Closing the SCA Gap: How European PSPs Can Meet PSD2 and PSD3 Fraud Obligations
- 01 Why does Strong Customer Authentication (SCA) still leave European banks exposed?
- 02 What are the SCA requirements under PSD2 and which exemptions carry fraud risk?
- 03 What does PSD3 mean for fraud detection in the European financial sector?
- 04 How Shufti help European Payment Providers meet Fraud Control Obligations?
TL;DR
- EEA payment fraud hit €4.2 billion in 2024 despite mandatory SCA, because fraudsters exploit exemption pathways (especially TRA, used in 29% of SCA-bypassed card payments) rather than directly breaking authentication.
- Authorised push payment (APP) scams, where users are socially engineered into approving their own fraudulent transfers, now account for roughly 85% of credit transfer fraud losses, a blind spot pure transaction screening can’t catch.
- PSD3 and the Payment Services Regulation (rolling out 2026-2027) will mandate payee name verification, tighter transaction-monitoring windows, and granular fraud reporting, closing gaps left by PSD2.
- Cross-border transactions are 17x riskier than domestic EEA payments, underscoring that the authentication perimeter has structural seams attackers actively target.
Five years after strong customer authentication (SCA) Europe-wide became a regulatory baseline, fraud prevention Europe has a paradox that compliance teams cannot ignore. EEA payment fraud reached €4.2 billion in 2024 even as SCA adoption continued to climb.
Attackers did not break SCA. They worked around it, exploiting exemption pathways, manipulating authorisation flows, and targeting the transaction types that PSD2 fraud prevention Europe’s authentication regime does not reach.
This article maps the full digital fraud controls that Europe compliance officers need to understand: SCA requirements, exemption risk tiers, dynamic linking, 3DS2 deployment, and the obligations incoming under PSD3 and the Payment Services Regulation. The goal is a planning framework, not a compliance checklist.
Why does Strong Customer Authentication (SCA) still leave European banks exposed?
Fraud prevention in European banking has a coverage problem. Strong Customer Authentication (SCA) is mandatory under PSD2 Directive 2015/2366/EU for electronic remote payment transactions, but the directive also defines a structured set of exemptions, and each one is a gap that sophisticated fraud operations have learned to target systematically.
The EBA-ECB 2025 Payment Fraud Report shows that credit transfer fraud losses reached €2.2 billion in 2024, up 16% year-on-year, while card payment losses hit €1.3 billion, up 29%. The sharpest exposure sits at the cross-border edge: card payment fraud rates are 17 times higher when the payee is located outside the EEA compared to domestic EEA transactions, a signal that the authentication perimeter has seams attackers have learned to exploit.
The Authorisation Manipulation Problem
When fraudsters cannot beat authentication directly, they shift strategy to social engineering, convincing legitimate account holders to authorise payments themselves. This is why payment service users bore approximately 85% of total credit transfer fraud losses in 2024, per the EBA-ECB report. The authenticated transaction is a fraud. Fraud detection Europe financial sector teams relying on threshold-based transaction screening cannot intercept a payment that the account holder legitimately authorised under deception or duress.
A layered approach to anti money laundering and fraud prevention that covers identity continuity from onboarding through the account lifecycle closes the gap that authentication alone leaves open. Teams screening only at the payment stage miss the upstream signals: atypical login device, sudden account detail change, new beneficiary added minutes before a large transfer that preceded the fraudulent instruction.

What are the SCA requirements under PSD2 and which exemptions carry fraud risk?
SCA compliance European payments obligations require that remote electronic transactions are authenticated using at least two of three factors: something the customer knows (PIN or password), something the customer has (device or card), and something the customer is (biometric).
PSD2 compliance fraud prevention controls also mandate dynamic linking; the authentication code must be uniquely tied to the specific transaction amount and payee, making an intercepted code useless on a different payment.
The EBA’s Regulatory Technical Standards on SCA define the exemptions payment service providers may apply. Each removes the authentication requirement for a defined transaction category, and each carries a different fraud risk profile that providers must manage against their own fraud rate benchmarks.
Where Transaction List Analysis (TRA) exemptions concentrate risk?
Transaction risk analysis (TRA) exemptions are the highest-volume gap: 29% of remote card payments that bypassed SCA in 2024 used the TRA pathway. TRA allows providers to exempt payments up to €500 when their own fraud rate falls below EBA-defined thresholds. The exemption is self-administered, which means providers with degraded detection models can continue applying it while accumulating losses they are separately required to report.
