EU legal eagle says banks should refund cybercrime victims first, argue later
(2026/03/11)
- Reference: 1773228561
- News link: https://www.theregister.co.uk/2026/03/11/eu_psd2_compensation/
Analysis One of the European Union's top legal advisors is trying to change how banks treat cybercrime victims – meaning they could enjoy greater financial protections sooner than expected.
In a recently published legal [1]opinion, Advocate General Athanasios Rantos urged lawmakers to alter their interpretation of the Second Payment Services Directive (PSD2), which would require banks to reimburse victims of financial fraud before proving wrongdoing.
Crucial to this is the treatment of gross negligence under PSD2. Should Rantos's opinion be adopted, victims of crimes such as bank impersonation scams would be reimbursed immediately, regardless of whether, under EU law, their money was lost through their own gross negligence.
Under the current PSD2, banks hold the power. If a victim of online fraud reports the crime to their bank, the institution then reviews the case to decide whether the victim should be reimbursed.
The current model can often leave victims in an uncertain and potentially perilous financial position until the bank determines whether or not to repay them.
Banks often use the gross negligence defense to delay reimbursement. Rantos's opinion, which is not yet legally binding, looks to flip this on its head, forcing banks to pay victims immediately, regardless of whether gross negligence led to the fraud's success, and then reclaim the money after the case is reviewed.
Under the EU's payment processing regulations, gross negligence can be argued in cases where victims are tricked into handing attackers a [6]one-time passcode or their login details, which the criminal then uses to enrich themselves by making unauthorized payments.
Rantos's hypothetical
The Advocate General provided a fictional [7]example [PDF] of a case in which the victim would benefit from a legislative tweak.
For example, a customer of a bank in the EU is phished by a criminal who listed an item for sale on an online marketplace. They agree to purchase the item, and the criminal sends the victim a link that leads to a web page imitating the victim's bank.
Convinced the web page is legitimate and not under the attacker's control, the unwitting victim enters their bank details to approve a transaction, but the attacker steals those credentials and uses them to make a payment from the victim's account.
The victim reports the scam to their bank, but it claims gross negligence led to the fraudulent transaction (not spotting that the web page was a [8]phishing site). The bank refuses to issue an immediate refund, forcing the victim to pursue a recovery through the courts, likely while in a position of limited resources due to the attacker's theft.
Rantos's opinion would require the bank to cough up money to the victim immediately and allow it to reclaim the funds if gross negligence is proven later, providing the victim greater financial security in the short term.
Jonathan Frost, director of global advisory for EMEA at cyber and fraud detection biz BioCatch, said: "The Advocate General's opinion indicates a major shift in the liability for fraud in European payments. If the Court concurs, banks may have to promptly reimburse customers for unauthorized transactions and then pursue negligence claims. This shifts the initial financial risk to banks, heightening the need to detect account takeover and credential compromise before processing payments."
"This reflects a key principle of the Revised Payment Services Directive (PSD2): customers should be promptly refunded for unauthorized payments, unless the bank can clearly prove fraud or gross negligence. UK banks already reimburse about 98 percent of unauthorized fraud losses, whereas European banks have often refused to reimburse customers unless they pursue legal action."
The overhaul to PSD2's interpretation, per Rantos's opinion, will almost certainly come soon in the form of the updated PSD3 and brand-new Payment Services Regulation (PSR).
Unlike with PSD2, this specific scenario is explicitly codified in both the proposed new regulations, as they are currently worded.
However, a protracted legislative process could mean the protections are not formally introduced and enforced for some time, despite first being proposed in 2024, which is why the Advocate General wants it fast-tracked as part of a reinterpretation of PSD2.
PSD3/PSR will bring a bunch of changes to the EU's payments regulations. Aside from the more finance-related parts, payment services providers (PSPs) will need to implement more robust Strong Customer Authentication (SCA) – one of the more influential changes lawmakers hope will curb the rising number of financial fraud cases. If PSPs fail to implement SCA properly, regulators could prosecute them.
Merchants also have a role to play. They will need to share more data with the PSPs, which can then make better-informed decisions about whether to approve or deny transactions. User locations, session data, device IP addresses, and more will work to provide PSPs with a clearer picture of who exactly authorized the payment: the genuine cardholder or a malicious third party.
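The kind of risk decision a PSP could make from the signals this paragraph names, worked through on the article's phishing hypothetical. This is an added example, not code from the article, from PSD2/PSD3 or from any real PSP; the account profile, transactions, field names and the 60-second session threshold are constructed assumptions.

```python
"""Toy PSP-side payment risk decision over the signals the article names (user location,
session data, device IP). Added example; profile, transactions and fields are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Transaction:
    account: str
    amount_eur: float
    payee: str
    country: str         # geolocation the merchant reports for the session
    device_id: str       # device fingerprint shared by the merchant (hypothetical field)
    client_ip: str
    session_age_s: int   # seconds since login (hypothetical merchant session datum)
    sca_completed: bool  # customer completed Strong Customer Authentication for this payment


# Constructed per-account baseline; a real PSP would derive this from transaction history.
PROFILES = {
    "acct-001": {
        "countries": {"NL"},
        "devices": {"dev-a1"},
        "payees": {"utility-co"},
        "networks": [ip_network("203.0.113.0/24")],
    },
}


def risk_signals(tx: Transaction, profile: dict) -> set:
    """Signals the transaction triggers against the account's known baseline."""
    signals = set()
    if tx.country not in profile["countries"]:
        signals.add("new_country")
    if tx.device_id not in profile["devices"]:
        signals.add("new_device")
    if tx.payee not in profile["payees"]:
        signals.add("new_payee")
    if not any(ip_address(tx.client_ip) in net for net in profile["networks"]):
        signals.add("new_network")
    if tx.session_age_s < 60:          # credentials used within a minute of login
        signals.add("fresh_session")
    return signals


def decide(tx: Transaction) -> tuple:
    """Return (decision, signals); the signal set is the evidence the PSP keeps if liability is disputed."""
    signals = risk_signals(tx, PROFILES[tx.account])
    # Credential-theft pattern from the article's phishing hypothetical: valid login
    # details, but an unknown device on an unknown network paying a first-time payee.
    if {"new_device", "new_network", "new_payee"} <= signals:
        return "decline", signals
    if signals and not tx.sca_completed:
        return "step_up_sca", signals   # ask the customer to confirm before processing
    return "approve", signals
```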
SCA is already a requirement under the existing [14]PSD2, although PSD3 will bring improvements, with the PSR enforcing them. Because the PSR is a regulation rather than a directive (which requires member states to transpose its requirements into domestic law, another lengthy process), the EU can enforce it immediately across all member states.
The types of data that inform SCA will remain largely unchanged, but PSD3 will more clearly define liability in cases of failure.
SCA under PSD2 is also usually enforced through means only accessible via smartphone, and PSD3/PSR will force PSPs to broaden these methods of authentication, offering greater protection to those without access to a smartphone, for example, or those with disabilities. ®
[1] https://infocuria.curia.europa.eu/tabs/jurisprudence?sort=DOC_DATE-DESC&searchTerm=%22C-70%2F25%22&publishedId=C-70%2F25
[6] https://www.theregister.com/2025/12/06/multifactor_authentication_passkeys/
[7] https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260031en.pdf
[8] https://www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/
[14] https://www.theregister.com/2020/03/13/eu_multi_factor_auth_banking/
Re: Good intention perhaps
Phil O'Sophical
It's rarely the bank's fault, and people always seem to forget that high street banks get their money from their customers. The more the banks are forced to reimburse gullible customers who have been conned by scammers, the more the bank charges for all customers will go up.
If someone follows a link they have been sent to a phishing site, instead of typing in the bank address as they have been repeatedly told to do, they must share the responsibility. The fact that the site pretends to be their bank isn't the bank's fault, nor the fault of the bank's more attentive customers, so why should they have to pay?
Good intention perhaps
But the devil will be in the detail for any legal implementation.
It's a very strange area; we are dealing with multiple challenges and issues, not least that we've got scammers aplenty who are giving this the broadside approach and then clinging to any mark that seems to be drawn into the scam.
It's an ever-moving set of rules and goalposts.
Whilst banks are very much loaded with cash, is it always the bank's fault that a scammer has worked on their system to steal funds from a poor unsuspecting victim?
As soon as you put a control in place to deal with something, the miscreant ne'er-do-well will work out a method to get around it.
Much like electricity and water, the thief will take the path of least resistance.