EU member states and the European Parliament have agreed on new rules forcing banks and other payment providers to better protect customers from online fraud, hidden charges and data breaches, Parliament announced last Thursday.
Customers must be properly informed of all charges before starting a payment. They will receive information on currency conversion fees or any fixed charges for cash withdrawals at ATMs, regardless of who operates them.
To ensure better access to cash, particularly in remote and rural areas, retail shops will be able to provide cash withdrawals of up to €150 and at least €100 without customers needing to buy anything.
Negotiators agreed to lower market barriers for open banking services and prevent account servicing payment service providers—usually a bank or other financial institution—from discriminating against them. Authorised open banking providers must have access to payment account data, and the legislation includes a list of banned obstacles to data access.
Payment service users will be given a dashboard to monitor and manage the rights they have granted for access to their data. Banks must provide payment institutions with non-discriminatory access to payment accounts.
Mobile device manufacturers and electronic service providers must allow front-end service providers such as apps or user interfaces to store and transfer data required for payment processing on fair, reasonable and non-discriminatory terms.
If a payment service provider fails to implement adequate fraud prevention mechanisms, it will be liable for covering customer losses. Payment service providers must check that the name and unique identifier of the beneficiary match.
In cases of discrepancies, the provider must reject the payment order and inform the payer. Providers must also ensure strong customer authentication and conduct risk assessments.
MEPs confirmed that payment service providers must offer spending limits and blocking measures to reduce fraud risks.
If a fraudster initiates or alters a transaction, it will be considered an unauthorised transaction, and the payment service provider will be liable for the full amount of the fraud.
Additionally, the receiving payment service provider must freeze any transaction it deems suspicious.
To protect customers from impersonation fraud, where a fraudster pretends to be an employee of the payment service provider and tricks the customer into approving a payment, the provider must refund the full amount, provided the customer reports the fraud to police and informs their payment service provider.
Online platforms will be liable to payment service providers that have compensated defrauded customers if they are notified of fraudulent content on their platform and do not remove it. This builds on and strengthens protections provided by the Digital Services Act.
Additionally, financial service advertisers must show very large online platforms and search engines that they have the legal licence or official exemption in the relevant country to offer these services or are advertising on behalf of someone who has. MEPs also ensured that users must have access to human customer support, not just chatbots, and that public resources should be allocated to educate people on how to avoid fraud.
Negotiators also agreed to simplify the licensing process for payment institutions. Licensing will be subject to strict prudential and capital requirements, precise own-funds calculations, reliable budget forecasts and harmonised timelines, with initial capital scaled to the provider’s risk level and payment services offered.
Cryptocurrency service providers already licensed under the Markets in Crypto-Assets Regulation will be subject to a simplified procedure whilst maintaining appropriate risk controls and providing only the services specified in the application.