On behalf of the European Fintech Association (EFA) and the European Digital Payments Industry
Alliance (EDPIA) we would like to emphasise the importance of introducing a shared liability regime for
impersonation fraud under article 59 and relevant Recitals in the final text of the EU Payment Services
Regulation (PSR), which is currently under negotiation.

Authorised push payment (APP), including impersonation fraud, has emerged as one of the most
significant and rapidly expanding forms of cyber-enabled crime globally, including in the EU. These
typologies exploit social engineering techniques to manipulate consumers into authorising payments
or disclosing sensitive information. Increasingly, individuals are being targeted through a range of
deceptive methods, including spoofed telephone calls, fraudulent SMS messages, phishing emails,
and the dissemination of misleading or fraudulent content across online and social media platforms.
Generative AI represents a fundamental shift, enabling voice and identity impersonation as well as
sophisticated automated fraud attacks that can bypass traditional diligence and investigation tools at
scale. As a result, APP fraud now represents a major threat to consumer trust, financial stability, and
the integrity of the EU payments landscape.

In most cases, consumers are first exposed to APP fraud through online platforms, social media, or
directly via their mobile devices through SMS or messaging applications – outside the remit of the
financial sector. Criminals leverage these channels to cultivate trust with victims well before any
financial transaction occurs. By the time a payment is initiated through a payment service provider
(PSP), the victim has already been deceived. Evidence indicates that more than half of scams originate
on non-payment platforms such as social media (e.g., Facebook, TikTok, Instagram), traditional
telecommunications channels (e.g., spoofed phone calls, text messaging), or messaging applications
(e.g., WhatsApp, Signal). Despite this, PSPs remain the only actors in the fraud chain currently
expected to detect, prevent, and, where unsuccessful, reimburse fraudulent transactions – even
though the root cause and early stages of these scams lie beyond their control. One sector alone
cannot manage risk across the entire digital economy.

By providing a model where only PSPs are liable to refund consumers, the current PSR proposal is
placing disproportionate burdens on PSPs, creating an unlevel playing field across the ecosystem and
undermining innovation. More critically, this approach also fails to address fraud at its actual
source:by focusing solely on the point of payment, rather than the origin of fraudulent activity, the
proposal risks entrenching existing criminal methodologies, allowing fraudsters to continue exploiting
systemic gaps with impunity. Lastly, placing the liability for APP fraud only on PSPs also
inappropriately absolves other ecosystem players from their responsibility for what is fundamentally a
collective action problem.

EFA members strongly support consumer protection and security as well as the safeguard of the
integrity and well-functioning of the EU payment ecosystem. In light of this, and to ensure all the
relevant actors in the payment chain carry out fraud prevention and mitigation activities
appropriately, EFA members recommend that the PSR should introduce shared liability across the
fraud chain. Intermediaries such as telecom operators and online platforms must share responsibility
when fraud originates or is facilitated within their domains , as recognised by the European Parliament
in its position and in line with the governance and transparency framework required by the Digital
Services Act (DSA) to support fraud detection and mitigation.

A shared liability model across the fraud chain would deliver several key benefits: