The updated draft of the PSD3/PSR [2] was published on the 17th of April and is expected to be very close to the final text, which is to be published at some point in Q2 2026 or Q3 2026. In this blog I am looking at how it is changing the use of data for fraud prevention.
Historically, the use of personal data for fraud prevention was governed by the GDPR [1]. Banks needed to select a legal basis for processing personal data, such as user consent, a legitimate interest or public interest. For special category data, they were further required to rely on explicit user consent or substantial public interest. Unfortunately, when GDPR was implemented into local law, only some countries in the EU included fraud prevention as a substantial public interest. In the end, most banks had to rely on user consent as the basis for processing some of the data.
The reliance on user consent, in combination with bank secrecy legislation, meant that sharing of fraud data between banks was severely limited, and rarely implemented in practice.
Data sharing
However, with PSD3/PSR [2], banks are now mandated to share the following data, “to the extent necessary to operate transaction monitoring mechanism to prevent and detect potentially fraudulent payment transaction” [a]:
- Information about the payer (but not behaviour details)
- Information about the payment account and transaction history
- Transaction information, including currency, date, time, and account number
- Session data, including IP-addresses
- Device data, including device identifiers
- Information about the payee, including account number
This change means we will see more banks sharing data, for example by relying on compliance with a legal obligation as the basis under GDPR (Article 6, paragraph 1 (c)).
Data processing for transaction monitoring
Furthermore, with PSD3/PSR [2], banks are now also mandated to perform transaction monitoring to detect fraud. There is also a list of data items that can be used, if they are necessary to perform transaction monitoring [b]:
- Information about the payer, including behaviour characteristics of the payer when authenticating
- Information about the payment account and transaction history
- Transaction information, including currency, date, time, and account number
- Session data, including IP-addresses
- Device data, including device identifiers
- Information about the payee, including account number
- Information received through data sharing
Here too, I expect we will see a shift in the basis used for processing these data items, from consent (Article 6, paragraph 1 (a) of GDPR [1]) to compliance with a legal obligation (Article 6, paragraph 1 (c)).
Transaction monitoring is one of the areas where the EBA will publish regulatory technical standards (RTS), so we might get more clarity on which data attributes are required when the RTS is published.
Data sharing through pseudonymisation
During Q3 2025, we also got a new ruling from the Court of Justice of the European Union, clarifying the scope and handling of pseudonymised data [3].
Based on the court judgement, in some cases and with the right controls and segregation in place, when pseudonymised data is sent between organisations, the receiving organisation does not have to regard the data as personal data. This will make data sharing between organisations easier.
Better fraud prevention
The above changes have the potential to improve fraud prevention across Europe:
- More accurate fraud prevention decisions, when more data signals are available
- Recognition of fraud patterns across organisations, further improving fraud prevention decisions, when data sharing removes blind spots
- Improved collaboration, when data sharing becomes mandatory
Based on that, we should see lower fraud rates and better protection for banking users. What kind of changes are you planning for your fraud data processing and data sharing?
At Callsign we focus on a solution that:
- Collects and handles all the data attributes listed in the PSD3/PSR regulation, including behaviour biometrics, transaction data, account data, session data, and device identifiers
- Performs fraud prevention through both rules and machine learning based on those data attributes
- Enables data sharing through our orchestration and consortium view of data
We also assist our EU clients with compliance with regulations such as PSD3/PSR, GDPR, DORA, and more, through our excellent legal, security and data privacy team. Why not get in touch to discuss your approach to compliance and leverage our experience?
References
[1] European Union, “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL: on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR),” Official Journal of the European Union, pp. 1-88, 27 April 2016.
[2] Council of the European Union, “2023/0210 (COD), 8221/26: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on payment services in the internal market and amending Regulations (EU) No 1093/2010, (EU) No 260/2012, (EU) 2017/2394, (EU) 2021/1230 and (EU) 2023/1114,” pp. 1-431, 17 April 2026.
[3] Dittmar & Indrenius, Discussion Roundtable at Nordic Fintech Summit, Helsinki, 2026.
[a] Please see Article 83a paragraph 1 for the obligation to perform data sharing and Article 83 paragraph 2 for the list of data items
[b] Please see Article 83 paragraph 1 for the obligation to perform transaction monitoring and Article 83 paragraph 2 for the list of data items