In late 2025, the European Parliament and Council reached a political agreement to shift the financial burden of authorized push payment fraud and impersonation scams directly onto payment networks and the commercial platforms that use them. This Compliance Consultant guide breaks down how payment service providers (PSPs) and electronic money institutions (EMIs) must restructure their merchant contracts to survive the incoming Payment Services Regulation (PSR) and Third Payment Services Directive (PSD3). Under these updated rules, online platforms and marketplaces face statutory liability to compensate financial institutions that refund defrauded customers. To protect your payment firm before the late 2027 enforcement timeline, you must rewrite your merchant agreements now to explicitly allocate risk, mandate data sharing for fraud prevention, and enforce strict compliance with authentication standards.
Compliance Consultant designs and audits governance frameworks for UK and international financial firms, providing distinct service plans specifically created to satisfy the increased regulatory needs of payment services companies. We routinely guide authorized entities through complex transitions, helping firms manage the FCA compliance lifecycle from initial authorization to the execution of PSD-era updates. Our experience in translating regulatory policy into practical commercial terms helps payment institutions insulate their balance sheets during major legislative shifts.
Preparing for the statutory liability chain under the new Payment Services Regulation
The PSR introduces a decisive shift in risk allocation across the European payments market. Historically, payment service providers avoided direct financial liability for consumer scams where the user authorized the payment themselves, commonly known as authorized push payment (APP) fraud. The new regulatory framework changes this dynamic by requiring sending banks to refund victims of impersonation scams, while simultaneously establishing a legal mechanism to pass that financial loss down the transaction chain.
When a consumer is deceived into sending funds to a fraudulent account, the sending institution must make the consumer whole. However, if a merchant, commercial platform, or digital marketplace facilitated the environment where the fraud occurred or failed to act on red flags, the directive allows the refunding bank to seek direct financial compensation from the platform or the platform's payment processor. To survive this shift, Compliance Consultant advises payment processors to insert specific indemnity clauses into their commercial merchant agreements. These clauses must establish that if a merchant's operational failures or lack of oversight results in a bank claiming compensation under the PSR, the merchant must fully indemnify the PSP.
APP fraud vs. technical bypass
It is critical to distinguish between APP fraud and a technical authentication bypass within your commercial contracts. A technical bypass occurs when a malicious actor exploits vulnerabilities in a merchant’s checkout systems to complete a transaction without performing the required security checks. APP fraud, by contrast, relies on social engineering to manipulate a legitimate user into authorizing a payment under false pretences.
Your merchant agreements must address both risks with separate, precise language. While technical failures are generally governed by standard service level agreements, APP fraud liability requires a customized allocation framework. Contracts must state that the merchant accepts full financial responsibility if they fail to implement the security measures necessary to detect and stop impersonation scams on their platform.
The timeline for enforcement
The legislative timeline is moving quickly following the publication of the final compromise texts for PSD3 and the PSR on April 23, 2026, as noted in the Clifford Chance regulatory briefing. The formal adoption process means the PSR will enter into force by mid-2026, triggering an 18-to-21-month implementation window for most provisions, with certain fraud detection and open banking obligations taking full effect in late 2027.
According to a detailed analysis by Norton Rose Fulbright, this leaves payment firms with a brief window to conduct a comprehensive gap analysis and repaper their merchant portfolios. Waiting until the final regulatory technical standards are published by the European Banking Authority is a high-risk approach. Repapering thousands of merchants requires significant legal overhead, and beginning the drafting process early is the only way to avoid non-compliance when the late 2027 enforcement deadline arrives.
Legally mandating merchant participation in fraud prevention data sharing
The PSD3 framework places a heavy emphasis on proactive transaction monitoring and fraud prevention. To make this operational, the regulation requires payment service providers to share transactional information through a dedicated platform for fraud prevention. However, your payment firm cannot participate effectively in this network if your merchants hoard transaction data or block its transmission due to legacy privacy terms in their contracts.
To address this, your commercial agreements must legally compel merchants to pass specific transaction, device, and behavioral metadata to your infrastructure in real time. This requirement must be integrated directly into the merchant's operational workflow. The contract should clearly state that the provision of payment services is contingent upon the merchant continuously supplying this data.
```
[Merchant Checkout] ---> [Real-Time Device & Behavioral Metadata] ---> [PSP Processing Engine]
                                                                                 |
                                                                                 v
                                                                      [Shared Fraud Platform]
```
These data sharing mandates must also align with broader financial crime compliance frameworks. By ensuring your merchant terms permit the unrestricted flow of transactional metadata, you can perform the high-level transaction monitoring required by modern regulatory standards. For UK-based firms, these updates must occur alongside adjustments to local financial crime rules, which we cover in our guide on UK Anti-Money Laundering Regulation Reforms.
Re-allocating fraud risks across distinct merchant tiers
Not all e-commerce businesses present the same level of fraud risk under the new European regulatory framework. A small digital storefront using a hosted checkout solution presents a minor risk profile compared to a complex, multi-vendor marketplace. As a payment compliance specialist, Compliance Consultant recommends that payment institutions structure their indemnification clauses based on merchant risk, transaction volume, and technical integration types.
| Merchant Integration | Fraud Liability Allocation | Contractual Requirement | Key Tradeoff |
|---|---|---|---|
| Hosted Checkout (Full SCA handled by PSP) | Low risk to merchant; PSP bears primary technical failure risk | Basic data sharing mandate | PSP takes on higher liability but controls the authentication environment |
| Direct API / Custom Checkout | High risk to merchant for technical bypass | Strict SCA implementation audits and full indemnity | Merchant retains checkout customization but accepts total liability for authentication failures |
| Multi-vendor Marketplaces | Extremely high risk (impersonation fraud) | Seller verification mandates and shared APP fraud liability | Platform must vet its own sub-merchants or face ruinous compensation claims from banks |
For merchants utilizing a hosted checkout, the PSP controls the authentication environment, meaning the payment firm retains the primary risk of technical failure. In contrast, merchants using custom API integrations must accept full liability if an authentication failure occurs due to their custom code. The merchant agreement must state that the business will undergo regular security audits to verify that their checkout systems do not bypass critical security checks.
The highest level of risk lies with multi-vendor marketplaces. Because these platforms host independent third-party sellers, they are highly susceptible to impersonation fraud and merchant onboarding scams. A Ravelin study highlights that enterprise merchants face an average annual fraud loss of $10.6 million, a figure driven heavily by platform abuse and marketplace fraud. Your marketplace agreements must include strict seller verification covenants, requiring the marketplace to perform robust due diligence on its sub-merchants and to hold sufficient collateral to cover potential APP fraud claims.
Restructuring strong customer authentication clauses in commercial contracts
The PSR strengthens consumer-facing conduct rules and introduces more prescriptive requirements for Strong Customer Authentication (SCA). Under the updated standards, payment processors and merchants must have absolute clarity on who is responsible for triggering authentication, handling exemptions, and maintaining the security logs required to prove compliance during regulatory audits.
Your revised merchant agreements must explicitly state which party is responsible for collecting the necessary security credentials. If the merchant uses a custom checkout and fails to trigger SCA when required by the PSR, the contract must dictate that the merchant is solely liable for any fraudulent chargebacks or regulatory penalties that result from the transaction.
Managing SCA exemptions
Under the PSD3 and PSR framework, handling transaction exemptions is a major point of commercial friction. Merchants often attempt to apply exemptions—such as the Low-Value Exemption or Transaction Risk Analysis—to minimize checkout friction and boost conversion rates. However, if an exemption is applied incorrectly, the liability for any subsequent fraud shifts immediately.
Your commercial contracts must specify that when a merchant requests an SCA exemption, they accept the corresponding financial risk. If the PSP grants the exemption at the merchant's request, and the transaction is later proved to be fraudulent, the contract must state that the financial loss falls entirely on the merchant's balance sheet. The merchant must also agree to maintain detailed logs of all exemption requests and make them available to the payment firm upon request.
Confirmation of Payee requirements
The Payment Services Regulation also extends the requirement for a free Confirmation of Payee (CoP) service to all credit transfers, as detailed in the MONEI payment guide. This service matches the name of the recipient with the account details before a transfer is executed, adding a major layer of defense against impersonation scams.
```
[Initiate Transfer] ---> [Verify Recipient Name & IBAN] ---> [CoP Match Success] ---> [Execute Transfer]
                                       |
                                       v (Mismatch)
                              [Trigger Fraud Alert]
```
For payment institutions, your merchant agreements must clarify how CoP errors and mismatches are handled at checkout. If a merchant's platform allows a transaction to proceed despite a CoP mismatch warning without obtaining explicit, recorded consent from the customer, the merchant must assume the liability for any resulting fraud claim. Your contracts must require the merchant's platform to display these warnings clearly and to record the user's acknowledgment of the risk before proceeding.
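The following is an added illustration of the checkout gate described above; it is not code from Compliance Consultant, MONEI, or any PSP. It assumes a stub lookup table in place of a live CoP response, a constructed similarity threshold of 0.8 to separate a "close match" from a "no match", and a hypothetical ConsentRecord object standing in for whatever the merchant's platform stores when the customer acknowledges the warning. All IBAN-like keys, names and consent records are constructed sample values. The point it shows is the one the contract clause turns on: a mismatched transfer is released only when a warning was shown and an explicit acknowledgement is on record, and every decision leaves an audit entry.

```python
"""Confirmation of Payee (CoP) gate with recorded-consent handling (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Optional

# Constructed stand-in for the payee bank's CoP response. A real PSP would query
# the CoP service; the keys below are obvious placeholders, not real IBANs.
ACCOUNT_NAMES = {
    "GB00TEST00000000000001": "Acme Trading Limited",
    "GB00TEST00000000000002": "J Smith",
}

CLOSE_MATCH_THRESHOLD = 0.8  # assumption for this example, not a regulatory value


def _normalise(name: str) -> str:
    """Lower-case, drop punctuation and common UK company suffixes before comparing."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    name = re.sub(r"\b(ltd|limited|plc|llp)\b", "", name)
    return " ".join(name.split())


def cop_check(entered_name: str, iban: str) -> str:
    """Return MATCH, CLOSE_MATCH, NO_MATCH or ACCOUNT_NOT_FOUND for the entered payee."""
    held = ACCOUNT_NAMES.get(iban)
    if held is None:
        return "ACCOUNT_NOT_FOUND"
    entered, on_file = _normalise(entered_name), _normalise(held)
    if entered == on_file:
        return "MATCH"
    ratio = SequenceMatcher(None, entered, on_file).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


@dataclass
class ConsentRecord:
    """Hypothetical record the merchant platform stores when the customer acknowledges a CoP warning."""
    customer_id: str
    iban: str
    cop_result: str          # the result the customer was actually warned about
    warning_shown: bool
    acknowledged: bool
    timestamp: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


@dataclass
class Decision:
    proceed: bool
    reason: str
    audit: dict


def decide_transfer(customer_id: str, entered_name: str, iban: str, amount: float,
                    consent: Optional[ConsentRecord] = None) -> Decision:
    """Release the transfer only on a CoP match, or on a mismatch backed by recorded consent."""
    result = cop_check(entered_name, iban)
    audit = {"customer_id": customer_id, "iban": iban, "entered_name": entered_name,
             "amount": amount, "cop_result": result,
             "decided_at": datetime.now(timezone.utc).isoformat()}
    if result == "MATCH":
        audit["action"] = "execute"
        return Decision(True, "cop_match", audit)

    # Anything other than a full match is a warning condition. The consent must be for
    # this customer, this account and this specific result, and must record both that
    # the warning was displayed and that the customer explicitly acknowledged it.
    consent_valid = (
        consent is not None
        and consent.customer_id == customer_id
        and consent.iban == iban
        and consent.cop_result == result
        and consent.warning_shown
        and consent.acknowledged
    )
    if not consent_valid:
        audit["action"] = "fraud_alert"
        return Decision(False, "cop_mismatch_without_recorded_consent", audit)

    audit["action"] = "execute_with_consent"
    audit["consent_timestamp"] = consent.timestamp
    return Decision(True, "cop_mismatch_with_recorded_consent", audit)


if __name__ == "__main__":
    blocked = decide_transfer("cust-1", "Zebra Holdings", "GB00TEST00000000000001", 250.0)
    print(blocked.reason, blocked.audit["action"])
    consent = ConsentRecord("cust-1", "GB00TEST00000000000001", "NO_MATCH", True, True)
    released = decide_transfer("cust-1", "Zebra Holdings", "GB00TEST00000000000001", 250.0, consent)
    print(released.reason, released.audit["action"])
```

The audit dictionary is what a PSP would retain to demonstrate, in a later compensation dispute, that the warning was shown and acknowledged before the funds moved; a merchant integration that calls decide_transfer without ever populating a ConsentRecord can only ever execute fully matched payees.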
Common commercial contract pitfalls identified by Compliance Consultant
In our analysis of payment agreements across the sector, many firms continue to rely on outdated contract templates that leave them exposed to massive liabilities under the new rules. One of the most frequent errors is waiting for final regulatory technical standards to be issued before starting the contract amendment process. Because repapering commercial relationships is a lengthy process, delaying your legal review ensures your firm will face non-compliance when the late 2027 enforcement deadline arrives.
Another common pitfall is relying on legacy PSD2 terminology. The PSR and PSD3 fundamentally redefine electronic money tokens, transaction monitoring, and liability chains. Contracts that reference outdated PSD2 standards will fail to protect payment processors from the specific compensation claims allowed under the new regulation, leaving the payment firm's balance sheet exposed to incoming claims from consumer banks.
Actionable steps to protect your payment business balance sheet
To protect your business from the incoming PSD3 and PSR fraud liability shifts, you must take immediate action to modernize your commercial contracts. Waiting for the market to adapt is not a viable strategy; proactive contract repapering is essential to secure your firm's financial position.
Payment firms should take the following steps immediately:
- Audit your merchant portfolio: Categorize your current merchant base by risk profile, technical integration type, and transaction volume to identify high-risk relationships.
- Review your existing contracts: Identify all clauses referencing PSD2 definitions, SCA execution, and fraud indemnification to determine where updates are required.
- Draft a PSD3 compliance addendum: Create a dedicated contract addendum that explicitly addresses APP fraud liability, real-time data sharing requirements, and SCA exemption risk.
- Enforce data sharing requirements: Update your integration guides and terms of service to make the transmission of transactional and device metadata a non-negotiable requirement for using your gateway.
- Establish robust audit rights: Ensure your contracts give your firm the legal right to audit your merchants' checkout implementations and authentication logs at any time.
If your internal compliance and legal teams lack the bandwidth to manage this transition while handling daily operations, you should consider partnering with an experienced external advisor. Compliance Consultant provides dedicated regulatory gap analysis and tailored compliance updates through our specialized compliance support services. Our team can help you map these incoming European rules to your operational agreements, ensuring your business remains protected.
To discuss your regulatory compliance requirements and learn how we can support your business through the transition to PSD3, contact Compliance Consultant today. You can book a free 30-minute discovery call by emailing info@complianceconsultant.org with the subject "Retainer Discovery Call" or by calling our UK Freephone number at 0800 689 0190. For international enquiries, please contact our London office at 0208 243 8620. Let our team of regulatory experts help you turn compliance into a commercial advantage.