Monday, December 1, 2025

NEW RULES ON FRAUD, HIDDEN CHARGES AND CONSUMER RIGHTS - EUROPEAN DECISION FOR BANKS AND SERVICE PROVIDERS

Filenews 1 December 2025 - by Theano Thiopoulou

EU member states and the European Parliament have agreed on new regulations that will oblige banks and other payment service providers to better protect their customers from online fraud, hidden fees and data leaks, Parliament announced last Thursday.

Customers should be duly informed of all charges before initiating a payment. They should receive, for example, information on currency conversion fees or any fixed fees for withdrawing cash at ATMs, regardless of who handles them. To ensure better access to cash, especially in remote and rural areas, retail stores will be able to provide cash withdrawals of up to €150 and at least €100, without the customer having to buy anything.

Improving competition

The negotiators agreed to reduce market barriers for "open banking services" (account information and payment initiation services) and to prevent account servicing payment service providers (ASPSPs, usually a bank or other financial institution) from discriminating against them. Authorized open banking providers must have access to payment account data, and the legislation includes a list of prohibited barriers to data access. In addition, payment service users will be given a dashboard to monitor and manage the permissions they have given to access their data. Banks should provide payment institutions with non-discriminatory access to payment accounts. Mobile device manufacturers and e-service providers should allow front-end service providers (such as applications or user interfaces) to store and transfer data required for payment processing, on fair, reasonable and non-discriminatory terms.

Customer Protection

If a payment service provider (PSP) fails to implement appropriate fraud prevention mechanisms, it will be liable to cover customer losses. PSPs should check that the beneficiary's name and unique identifier match. In cases of discrepancies, the PSP should refuse the payment order and inform the payer. PSPs should also ensure strong customer authentication and carry out a risk assessment. MEPs confirmed that PSPs must offer spending limits and exclusion measures to reduce fraud risks.

If a fraudster initiates or changes a transaction, it will be considered an unauthorized transaction and the PSP will be responsible for the full amount of the fraud. In addition, the PSP receiving the transaction should freeze any transaction it deems suspicious. To protect customers from impersonation fraud, where a fraudster pretends to be a PSP employee and tricks the customer into authorizing a payment, the PSP must refund the full amount if the customer reports the fraud to the police and informs their PSP.

Online platforms will be liable to payment service providers (PSPs) that have compensated deceived customers if the platforms become aware of fraudulent content on their platform and do not remove it. This builds on and enhances the protection provided by the Digital Services Act. In addition, financial services advertisers must show the very large online platforms and search engines that they have the legal license (or official exemption) in the relevant country to offer these services or that they are advertising on behalf of someone who has one. MEPs also ensured that users should have access to human customer support (not just chatbots) and that public funds should be allocated to educating people on how to avoid fraud.

Simplified licensing

The negotiators also agreed to simplify the licensing process for payment institutions. Authorisation should be subject to strict prudential and capital requirements, accurate own funds calculations, reliable budget forecasts and harmonised schedules, with initial capital scaled to the provider's risk level and the payment services provided. Cryptocurrency service providers already licensed under the Markets in Cryptocurrencies Regulation will be subject to a simplified process while maintaining appropriate risk controls and providing only the services specified in the application.