European Council reaches agreement on PSD3 and PSR

The Council of the European Union announced that agreement has been reached within the Council on its negotiating position on the payment services regulation – Payment Services Regulation (PSR) – and the new payment services directive – Payment Services Directive (PSD3).

Announcement

The announcement states, among other things, that data sharing by financial institutions (FIs) will be made easier, which is something the Netherlands had asked for (see the second paragraph of the quotation below). The request by FIs to be allowed to share data with telecom companies and the antisocial media (see the third paragraph of the quotation below) is also granted.

Read the announcement (machine translation, emphasis mine), which includes the following:

Tackling payment fraud and improving consumer protection and transparency

The proposals aim to introduce a comprehensive anti-fraud framework. This can help tackle increasingly common new forms of payment fraud, such as so-called 'spoofing' fraud, in which a fraudster impersonates a customer's payment service provider in order to gain trust and induce the user to carry out financial transactions.

Payment service providers will, among other things, have to exchange fraud-related information with each other and set up a system allowing IBAN numbers to be checked against the name of the corresponding bank account before money is transferred to it.

The Council's negotiating mandate strengthens the anti-fraud aspects of the proposals by bringing providers of electronic communications services, such as internet carriers and messaging platforms, within the scope of fraud prevention. It makes clearer that consumers must not be disadvantaged as a result of fraudulent conduct and stresses that the new legislation must be closely aligned with EU data protection law.

The new rules also provide more transparency for ATM transactions, with all charges and exchange rates to be stated before a transaction takes place. The Council has introduced further provisions to increase transparency about fees and rules for payment card schemes. Overall, consumers and businesses in the EU will have a better overview of the applicable fees and will therefore be able to make better choices.

New technological developments

The proposals also aim to adapt the EU's payment services landscape to new and innovative ways of making payments. Innovative payment initiation service providers and account information service providers will be able to offer their customers more useful and modern payment services thanks to improved access to all necessary bank account information. While the Council's position supports innovation in the payment services sector, it also argues for building in safeguards in this area.

Articles from the PSR proposal on combating crime and data protection

Below are some provisions from the PSR proposal.

The PSR proposal contains an article on cooperation to combat fraud and the like, see:

Article 59a Cross-sectoral cooperation for the purpose of fraud prevention and detection

1. For the purpose of preventing and detecting fraud, including that referred to in Article 59(1), providers of ‘electronic communications services’ as defined in Article 2(4), point (b), of Directive (EU) 2018/1972 shall have in place measures to ensure effective cooperation with payment service providers, having regard to the technical characteristics of each of their services.

For the purpose of the first subparagraph, without prejudice to Directive (EU) 2022/2555, Directive 2002/58/EC or Article 91 of this Regulation, electronic communications services providers shall establish dedicated communication channels with payment service providers, or participate in a system for effective communication, or in an information sharing mechanism, to allow for faster and more effective sharing of any information that could be useful in the prevention and detection of fraud within the meaning of this Regulation and in compliance with Regulation (EU) 2016/679 and Directive 2002/58/EC.

Personal data should only be processed to the extent strictly necessary for the establishment of such communication channels and should be subject to robust safeguards in conformity with Regulation (EU) 2016/679 in relation to confidentiality, data protection and use of information.

2. The Commission and the European Board of Digital Services shall encourage and facilitate the drawing up of a voluntary code of conduct at Union level to foster prevention, enhance security and combat payment fraud and financial scams, under the conditions set out in Article 45 of Regulation 2022/2065.

3. Electronic communications services providers as defined under Article 2(4), point b of the Directive (EU) 2018/1972 shall take all reasonable organizational and technical measures to detect and prevent fraud within their sphere of competence, in accordance with applicable Union and national law.

On the refusal of a transaction (without prejudice to Article 71 AMLR), see:

Article 65 Refusal to execute a payment order

1. Where all of the conditions set out in the payer’s framework contract are met, and without prejudice to the obligation to refrain from executing the transaction under article 71 AMLR, the payer’s payment service provider shall not refuse to execute an authorised payment transaction, irrespective of whether the payment order is placed by a payer, including through a payment initiation service provider, or by or through a payee, unless relevant Union or national law provides otherwise.

