The European Union introduced the Revised Payment Services Directive (PSD2) to modernize the digital payments ecosystem and increase security for consumers across Europe. Adopted in 2015, the directive reshaped the relationship between banks, fintech companies, and customers by establishing clearer rules for electronic payments, stronger authentication requirements, and a framework for open banking.
One of the central objectives of PSD2 is to increase trust in digital payments. The directive requires financial institutions to implement Strong Customer Authentication (SCA), a mechanism that verifies a user’s identity using at least two independent factors drawn from different categories, such as a password (something the user knows), a mobile device (something the user possesses), or biometric authentication (something the user is); the factors must be independent in the sense that compromising one does not compromise the others. By introducing these security measures, the EU aimed to significantly reduce fraud in online banking and card payments.
Beyond security, PSD2 also promotes competition and innovation. The directive obliges banks to allow licensed third-party providers to access payment accounts (with customer consent). This change enabled the growth of financial technology services that can aggregate accounts, initiate payments, and develop new financial tools without requiring users to interact directly with their banks.
However, one of the most debated aspects of PSD2 concerns liability in cases of fraud, particularly phishing scams. The directive clearly distinguishes between unauthorized transactions and authorized transactions carried out under deception.
If a payment transaction is unauthorized – for example when a criminal gains access to a victim’s account and transfers money without their knowledge – the bank must usually refund the amount quickly, often by the next business day. In such cases, the customer’s liability is limited, typically to a small amount (often up to €50), unless the bank can prove fraud or gross negligence by the user.
Phishing attacks, however, often fall into a different category. In many scams, victims are manipulated into authorizing the payment themselves, for instance by confirming a transaction through their banking app or authentication device. Because the payment is technically authorized by the user, PSD2 does not automatically require banks to compensate the loss.
This distinction has sparked ongoing debate among regulators, consumer advocates, and cybersecurity experts. Critics argue that modern phishing techniques, often involving social engineering and sophisticated impersonation, can trick even cautious users. As a result, regulators and policymakers are currently discussing reforms, including updates under the upcoming Payment Services Regulation (PSR), which may introduce stronger obligations for banks to detect and prevent scams.
In practice, PSD2 represents a balance between innovation, security, and consumer responsibility. While it significantly strengthened protection against unauthorized transactions, it still leaves many phishing-related losses outside automatic reimbursement, placing increasing importance on both bank fraud detection systems and user awareness.
