New EU payment rules could expand fraud monitoring

Proposed EU payment rules would shift more fraud liability to payment providers and expand mandatory transaction monitoring.

Contributors:
František Nonnemann
Compliance, cybersecurity and operational risk consultant
Myriad AI
On 17 April 2026, the Council of the European Union published compromise texts for two key pieces of payments legislation: the proposed Third Payment Services Directive and the proposed Payment Services Regulation.
If the legislative process proceeds without major complications, both instruments are expected to be formally adopted this summer. They should then become applicable approximately 21 months after entering into force, likely at the turn of 2027 and 2028.
The new regulatory framework would significantly affect the processing of personal data relating to clients using payment services across the EU.
What would be the key changes affecting data protection and the application of the EU General Data Protection Regulation?
Liability for impersonation fraud. Under Article 59 of the proposed PSR, payment service providers would be newly required to reimburse consumers for losses caused by transactions initiated by fraudsters impersonating the provider.
Mandatory transaction monitoring. Payment service providers would be required to monitor transactions and related customer behavior for fraud prevention purposes. Failure to implement such monitoring systems would trigger direct liability under Article 83 of the proposed PSR.
Processing of special categories of personal data. The proposed PSR expressly authorizes payment service providers to process special categories of personal data under Article 9 of the GDPR where necessary to comply with obligations under Article 80 of the PSR.
Greater focus on fraud prevention
EU lawmakers have placed increased emphasis on fraud prevention primarily due to the sharp rise in social engineering fraud and spoofing attacks, in which fraudsters manipulate victims into authorizing payments or disclosing authentication credentials. These newer forms of fraud increasingly blur the traditional distinction between authorized and unauthorized transactions on which the Payment Services Directive 2 liability framework was built.