
Transaction Risk Analysis (TRA) – balancing fraud detection and user experience under PSD2 and DORA

Written by Partisia | 2025.11.03
 
Transaction Risk Analysis (TRA) is a regulatory and operational tool that allows financial institutions to assess the likelihood of fraud in real time and decide whether strong customer authentication (SCA) is required.

Introduced under PSD2 and reinforced through DORA, TRA enables payment service providers (PSPs) to deliver secure yet frictionless digital payment experiences.
Rather than applying strict authentication to every transaction, institutions use TRA to make risk-based decisions — evaluating factors like transaction amount, user behavior, and merchant reputation.

Effective TRA strikes a balance between compliance and usability — protecting both financial integrity and customer trust.

Why TRA matters for fraud prevention and compliance

Fraudsters have become more sophisticated, using stolen credentials, synthetic identities, and social engineering. Rigid authentication slows transactions but doesn’t necessarily reduce risk. TRA provides a smarter approach by combining analytics, historical data, and behavioral profiling to detect anomalies before a transaction is approved.

Key goals of TRA include:

  • Reducing unnecessary authentication steps through data-driven risk scoring.
  • Identifying suspicious or unusual activity in real time.
  • Complying with PSD2 exemptions for low-risk transactions.
  • Aligning fraud detection with DORA’s resilience requirements.

When implemented correctly, TRA enhances both security and conversion — a rare combination in regulated financial environments.

How TRA works in practice

TRA models draw on multiple data points to calculate the probability that a given transaction is fraudulent. The system assigns a risk score and determines whether SCA should be triggered or bypassed under a regulatory exemption.

Core components include:

  • Behavioral analytics: monitors login patterns, device fingerprints, and customer interaction history.
  • Transaction profiling: analyzes payment amount, merchant type, and geographic context.
  • Historical fraud data: informs thresholds for “normal” versus risky activity.
  • Machine learning models: continuously refine detection accuracy based on new fraud trends.
  • Real-time decision engines: execute pass, flag, or authenticate actions within milliseconds.

This layered process aligns with the EBA’s Regulatory Technical Standards (RTS) and supports compliance with both PSD2 and DORA.

TRA under PSD2 and DORA

Under PSD2, TRA allows PSPs to apply SCA exemptions only if they can demonstrate that their fraud rates remain below specific thresholds set by the European Banking Authority (EBA).
DORA builds on this by requiring that all TRA systems meet strict operational resilience and data integrity standards.

Institutions must ensure their TRA processes are:

  • Continuous: analyzing transactions in real time, not batch-based.
  • Transparent: able to explain the decision logic to regulators.
  • Auditable: maintaining logs for supervisory review.
  • Secure: compliant with GDPR and protected from manipulation or bias.

This integration between PSD2, DORA, and TRA formalizes risk-based fraud detection as a compliance requirement, not an optional capability.
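The decision step and the auditability requirement described above, sketched in Python as an added example (not Partisia's code or any PSP's implementation). The exemption ceiling uses the reference fraud rates from the Annex to the RTS on SCA; the score cutoffs, field names and sample transaction are hypothetical, and the risk score is assumed to come from a separate model.

```python
import hashlib
import json
from decimal import Decimal as D

# Exemption threshold value (EUR) -> reference fraud rate (%), from the Annex to the
# RTS on SCA (Delegated Regulation (EU) 2018/389); check against the current text.
REFERENCE_RATES = {
    "card": {D(100): D("0.13"), D(250): D("0.06"), D(500): D("0.01")},
    "credit_transfer": {D(100): D("0.015"), D(250): D("0.01"), D(500): D("0.005")},
}
LOW_RISK, HIGH_RISK = D("0.20"), D("0.80")  # hypothetical score cutoffs

def exemption_ceiling(instrument, rate_pct):
    """Highest ETV whose reference rate the PSP's own fraud rate does not exceed."""
    ok = [etv for etv, ref in REFERENCE_RATES[instrument].items() if rate_pct <= ref]
    return max(ok, default=D(0))

def decide(txn, psp_fraud_rate_pct, score):
    """Return (action, reason); the reason is the explanation kept for supervisors."""
    ceiling = exemption_ceiling(txn["instrument"], psp_fraud_rate_pct)
    if score >= HIGH_RISK:
        return "flag", f"score {score} >= {HIGH_RISK}"
    if D(txn["amount_eur"]) > ceiling:
        return "authenticate", f"amount above exemption ceiling EUR {ceiling}"
    if score >= LOW_RISK:
        return "authenticate", f"score {score} >= {LOW_RISK}"
    return "pass", f"TRA exemption: amount <= EUR {ceiling}, score {score}"

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_audit(log, txn, action, reason):
    """Append a record whose hash also covers the previous record's hash."""
    body = {"txn": txn, "action": action, "reason": reason,
            "prev": log[-1]["hash"] if log else "0" * 64}
    log.append({**body, "hash": _digest(body)})

def verify_audit(log):
    """True only if every record hashes correctly and links to its predecessor."""
    prev = "0" * 64
    for rec in log:
        body = {k: rec[k] for k in ("txn", "action", "reason", "prev")}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return False
        prev = rec["hash"]
    return True

if __name__ == "__main__":  # constructed sample; PSP card fraud rate 0.05 %
    t = {"id": "t1", "instrument": "card", "amount_eur": "180.00"}
    print(decide(t, D("0.05"), D("0.05")))
```

The hash chain only shows tampering if the latest hash is also recorded somewhere the log's writer cannot modify.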

Challenges in TRA implementation

While TRA reduces friction, it introduces operational complexity. Many institutions struggle to meet both regulatory and performance expectations simultaneously.

Common challenges include:

  • Data quality and availability: incomplete behavioral or merchant data weakens model accuracy.
  • Cross-border coordination: inconsistent fraud definitions between markets.
  • Model transparency: regulators demand explainability for automated risk scoring.
  • Privacy conflicts: sharing behavioral data across PSPs raises GDPR concerns.

According to the European Payments Council’s 2024 fraud trends report, over 40% of PSPs cite data-sharing restrictions as the main obstacle to optimizing TRA systems.

“Transaction Risk Analysis is where compliance meets competition. The institutions that master real-time fraud modeling don’t just meet PSD2 expectations — they deliver faster, safer payments that keep customers loyal.”
- William Morris, Lead Enterprise Account Executive - UK


This reflects the growing understanding that TRA is as much a business enabler as it is a compliance tool.

Partisia’s perspective

Effective TRA requires institutions to analyze transaction data collaboratively — yet privacy and jurisdictional limits make this difficult. Partisia’s privacy-preserving data collaboration platform allows PSPs and banks to share fraud insights securely without disclosing personal or transactional details.

With Partisia solutions, institutions can:

  • Run shared fraud detection models across multiple payment providers.
  • Maintain GDPR and PSD2 compliance while improving fraud accuracy.
  • Prove the integrity and resilience of TRA systems under DORA standards.

This privacy-first approach enables risk intelligence that meets regulatory standards and protects customers — the foundation of trust in modern payments.