
PSD2 and fraud monitoring – redefining payment security and compliance

 

The Payment Services Directive 2 (PSD2) fundamentally changed how banks and payment providers detect and prevent fraud. Introduced to enhance consumer protection and encourage innovation, PSD2 required every financial institution operating in the EU to reengineer its transaction monitoring systems.

Fraud prevention is no longer a standalone function. It’s now embedded into authentication, transaction analytics, and regulatory reporting. PSD2’s strong customer authentication (SCA) and real-time monitoring requirements have forced a complete shift toward continuous, data-driven fraud management.

The PSD2 framework

PSD2, enacted in 2018, modernized the EU’s payment ecosystem by enabling open banking — the secure exchange of customer data between banks and third-party providers. Its key provisions directly impact fraud detection:

  • Strong Customer Authentication (SCA): mandatory multi-factor authentication for digital payments.

  • Transaction Risk Analysis (TRA): dynamic assessment of transaction risk to enable SCA exemptions.

  • Real-time monitoring: continuous evaluation of payment behavior to identify anomalies.

  • Incident reporting: regulated procedures for communicating security breaches to authorities.

The directive made fraud detection a technical, regulatory, and operational discipline all at once.

 

How PSD2 changed fraud monitoring

Before PSD2, fraud monitoring relied on post-transaction reviews and static rule sets. The directive introduced risk-based, real-time analysis that combines authentication data, behavioral signals, and payment metadata.

Key shifts include:

  • From static to dynamic: algorithms adjust thresholds and risk scores continuously.

  • From siloed to integrated: payment data, authentication events, and device data now feed a unified fraud engine.

  • From detection to prediction: AI and analytics forecast risk instead of reacting after losses.

  • From compliance to resilience: monitoring systems now serve both regulatory and security objectives.

These capabilities support not just regulatory reporting, but the broader goals of operational resilience under DORA and AMLD6.

Fraud types targeted under PSD2

According to the European Central Bank’s 2024 Payment Fraud Report, PSD2 has significantly reduced card-not-present fraud, but new threats continue to evolve. Common risks include:

  • Account takeover through phishing or malware.

  • Synthetic identities combining real and fake data.

  • Transaction manipulation via compromised APIs.

  • Fraudulent third-party payment initiation.

To combat these, PSD2 requires payment service providers (PSPs) to maintain transaction monitoring systems that continuously learn and adapt.


 

The role of Transaction Risk Analysis (TRA)

TRA allows institutions to grant SCA exemptions for low-risk payments based on cumulative fraud rates and behavioral analytics. The approach enables smoother user experiences while maintaining security.

To qualify for exemptions, firms must demonstrate:

  • Proven fraud rates below defined thresholds.
  • Continuous, AI-supported monitoring.
  • Clear escalation and reporting mechanisms.

This balance between usability and compliance is what drives most modern fraud monitoring innovation today.


“PSD2 didn’t just tighten authentication; it changed how institutions think about trust. Fraud detection has moved from rule-based control to continuous intelligence.”
- William Morris, Lead Enterprise Account Executive - UK

This insight captures the strategic nature of PSD2 — it’s as much about data integration as it is about security.


Cross-regulatory connections

PSD2 does not exist in isolation. It connects directly to other EU compliance frameworks:

  • AMLD6 and AMLD5, which define the broader anti-money laundering architecture.

  • EBA Guidelines on Financial Crime Risk, which extend monitoring obligations.

  • DORA, which ensures resilience in fraud detection systems.

  • FATF Recommendations, which provide the international benchmark for AML and CTF compliance.


Challenges in PSD2 fraud monitoring

Even with modern tools, PSD2 implementation remains complex:

  • Integrating multiple authentication and monitoring systems.

  • Managing third-party access through open banking APIs.

  • Complying with data protection requirements under GDPR.

  • Maintaining consistent risk thresholds across jurisdictions.

According to PwC’s European Payments Survey 2024, nearly 60% of European PSPs cite inconsistent fraud thresholds across national regulators as a barrier to full PSD2 compliance.


Partisia’s perspective

PSD2 created a new standard for secure and transparent payment monitoring — but it also introduced new data sharing and privacy challenges. Partisia’s privacy-preserving data collaboration platform allows financial institutions to meet these dual obligations.

Using Multi-Party Computation (MPC), banks and payment providers can:

  • Correlate transaction data across institutions without exposing customer details.

  • Train fraud detection models collaboratively and securely.

  • Meet both PSD2’s transparency obligations and GDPR’s privacy restrictions.

This makes PSD2 compliance practical and scalable, enabling real-time monitoring that is secure, compliant, and future-proof.
 
Partisia
2025.11.03