatekeeping failure. Specific acquirers and receiving banks turned scams into industrial flows; case studies include Payvision, Wirecard, Københavns Andelskasse, and Deutsche Handelsbank. These are control failures at onboarding, MCC governance, monitoring, and recall.
Redress that does not work. Financial ADR across the EU is fragmented and often non-binding. In our dataset, victims who attempted ADR obtained no meaningful relief.
Where the PSR stands
Both the Commission’s proposal and the Council’s General Approach keep reimbursement limited to PSP Impersonation cases. They add stronger prevention tools, but the liability perimeter remains narrow and alternative dispute resolution remains weak. The Parliament’s broader, outcome-oriented approach is not carried through in the Council’s General Approach of 18 June 2025. As a result, victims deceived into authorising payments outside PSP Impersonation scenarios remain largely unprotected.
Europe now faces a clear policy choice in the PSR. It can adopt an outcome rule that treats deception-based consent as invalid and classifies such payments as unauthorised with default reimbursement. If it instead preserves technique-based triggers, criminals will adapt around the trigger, enforcement will fragment, and victims will continue to face inconsistent and unequal outcomes.
What EFRI proposes:
- Outcome rule. Recognise fraudulently induced payment as unauthorised. The trigger is deception of the payer’s will, not the scam’s technique. Fraud is Fraud.
- Default reimbursement. Anchor reimbursement at the payer’s ASPSP with narrow, provable exceptions for gross negligence or collusion.
- Shared liability and recourse. Allocate financial responsibility to the actor with control over the breached duty, including receiving PSPs, acquirers, telecoms, and platforms, using calibrated rights of recourse.
- Enforceable prevention duties. Mandate real-time risk analytics, name-check, short cooling-off for high-risk transfers, SIM-swap and anti-spoofing controls, platform KYC and takedown SLAs, and fast freeze and recall.
- Redress that delivers. Create a binding EU-level dispute body with timelines and disclosure duties so adjudicators can see the full chain data and locate breaches.
- Union Fraud Data Framework. Harmonise typologies and reporting to end the statistical vacuum and guide targeted duties and supervision.
- International lessons. Combine default reimbursement on core rails with upstream controls. The UK’s FPS model shows workable reimbursement mechanics, while Singapore and Australia illustrate multi-sector prevention that should be embedded as binding duties in the EU.
Why this matters:
A narrow PSR reimbursement perimeter protects the façade, not the system. Only an outcome rule with default reimbursement and shared liability will restore trust, align incentives, and reduce harm at scale.
Download the full paper here.