Low-value exemptions are structurally simpler but are exploited at high frequency through card testing and enumeration attacks. Trusted beneficiary exemptions where the account holder whitelists a payee are increasingly targeted through social engineering that redirects the whitelist to an attacker-controlled account before a large transfer is initiated.

What does PSD3 mean for fraud detection in the European financial sector?
Online fraud prevention Europe regulations become more uniform under PSD3 and the Payment Services Regulation (PSR), which reached provisional agreement in late 2024 and are expected to be transposed into national law across 2026 and 2027. The PSD3/PSR timeline analysis from Norton Rose Fulbright notes that the incoming framework extends liability obligations and mandates granular fraud reporting at the transaction type level, a significant step beyond PSD2’s aggregate reporting approach.
For teams already tracking broader KYC regulatory shifts taking effect through 2025 and 2026, PSD3 adds pressure at multiple points in the payment stack.
Payee name verification and Authorised Push Payments (APP) Scam Liability
PSD3 requires payment service providers to verify that payee names match account details before processing credit transfers, a direct response to authorised push payment (APP) scams, which the current data shows are driving the bulk of user-borne losses.
European financial fraud prevention solutions built on rule-based transaction screening alone will not satisfy this requirement because payee name verification demands a real-time matching capability that sits upstream of the payment instruction, not downstream of it.
Expanded Transaction Monitoring Obligations
PSD3 extends monitoring requirements beyond the current PSD2 scope, with tighter timelines for detecting and reporting anomalous patterns. Fraud detection Europe financial sector capabilities need to move from retrospective batch review toward continuous, in-session behavioural signals. Providers that relied on end-of-day reconciliation to catch suspicious patterns will face a compliance gap when the new monitoring windows take effect, particularly in the credit transfer segment where losses are already accelerating.
How Shufti help European Payment Providers meet Fraud Control Obligations?
The friction in meeting PSD2 and PSD3 fraud obligations is rarely a missing rule; it is the gap between where identity is verified and where the transaction is screened. In most PSP stacks, those two signals run on separate systems, which means a behavioural anomaly flagged during a payment does not automatically reach back to the account’s onboarding risk profile.
Shufti closes that gap through identity-to-transaction continuity. The risk signal captured during onboarding travels through the full account lifecycle and informs fraud prevention decisions at the payment stage, so teams get a connected picture rather than isolated point-in-time checks. For AML obligations under PSD3’s expanded monitoring requirements, Shufti’s AML screening draws on 100,000+ data sources updated every 15 minutes, a cadence that matches the EBA’s expectation for continuous adverse media and sanctions monitoring rather than periodic batch review.
See how Shufti’s identity and transaction screening stack maps to your PSD2 and PSD3 obligations with a 20-minute demo.
Frequently Asked Questions
What are the SCA requirements under PSD2?
PSD2's Strong Customer Authentication requires remote electronic payments to be authenticated using at least two factors from three categories: knowledge (PIN or password), possession (device or card), and inherence (biometrics). Dynamic linking is also mandatory; the authentication code must be uniquely tied to the payee and transaction amount, so it cannot be reused on a different payment.
How does PSD2 affect fraud liability in Europe?
Under PSD2, liability for unauthorised payment fraud sits primarily with the payment service provider unless the account holder acted with gross negligence. Authorised push payment (APP) fraud where the user is deceived into approving the transfer currently falls outside provider liability in most frameworks. PSD3 proposes to shift a portion of APP scam liability onto providers, materially changing the risk calculus for credit transfer products.
What exemptions exist under Strong Customer Authentication?
The EBA's Regulatory Technical Standards define five main categories: low-value transactions, trusted beneficiaries whitelisted by the account holder, fixed recurring payments with identical amounts, contactless in-person payments below thresholds, and transaction risk analysis (TRA) exemptions for payments up to €500 where the provider's fraud rate meets EBA benchmarks.
What is the difference between PSD2 and PSD3?
PSD2 established SCA as the baseline authentication requirement for remote electronic payments. PSD3 and the Payment Services Regulation expand the framework to require payee name verification, mandate broader APP scam protections, tighten transaction monitoring timelines, and introduce granular fraud reporting obligations. PSD3 is not a replacement; it builds on PSD2's foundations and closes gaps the current fraud data has exposed.
What is dynamic linking in SCA?
Dynamic linking is a PSD2 requirement that authentication codes must be uniquely tied to both the specific transaction amount and the specific payee at the moment of authentication. If the payment amount or destination changes after the code is generated, the code becomes invalid. This prevents man-in-the-browser attacks where an attacker intercepts a legitimate authentication flow and redirects the payment to a different account.
