EU must urgently enact PSD3 and PSR to address Payment Fraud

EBA Opinion on Payment Fraud

The EBA finally sounded the alarm in April 2024: in its latest Opinion on new types of payment fraud and possible mitigations (EBA-Op-2024-01), the European Banking Authority (EBA) came to the conclusion that despite regulatory advancements and improved security frameworks, payment fraud remains a fast-evolving and deeply concerning threat within the European financial ecosystem.

The Opinion underscored that fraudsters are constantly adapting, and that existing protections—especially in the context of instant payments and strong customer authentication (SCA)—are no longer sufficient to shield consumers from substantial financial losses.

EBA’s Key Findings

One of the most alarming conclusions presented in the Opinion was that the fraud rate for instant payments is approximately ten times higher than for standard credit transfers. This is highlighted in paragraph 21 of the Opinion, where the EBA emphasizes the systemic vulnerability of real-time transactions due to the irreversible nature of the execution and the speed with which funds are transferred and disappear.

In parallel, the Opinion identifies social engineering as the dominant mode of modern payment fraud. Rather than exploiting technological weaknesses, attackers increasingly manipulate victims psychologically—through phishing, smishing, vishing, or impersonation (so-called “CEO fraud”)—to initiate transactions themselves. This trend is particularly concerning because such fraud often technically qualifies as authorised under PSD2 rules, leaving consumers with no reimbursement under Article 73 of PSD2.

According to paragraph 15, EBA data shows that in 79% of fraudulent credit transfer cases, customers bear the financial loss. This reflects a structural imbalance in liability allocation, where the current legal framework too often places the burden on victims, despite their lack of intent or awareness.

EBA’s Recommendations

While the EBA acknowledges the progress made through the proposals for PSD3 and the new Payment Services Regulation (PSR), it explicitly calls for additional measures to adequately address evolving fraud threats (para. 54). Among the key proposals:

  • Payment service providers (PSPs) should be obligated to perform dynamic risk assessments in real time, particularly before executing instant payments.
  • The legal definition of authorised transactions should be reconsidered in cases of social engineering, ensuring victims are not systematically excluded from reimbursement merely because they triggered the payment themselves.
  • There should be enhanced requirements for fraud-related data sharing between PSPs, including transaction metadata such as device IDs, phone numbers, and behavioural patterns—ideally through a harmonised EU-wide framework (paras. 60–63).

The EBA advocates for a secure, privacy-compliant EU-wide data exchange platform, possibly leveraging hashing techniques to maintain GDPR compatibility while enabling collaborative fraud detection.
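As an added illustration (not code from the EBA Opinion or from EFRI), the Python sketch below shows one way such a platform could pseudonymise shared fraud indicators with a keyed hash, so that PSPs can match reports on phone numbers and beneficiary IBANs without ever exchanging the plaintext values, and feed a match into a pre-execution check for an instant payment. The shared key, the normalisation rules and the platform API are assumptions; the point a practitioner should note is that a plain, unkeyed hash of a low-entropy identifier such as a phone number offers little privacy, because the full number space can simply be enumerated.

```python
import hashlib
import hmac
import re

# Assumption: a shared secret held by the platform operator and participating PSPs
# (constructed demo value; the Opinion only speaks of "hashing techniques").
PLATFORM_KEY = b"constructed-demo-key-not-for-production"

def normalise(kind, value):
    """Canonicalise an identifier so that every PSP derives the same pseudonym."""
    if kind == "phone":
        digits = re.sub(r"[^\d+]", "", value)   # "+49 170 1234567" -> "+491701234567"
        if digits.startswith("00"):             # "0049..." -> "+49..."
            digits = "+" + digits[2:]
        return digits
    if kind == "iban":
        return value.replace(" ", "").upper()
    return value.strip().lower()                # device IDs and similar

def pseudonymise(kind, value):
    """Keyed hash (HMAC-SHA256): a plain SHA-256 of a phone number can be reversed
    by enumerating all possible numbers; without PLATFORM_KEY that search fails."""
    msg = "{}:{}".format(kind, normalise(kind, value)).encode()
    return hmac.new(PLATFORM_KEY, msg, hashlib.sha256).hexdigest()

class FraudIndicatorPlatform:
    """Stores pseudonyms and the PSPs that reported them, never plaintext identifiers."""

    def __init__(self):
        self._reports = {}

    def report(self, kind, value, reporting_psp):
        self._reports.setdefault(pseudonymise(kind, value), set()).add(reporting_psp)

    def lookup(self, kind, value):
        return self._reports.get(pseudonymise(kind, value), set())

def instant_payment_decision(platform, beneficiary_iban, contact_phone):
    """Pre-execution check: hold the instant payment if any PSP has flagged the
    beneficiary IBAN or the phone number the customer was approached from."""
    hits = platform.lookup("iban", beneficiary_iban) | platform.lookup("phone", contact_phone)
    return "hold_for_review" if hits else "execute"

def build_demo_platform():
    """Constructed sample reports from two PSPs, deliberately in differing formats."""
    platform = FraudIndicatorPlatform()
    platform.report("phone", "+49 170 1234567", "PSP-A")
    platform.report("iban", "de89 3704 0044 0532 0130 00", "PSP-B")
    return platform
```

A real platform would additionally rotate the key, record a reason code with each report and log every lookup for supervisory audit; those parts are omitted here.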

Implications for Consumers and Civil Society

The EBA Opinion echoes what consumer organisations and civil society initiatives like EFRI have been highlighting for years: the current regulatory and supervisory regime does not adequately protect victims of online fraud. It reflects a technological and legal asymmetry—consumers are expected to navigate increasingly sophisticated fraud tactics, while liability rules (which exist only for unauthorised transfers; for authorised ones there are none at all!) still assume they are primarily at fault.

The proposed mitigations are crucial steps in the right direction. However, unless these are implemented swiftly and made legally binding across the EU, consumer trust in the digital payment ecosystem will continue to erode.

Why does the PSP industry not start sooner?

EFRI strongly supports the EBA’s recent Opinion and reiterates that Europe can no longer afford to wait for new legislative texts like PSD3 and the Payment Services Regulation (PSR) to take effect. Fraud evolves in real time, while legislation and enforcement lag far behind.

Despite the mandatory use of Strong Customer Authentication (SCA) under PSD2, fraudsters have adapted swiftly. Every day, innocent European consumers are transferring tens of millions in lifetime savings to scammers—enabled by European payment service providers.

Years after PSD2, most banks still fail to provide basic tools to their customers such as real-time behavioural analytics, phishing protection, and dynamic risk scoring. These technologies exist. Banks have the means and data to implement them. What is lacking is a sense of urgency.

The EBA has already laid out actionable, best-practice measures that can be implemented now, without waiting for PSR enforcement:

  • Real-time transaction monitoring, especially for instant payments

  • Mandatory IBAN/name verification before executing transfers

  • Proactive customer alerts and fraud response mechanisms

  • A balanced liability model that protects consumers rather than blaming them

EFRI believes that responsible banking must not be driven by regulatory compliance alone, but by a genuine commitment to customer protection. PSPs should act before the law mandates them to.

Why the delay?

It’s been nearly two years since the PSR proposal and over a year since the first readings in EU Parliament and the ECB’s recommendation to the EBA for regulatory technical standards (RTS). Each day of inaction leaves more consumers exposed to losses that are entirely preventable.

It is time for both industry and regulators to lead with responsibility, not excuses.
