The Council and the European Parliament have reached a provisional political agreement to modernise the EU's Payment Services Directive.

Among other things, the proposals aim to put in place a comprehensive anti-fraud framework that will help tackle increasingly common new forms of payment scams.

Among other provisions, to avoid being liable for losses, payment service providers will have to share fraud-related information between themselves. Payment account IBAN numbers will have to be checked against a corresponding bank account name before any transfer can take place (this is something that has been in place in the UK for some time).

Major online platforms and search engines may advertise financial services to consumers in each member state only if the company providing those services is duly regulated and authorised within that member state.  The financial services companies will have to provide evidence of their authorisation to the platform concerned. However, the authorisation procedure for payment institutions will be simplified. 

One of the most significant announcements is that online platforms will be liable to payment service providers who have reimbursed defrauded customers if they are told about fraudulent content on their platform and fail to remove it. 

Customers should be properly informed about all charges (eg currency conversion charges) before they initiate a payment. They must also have access to human customer support (and not just chatbots).

The proposals also aim to reduce market barriers for open banking services.  Authorised open banking providers must be able to access payment account data and the proposed legislation includes a list of prohibited obstacles to data access. In addition, payment service users will be given a dashboard to monitor and manage the permissions they have given to access their data. Banks will have to provide payment institutions with access to payment accounts on a non-discriminatory basis.  We recently wrote about open banking and open finance in the UK.

Manufacturers of mobile devices and electronic service providers will have to allow front-end service providers (such as apps or user interfaces) to store and transfer data needed to process payments, on fair, reasonable, and non-discriminatory terms.

Next steps

The Council and the European Parliament will continue working on the technical elements of the package before final adoption.

Online fraud in the UK

Online fraud is now the UK's biggest crime, with the total cost of fraud against individuals in the UK calculated to be a minimum of £6.8 billion. 

According to press reporting in 2024, the Labour government had plans to make tech companies liable to reimburse victims of APP fraud, but there hasn't been any movement on this. In November last year, the UK's Payment Systems Regulator published a Dear CEO letter to tech firms explaining its proposals to publish data on the firms that are most commonly reported as enabling contact between fraudsters and victims. 

In July 2025, the APPG on Fair Banking published a report on APP fraud and said that "there is a growing chorus, especially among the financial industry, for social media to become liable for sharing the cost of APP fraud reimbursement." It acknowledged that there are extensive practical challenges, as there is a difference between the execution of fraud and the enabling of fraud and therefore establishing a fair cost share is difficult. 

The report also mentions the Online Safety Act 2023, which can hold technology firms accountable. However, the current implementation timetable means that certain duties, including those regarding fraudulent advertising, may not be in effect until 2027.