The evidentiary burden of PSD3: recovering impersonation fraud costs from online platforms

To recover fraud reimbursement costs under the incoming European payments package, payment service providers must build structured, forensic evidence trails. Our analysis at Compliance Consultant shows that while Article 59 of the new Payment Services Regulation (PSR) gives PSPs a right of recourse (in practice, a subrogation-style claim) against telecom operators and online platforms for spoofing losses, those entities will contest every claim. Firms must therefore go beyond basic refund processing and capture timestamped digital footprints of platform failures before the fraudulent content disappears, whether deleted by the fraudster or taken down under the Digital Services Act (DSA). Success under the Third Payment Services Directive (PSD3) regime depends on immediate operational upgrades to transaction logging and customer reporting workflows.
Historically, authorised push payment (APP) fraud and impersonation scams have fallen into a regulatory grey area. If a consumer authorised a payment, the transaction was considered valid, leaving the payer to bear the loss. As loss volumes have escalated, regulators have shifted their focus from consumer negligence toward institutional responsibility.
The political agreement on PSD3 and PSR fundamentally redraws these boundaries. Payment service providers (PSPs) are now mandated to reimburse victims of spoofing and impersonation fraud. However, the legislation also creates a new right of recourse: PSPs can claim those funds back from the telecom operators and online platforms where the fraud originated. The gap between holding this legal right and actually recovering funds from global tech platforms will be determined entirely by a payment firm's internal documentation and incident response architecture.
The reality of spoofing and the platform liability trap
The prevailing assumption among mid-sized PSPs is that the introduction of platform liability under PSR will act as an automatic financial backstop for fraud losses. This misinterprets how intermediary liability functions in practice. Online platforms will not issue refunds to banks or payment institutions based on a customer's unsupported claim of being scammed on their network. Platforms will require irrefutable, timestamped proof that they were notified of fraudulent activity, failed to act, or allowed spoofing to occur through negligence.
Firms treating this as a simple dispute resolution process, rather than a rigorous evidence-gathering operation, will find themselves fully liable for the customer refund with no viable route for recovery. In our work as a specialist UK-based regulatory compliance firm, we find that firms relying on passive systems face the greatest exposure. If your compliance framework cannot show exact transactional links to platform failures, your recovery claims will be summarily rejected by platform legal teams.
This liability shift is not a theoretical change. The EBI analysis on authorised transactions outlines how the EU framework is systematically moving toward a shared liability model where the traditional distinction between authorised and unauthorised payments is disappearing. Under this model, the initial transaction authorisation no longer absolves the institutions involved. Instead, the focus is entirely on which party had the technical capability to prevent the fraud.
Analyzing the mechanics of Article 59 and the new liability chain
Under the upcoming Payment Services Regulation (PSR), the liability for bank impersonation fraud is fundamentally reallocated. When a customer is deceived by a fraudster pretending to be an employee of their bank or payment institution, the PSP is required to make the customer whole. However, the legislation introduces a critical safety valve for financial firms: the ability to seek recourse from the telecom or social media entities that hosted the deceptive interaction.
This framework means that our advisory specialists at Compliance Consultant are urging firms to treat fraud management as a litigation-readiness exercise. When a spoofing incident occurs, your firm must immediately build a case file that proves another intermediary failed in its statutory duty of care. This is the only way to successfully execute a subrogation claim under the new rules.
The overlap with the Digital Services Act
The link between financial regulations and tech platform obligations is established through the Digital Services Act (DSA). Under the compromise reached in the Draft PSR, online platforms are held liable if they are notified of fraudulent content and fail to remove it. As detailed in Osborne Clarke's reporting, this represents a significant expansion of platform liability.
To trigger this liability, the payment firm must prove the platform had knowledge of the illegal activity. This means your operational teams must document that a notice was sent to the platform, or that the platform's automated systems should have detected the obvious impersonation attempt under their DSA compliance mandates. Without this documentation, the platform can argue they acted in good faith and are exempt from liability under safe-harbour provisions.
Spoofing definitions and regulatory boundaries
The regulatory definition of "spoofing" under the PSR focuses on cases where a fraudster manipulates sender identities, phone numbers, or email headers to mimic a trusted source. This includes masquerading as bank employees, central bank officials, or government agencies to gain the customer's trust. The victim is then manipulated into approving a transaction that appears entirely legitimate.
This narrow definition means that standard authorised push payment scams, such as purchase fraud or investment scams, are treated differently from direct spoofing. To claim refunds from platforms, PSPs must prove that spoofing in this sense occurred. Your internal dispute processes must therefore categorise fraud types with precision at the point of reporting, not retrospectively. Compliance Consultant often works with firms to structure these regulatory risk classifications.
Building the evidence matrix to challenge platforms
To recover funds from global technology platforms or major telecom providers, payment firms must possess a standardised evidence package. These platforms employ sophisticated legal teams that will reject any claim containing vague or incomplete data. Our specialists at Compliance Consultant recommend establishing a strict digital evidence protocol that front-line fraud teams must execute the moment a customer reports an incident.
The required evidence package should include the following core components:
- The exact URL, account handle, or sender ID used by the fraudster on the originating platform.
- Communication logs preserved in a tamper-evident form (hashed and timestamped at the moment of capture), with timestamps that can be aligned to the transaction execution time.
- The specific technical details of the spoofing vector, such as manipulated SMS headers or spoofed telephone numbers.
- A formal police report reference showing the customer has reported the impersonation.
- Proof that the platform was notified of the fraudulent account or content and failed to take immediate action.
Capturing digital footprints before takedown
The greatest operational challenge in recovering spoofing costs is the speed at which fraudsters delete their tracks. Once the transfer is completed, the fraudulent ad is removed, the social media profile is deleted, and the chat history is wiped. If the PSP waits until the customer's formal dispute is processed to gather evidence, the digital footprints are gone.
Your customer-facing applications must prompt users to upload screenshots, save URLs, and export chat histories during the initial fraud reporting flow. Your internal systems must automatically package these files with the corresponding transaction metadata. This immediate data capture is the difference between a successful subrogation claim and absorbing a total loss.
Linking the fraudulent communication to the authorised payment
To establish platform liability, you must prove a direct causal link between the platform's failure and the financial loss. It is not enough to show that a customer was scammed on a platform and later made a payment. You must prove that the specific fraudulent communication hosted on that platform was the direct trigger for the transaction.
This requires mapping the timestamp of the deceptive message to the precise second the payment order was initiated. It also means documenting any specific payment instructions provided by the fraudster within the platform's chat interface. If this chain is broken, platform legal teams will argue that intervening factors caused the customer to send the funds.
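As an added example, not code from the original article or from any regulator or platform, the following Python sketch assembles the evidence package listed above and performs the causal-link check just described: every captured artefact is hashed at report time, the platform identifiers and the notice sent to the platform are recorded, the message that supplied the payee IBAN is matched against the payment initiation time, and the manifest is sealed with an HMAC so later edits are detectable. The tab-separated chat export format, the sample messages, the IBAN, handle, URL, notice reference and the sealing key are all constructed for illustration; a production system would sign with an HSM-held key and attach an independent RFC 3161 timestamp token as well.

```python
"""Evidence bundle for a platform-recovery claim (constructed example).

Hashes each captured artefact, records platform identifiers and the notice sent
to the platform, checks that the message which supplied the payee IBAN precedes
the payment order, and seals the manifest with an HMAC.
"""
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta, timezone

# Hypothetical sealing key. In production this lives in an HSM/KMS and an
# RFC 3161 timestamp from an external TSA would be attached to the seal.
SEALING_KEY = b"demo-sealing-key-not-for-production"

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_chat(export: str) -> list:
    """Constructed export format: one 'ISO-timestamp<TAB>sender<TAB>text' line per message."""
    msgs = []
    for line in export.splitlines():
        if not line.strip():
            continue
        ts, sender, text = line.split("\t", 2)
        msgs.append({"ts": parse_ts(ts), "sender": sender, "text": text})
    return msgs


def link_to_payment(messages: list, payment: dict, max_gap=timedelta(hours=24)) -> dict:
    """Find the message that supplied the payee IBAN and confirm it precedes the order.

    A message carrying the IBAN that is timestamped after the payment, or more than
    max_gap before it, is reported as a broken chain rather than silently accepted.
    """
    initiated = parse_ts(payment["initiated_at"])
    for m in messages:
        if payment["payee_iban"] in IBAN_RE.findall(m["text"]):
            gap = initiated - m["ts"]
            if timedelta(0) <= gap <= max_gap:
                return {"linked": True, "sender": m["sender"],
                        "instruction_ts": m["ts"].isoformat(),
                        "seconds_before_payment": int(gap.total_seconds())}
            return {"linked": False, "reason": "instruction not within window before payment"}
    return {"linked": False, "reason": "payee IBAN never appears in platform communication"}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_bundle(payment, chat_export, artefacts, platform_refs, notice, captured_at) -> dict:
    """Assemble and seal the manifest. `artefacts` maps filename -> raw bytes."""
    manifest = {
        "captured_at": captured_at,
        "payment": payment,
        "platform": platform_refs,
        "notice_to_platform": notice,
        "artefacts": {name: {"sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
                      for name, data in sorted(artefacts.items())},
        "linkage": link_to_payment(parse_chat(chat_export), payment),
    }
    seal = hmac.new(SEALING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "seal": seal}


def verify_bundle(bundle, artefacts) -> bool:
    """Re-derive the seal and every artefact hash; any edit since capture fails."""
    expected = hmac.new(SEALING_KEY, canonical(bundle["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["seal"]):
        return False
    recorded = bundle["manifest"]["artefacts"]
    return set(recorded) == set(artefacts) and all(
        recorded[n]["sha256"] == hashlib.sha256(d).hexdigest() for n, d in artefacts.items())


# Constructed sample data for a bank-impersonation scam run over a platform DM.
CHAT_EXPORT = (
    "2025-03-04T10:02:11Z\t@acme-bank-support\tAcme Bank security here. Your account is compromised.\n"
    "2025-03-04T10:05:40Z\t@acme-bank-support\tMove your funds to the safe account DE89370400440532013000 now.\n"
    "2025-03-04T10:06:02Z\tcustomer\tOk doing it now\n"
)
PAYMENT = {"payment_id": "PAY-0001", "initiated_at": "2025-03-04T10:09:30Z",
           "payee_iban": "DE89370400440532013000", "amount": "4850.00", "currency": "EUR"}
ARTEFACTS = {"chat.txt": CHAT_EXPORT.encode(), "screenshot.png": b"\x89PNG...constructed..."}
PLATFORM = {"name": "example-social", "handle": "@acme-bank-support",
            "url": "https://social.example/acme-bank-support"}
NOTICE = {"sent_at": "2025-03-04T10:31:00Z", "channel": "dsa-notice-portal", "reference": "TF-42"}

if __name__ == "__main__":
    bundle = build_bundle(PAYMENT, CHAT_EXPORT, ARTEFACTS, PLATFORM, NOTICE, "2025-03-04T10:25:00Z")
    print(json.dumps(bundle, indent=2))
    print("verified:", verify_bundle(bundle, ARTEFACTS))
```

The linkage record is the part a platform's legal team will read first: it names the sender, the exact message that carried the payee details, and how many seconds elapsed before the order was initiated (230 in the sample). Because the seal covers the linkage and the artefact hashes together, the firm can later show that neither the chat export nor the timeline was adjusted after the customer's report.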
Operational infrastructure upgrades for subrogation
Firms cannot claim platform refunds if their own house is not in order. The Payment Services Regulation (PSR) requires PSPs to implement specific fraud prevention measures as a precondition for shifting liability. If a regulator or a platform can show that your firm failed to implement those measures, you lose your right to recovery.
At Compliance Consultant, we advise our clients that compliance is not just about having policies on paper; it requires active, testable systems. This is especially true for payment firms navigating the transition to PSD3.
Name-IBAN verification logging
Under the new rules (the verification-of-payee requirement), the PSP must check the payee name entered by the payer against the name held for the IBAN and, on a mismatch, warn the payer before the payment order is executed. The payer may still choose to proceed after the warning. Your systems must log the result of the check, the warning text actually shown, and the customer's subsequent decision.
If a mismatch occurred and your system failed to alert the customer, your firm is fully liable for the loss. Conversely, if your system did issue the warning and the customer actively bypassed it, that audit trail is vital: it proves your firm met its statutory obligation, which is necessary for defending your position in any dispute.
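As an added example, not code from the original article or from any payment scheme, the following Python sketch shows the shape of that audit trail: a name-IBAN check that classifies the entered name as a match, close match or no match, decides which warning the payer sees, and writes both the check result and the customer's later decision to a hash-chained log so the sequence cannot be edited afterwards without detection. The account-holder table stands in for the verification-of-payee response from the payee's PSP, and the normalisation rules and similarity threshold are illustrative assumptions, not any scheme's official matching algorithm.

```python
"""Name-IBAN (verification of payee) check with a hash-chained audit log (constructed example)."""
import difflib
import hashlib
import json
import re
import unicodedata

# Constructed stand-in for the payee PSP's answer to a name lookup. In production this
# comes from the verification-of-payee request to the payee's PSP, not a local table.
ACCOUNT_HOLDERS = {
    "DE89370400440532013000": "Müller Handels GmbH",
    "GB29NWBK60161331926819": "J. Smith",
}

# Illustrative threshold; real schemes define their own matching rules.
CLOSE_MATCH_THRESHOLD = 0.85


def normalise(name: str) -> str:
    """Strip accents, case, punctuation and common legal-form suffixes before comparing."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    s = re.sub(r"\b(gmbh|ltd|limited|plc|ag)\b", " ", s)
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s).split())


def classify(entered: str, held: str) -> str:
    a, b = normalise(entered), normalise(held)
    if a == b:
        return "MATCH"
    if difflib.SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH"
    return "NO_MATCH"


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        body = json.dumps(record, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "prev": prev, "record": record,
                 "hash": self._digest(prev, record)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._digest(prev, e["record"]):
                return False
            prev = e["hash"]
        return True


def check_payee(log: AuditLog, payment_id: str, iban: str, entered_name: str, ts: str) -> dict:
    """Run the check, decide which warning the payer sees, and log both."""
    held = ACCOUNT_HOLDERS.get(iban)
    if held is None:
        result, warning = "UNAVAILABLE", "The payee's name could not be verified."
    else:
        result = classify(entered_name, held)
        if result == "MATCH":
            warning = None
        elif result == "CLOSE_MATCH":
            # On a close match the held name is disclosed so the payer can correct a typo.
            warning = f"The name does not match exactly. The account is held by: {held}."
        else:
            warning = "The name you entered does not match the account holder. Do not proceed unless you are sure."
    log.append({"ts": ts, "event": "vop_result", "payment_id": payment_id, "iban": iban,
                "entered_name": entered_name, "result": result, "warning_shown": warning})
    return {"result": result, "warning_shown": warning}


def record_customer_decision(log: AuditLog, payment_id: str, decision: str, ts: str) -> dict:
    """decision is PROCEEDED, CANCELLED or AMENDED; this entry is what a later dispute turns on."""
    return log.append({"ts": ts, "event": "customer_decision", "payment_id": payment_id,
                       "decision": decision})


if __name__ == "__main__":
    log = AuditLog()
    print(check_payee(log, "PAY-0001", "DE89370400440532013000", "Mueller Handels GmbH",
                      "2025-03-04T10:09:00Z"))
    record_customer_decision(log, "PAY-0001", "PROCEEDED", "2025-03-04T10:09:30Z")
    print("chain intact:", log.verify())
```

The pairing of a `vop_result` entry with a `customer_decision` entry under the same payment reference is the record the dispute team needs: it shows the warning was generated, what it said, and that the customer chose to proceed anyway. Keeping the two as consecutive chained entries, rather than as separate free-text notes, is what lets the firm demonstrate later that neither was added or altered after the loss.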
Documenting human customer support interventions
The PSR includes strict provisions to prevent full automation of customer support in fraud cases. Payment firms must ensure that customers have rapid access to human support staff when reporting potential fraud. This is designed to prevent victims from being locked out of their accounts or ignored by automated chatbots during a live scam.
Your operational logs must show the exact response times of your human support teams. If a customer was delayed in reporting a scam because your support line was unavailable, the platform can argue that the delayed response allowed the funds to be transferred. Documenting these interactions is critical for proving your operational diligence. For firms preparing for these rigorous inspections, ensuring your records can withstand scrutiny is the difference between passing and failing FCA desk-based reviews.
Comparing liability models and recovery paths
The shift from PSD2 to the PSR/PSD3 framework fundamentally alters how fraud costs are allocated. To help compliance teams understand these shifts, Compliance Consultant has mapped the transition across the primary fraud scenarios.
| Fraud Scenario | PSD2 Liability Standard | PSR / PSD3 Liability Standard | Evidence Required for Platform Recovery |
|---|---|---|---|
| Unauthorised transaction | PSP liable (payer bears at most a small excess unless grossly negligent or fraudulent) | PSP liable | N/A |
| Impersonation fraud (spoofing) | Payer liable (transaction authorised) | PSP liable, but can recover from the electronic communications service provider (ECSP) or online platform | Proof of platform negligence or failure to remove known fraudulent actors |
| Ignored Name-IBAN mismatch | Payer liable | PSP liable | Records proving warning was actively bypassed by customer |
This comparison shows that the old investigative model—which focused almost entirely on whether the customer authorised the transaction—is obsolete. Under the new regime, the investigation must focus on the source of the deception and the technical measures implemented by all intermediaries in the chain.
What this means in practice for compliance officers
For Heads of Compliance and Risk, preparing for the PSD3 and PSR transition requires a complete overhaul of current fraud logging practices. You must update your operational risk frameworks to treat platform recovery failures as a distinct financial risk. Your risk registers must contain specific parameters that track the percentage of fraud cases where platform-specific evidence was successfully captured.
To implement this systematically, front-line staff and automated systems must be trained to extract URLs, sender IDs, and timestamps immediately when a scam is reported. Standardising this data collection is essential for meeting the evidentiary thresholds required by platform legal teams. Our Comprehensive Compliance Retainer Services give firms access to our full digital product library, which includes the Complaints RCA & MI Reporting Template (£149 retail) to help you structure this data effectively.
For firms navigating these complex regulatory changes, establishing these detailed evidence trails also supports compliance with broader UK expectations. Under the FCA's focus on consumer protection, having structured dispute and root-cause analysis processes is vital for demonstrating good outcomes. If you are structuring your systems to meet these standards, our Compliance Case Studies demonstrate how we help firms translate complex rules into workable, defensible systems during major regulatory transitions.
Closing
The intention behind the European payment package is to force the entities hosting fraud to bear the financial consequences. However, the legal right to claim compensation is useless without the operational machinery to enforce it. When the implementation deadline arrives, the payment firms that have engineered their compliance and dispute systems to trap and document platform-level data will successfully insulate their balance sheets. Those relying on retrospective investigations and paper compliance will absorb the full cost of the internet's fraud problem.
If you need to evaluate your firm's readiness for these incoming rules, Compliance Consultant offers structured advisory support. You can book a free 30-minute discovery call to discuss your regulatory needs and identify the right retainer tier for your firm. Contact us at info@complianceconsultant.org with the subject "Retainer Discovery Call" or call our UK Freephone at 0800 689 0190 to speak with a specialist today.