Full Report
**Advocate General urges rethink of PSD2 to speed compensation after scams** (Analysis). One of the European Union's top legal advisors is trying to change how banks treat cybercrime victims – meaning they could enjoy greater financial protections sooner than expected.…
Analysis Summary
# Regulation/Compliance: PSD2 Reinterpretation (Proposed Transition to PSD3/PSR Standards)
## Overview
This initiative stems from a legal opinion by EU Advocate General Athanasios Rantos. It seeks to re-interpret the Second Payment Services Directive (PSD2) to shift the "liability burden" in cybercrime cases. The goal is to mandate that banks reimburse fraud victims immediately before investigating claims of "gross negligence," rather than withholding funds during lengthy reviews or legal battles.
## Key Details
- **Issuing Authority:** Advocate General of the Court of Justice of the European Union (CJEU)
- **Effective Date:** Immediate (if adopted by the Court via reinterpretation); otherwise via PSD3/PSR adoption (expected 2026/2027)
- **Jurisdiction:** European Union (EU)
- **Status:** Proposed legal opinion (setting the stage for future binding rulings and PSR implementation)
## Requirements
### Mandatory Requirements
1. **Immediate Reimbursement:** Banks must refund victims of unauthorized transactions or impersonation scams promptly upon reporting.
2. **Post-Hoc Negligence Claims:** Financial institutions may only reclaim funds *after* the refund has been issued and if "gross negligence" is definitively proven.
3. **Enhanced SCA:** Payment Service Providers (PSPs) must implement robust Strong Customer Authentication (SCA).
4. **Transaction Data Monitoring:** Merchants must share granular metadata (IP addresses, session data, location) with PSPs for risk assessment.
### Recommended Practices
1. **Behavioral Biometrics:** Implementing fraud detection that monitors account takeover (ATO) patterns.
2. **Expanded Authentication Channels:** Developing SCA methods for users without smartphones or those with disabilities to ensure inclusive protection.
## Affected Organizations
- **Industries:** Banks, Payment Service Providers (PSPs), Fintechs, and Online Merchants.
- **Organization Size:** All entities processing EU payments regardless of size.
- **Geographic Scope:** All EU Member States.
## Compliance Timeline
- **March 2026:** Advocate General’s opinion published; signals immediate shift in judicial interpretation.
- **2024–2026:** Legislative process for PSD3 and Payment Services Regulation (PSR) continues.
- **Future Date:** Full enforcement of PSR (as a Regulation, it will apply directly without member state transposition).
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Review current fraud reimbursement workflows to identify delays caused by "gross negligence" investigations.
- **Liability Audit:** Examine the success rate of current SCA implementations and identify "impersonation scam" vulnerabilities.
### Implementation Phase
- **Liquidity Management:** Adjust reserves to account for "refund-first" mandates.
- **Technical Integration:** Update merchant-to-PSP data pipelines to include IP, session, and device data as required by the upcoming PSR.
### Validation Phase
- **Audit Trails:** Ensure every transaction has a verifiable SCA log.
- **Recovery Workflow:** Establish clear legal and administrative processes to prove gross negligence and reclaim funds post-refund.
## Technical Requirements
- **Strong Customer Authentication (SCA):** Multi-factor authentication that must be accessible across various devices (not limited to smartphones).
- **Data Sharing Protocols:** Real-time transmission of user location, device IP, and session metadata from merchants to PSPs.
- **Fraud Detection Systems:** Systems capable of spotting credential compromise before a payment is processed to mitigate the new financial risk to the bank.
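The "Audit Trails" step of the Validation Phase and the SCA item above both come down to one check a PSP's auditor will run: can every executed transaction be tied to a verifiable SCA record that actually authorised that payment? The following Python script is an added example (it is not code from the article, the CJEU or any regulator) of such a reconciliation. It flags a transaction when its SCA record is missing or dangling, when the factors presented do not span two independent categories (knowledge, possession, inherence, which is how PSD2 defines SCA), and when the authentication was bound to a different amount or payee than the one executed; that last check reflects the dynamic-linking rule of the PSD2 SCA technical standards and goes beyond what the summary above spells out. The record layout, factor labels, finding codes and sample data are assumptions constructed for this example.

```python
"""Added example (not from the article): reconcile executed payment
transactions against Strong Customer Authentication (SCA) evidence.

For each transaction it checks three things a PSP auditor would want to
see in a verifiable SCA log:
  1. an SCA record exists and is referenced by the transaction;
  2. the record shows factors from at least two independent categories
     (knowledge / possession / inherence), as PSD2 defines SCA;
  3. dynamic linking: the authentication was bound to the same amount and
     payee that were actually executed.
Record layout, factor labels and finding codes are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Factor labels (assumed) mapped to the three SCA categories (real categories).
FACTOR_CATEGORIES = {
    "password": "knowledge",
    "pin": "knowledge",
    "device_token": "possession",
    "otp_sms": "possession",
    "hw_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


@dataclass
class Transaction:
    tx_id: str
    amount_cents: int
    payee: str
    sca_ref: Optional[str]  # id of the SCA record; None if never authenticated


@dataclass
class ScaRecord:
    sca_id: str
    factors: List[str]        # factor labels presented during authentication
    linked_amount_cents: int  # amount the authentication code was bound to
    linked_payee: str         # payee the authentication code was bound to


def check_transaction(tx: Transaction, records: Dict[str, ScaRecord]) -> List[str]:
    """Return finding codes for one transaction; an empty list means it passes."""
    rec = records.get(tx.sca_ref) if tx.sca_ref else None
    if rec is None:
        # An absent or dangling reference is the same failure: no verifiable log.
        return ["missing_sca_record"]

    findings = []
    categories = {FACTOR_CATEGORIES[f] for f in rec.factors if f in FACTOR_CATEGORIES}
    if len(categories) < 2:
        # Two factors of the same category (e.g. password + PIN) are not SCA.
        findings.append("insufficient_factor_diversity")
    if rec.linked_amount_cents != tx.amount_cents or rec.linked_payee != tx.payee:
        # The code authorised a different payment than the one executed.
        findings.append("dynamic_linking_mismatch")
    return findings


def audit(transactions: List[Transaction], records: Dict[str, ScaRecord]) -> Dict[str, List[str]]:
    """Run the check over a batch and keep the findings per transaction id."""
    return {tx.tx_id: check_transaction(tx, records) for tx in transactions}


def noncompliant(results: Dict[str, List[str]]) -> List[str]:
    """Transaction ids that need follow-up in the recovery workflow."""
    return [tx_id for tx_id, findings in results.items() if findings]


def build_sample() -> Tuple[List[Transaction], Dict[str, ScaRecord]]:
    """Constructed sample data covering the pass case and each failure mode."""
    records = {
        "sca-1": ScaRecord("sca-1", ["password", "device_token"], 4999, "shop-a"),
        "sca-2": ScaRecord("sca-2", ["password", "pin"], 12000, "shop-b"),
        "sca-3": ScaRecord("sca-3", ["fingerprint", "device_token"], 2500, "shop-c"),
    }
    transactions = [
        Transaction("tx-1", 4999, "shop-a", "sca-1"),   # compliant
        Transaction("tx-2", 12000, "shop-b", "sca-2"),  # two knowledge factors only
        Transaction("tx-3", 25000, "shop-c", "sca-3"),  # amount changed after authentication
        Transaction("tx-4", 800, "shop-d", None),       # no SCA performed
        Transaction("tx-5", 1000, "shop-e", "sca-9"),   # reference to a record that does not exist
    ]
    return transactions, records


if __name__ == "__main__":
    txs, recs = build_sample()
    for tx_id, findings in audit(txs, recs).items():
        print(tx_id, "OK" if not findings else ", ".join(findings))
```

Run against a day's transactions and the matching authentication log, the non-empty entries are exactly the payments for which the bank would struggle to document SCA if a refund later had to be contested, so they belong at the front of the gap analysis rather than in the post-refund recovery queue.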
## Penalties & Enforcement
- **Fines:** Potential for significant administrative fines under PSD3/PSR for failure to implement SCA properly.
- **Other Consequences:** Immediate financial loss as banks must now carry the liquidity risk of fraud during the investigation period.
- **Enforcement:** EU national competent authorities and the CJEU through judicial rulings.
## Related Standards
- **PSD2 (Existing):** Currently allows banks to withhold funds during negligence investigations.
- **PSD3/PSR (Future):** Codifies the "reimburse-first" principle and expands SCA requirements.
- **ISO 20022:** Relevant for payment messaging standards used during data sharing.
## Resources
- **Official Documentation:** [CJEU Case C-70/25 - Advocate General Opinion](https://infocuria[.]curia[.]europa[.]eu/tabs/jurisprudence)
- **Guidance Documents:** [CJEU Press Release PDF](https://curia[.]europa[.]eu/site/upload/docs/application/pdf/2026-03/cp260031en[.]pdf)
## Practical Recommendations
- **Shift Compliance Strategy:** Move from a "defensive" reimbursement posture to a "predictive" prevention posture. Since money must be returned immediately, the cost of failing to catch fraud at the gateway has increased.
- **Update Terms & Conditions:** Clearly define what constitutes "gross negligence" in user agreements to align with EU court interpretations.
- **Accessibility Audit:** Ensure SCA methods do not rely solely on mobile apps to avoid non-compliance under the new "inclusive authentication" mandates.