1.a By way of derogation from paragraph 1 and without prejudice to the obligation to refrain from executing the transaction under Article 71 AMLR, the payer’s payment service provider shall refuse to execute a payment transaction under the conditions provided for in this paragraph.
Without prejudice to Article 69(1), where, based on the transaction monitoring referred to in Article 83 or on any other relevant information available to the payment service provider, the payer’s payment service provider has duly justified and reasonable grounds to suspect that the transaction is fraudulent, the payer’s payment service provider shall suspend the execution of a payment transaction.
Without undue delay from the suspension of the transaction, unless prohibited by other relevant Union or national law, the payment service provider shall notify the payer, in an agreed manner, of any information or action needed from the payer to enable the payment service provider to assess, whether the reasons for such suspension are still justified. The notification shall give the payer sufficient information to enable the payer to understand the risks that the payment service provider has identified. Within the timelines specified in Article 69(1), the payment service provider shall make all reasonable efforts to contact the payer before taking a decision regarding the suspended transaction.
The obligation in the previous subparagraph shall not apply in the case of instant credit transfers. In such cases or where it has not been possible for the payer’s payment service provider to receive information from the payer within the timelines specified in Article 69(1), the payment service provider shall assess, based on the transaction monitoring referred to in paragraph 1, and on any other relevant information available to the payment service provider, whether or not to execute the payment order.
For the purpose of this Regulation, the fact that a payment order is unusual shall not by itself constitute reasonable grounds to suspect fraud.

2. Where, on the basis of the assessment in paragraph 1a, the payment service provider refuses to execute a payment order or to initiate a payment transaction, the payer’s payment service provider shall notify the payer and, where applicable, the payment initiation service provider, of the refusal and, the reasons for that refusal and the procedure for correcting the decision to refuse to execute the transaction, unless prohibited by other relevant Union or national law.
The payment service provider shall provide the notification in an agreed manner and without undue delay, and in any case within the periods specified in Article 69. In the case of instant credit transfers, the payer’s payment service provider shall provide the notification of the refusal within 10 seconds of the time of receipt of the payment order by the payer’s payment service provider, and provide the reasons for the refusal without undue delay, unless prohibited by other relevant Union or national law.
The framework contract may include a condition that the payment service provider may charge a reasonable fee for such a refusal if the refusal is objectively justified, but not in the case of a refusal due to a suspected fraudulent transaction.

3. For the purposes of Articles 69 and 75 a payment order whose execution has been refused shall be deemed not to have been received.

See also Article 69(2a) on withholding a transaction:

2a. By way of derogation from paragraph 2 and without prejudice to the obligation to refrain from executing the transaction under article 71 AMLR, if, based on the transaction monitoring referred to in Article 83 or on any relevant information available to the payment service provider, there are reasonable grounds to suspect a fraudulent payment transaction, the payee’s payment service provider may postpone making the funds available to the payee. The payee’s payment service provider shall, without undue delay and within a maximum of two working days from the discovery of the suspicion, assess whether the reasons for such postponement are still justified. Moreover, without undue delay after the discovery of the suspicion, the payee’s payment service provider shall notify the payer’s payment service provider and the payee of the assessment that is being conducted, unless prohibited by other relevant Union or national law, in order to allow both the payee and the payer to express their views and where necessary, to contest the decision to postpone making the funds available. On the basis of this assessment, the payee’s payment service provider shall either make the funds available to the payee or, if the transaction is deemed fraudulent, return the funds to the payer’s payment service provider.

See also Article 110c on that subject:

Article 110c Amendment to Regulation (EU) No 2024/886

Article 5a is amended as follows:
The following paragraph 6a is inserted:

‘6a. In order to prevent fraud and in accordance with Regulation (EU) xxxx of the European Parliament and of the Council of xxx on payment services in the internal market and amending Regulation (EU) No 1093/2010, the payment service provider may decide not to execute the instant credit transfer, upon careful assessment of the risk of fraud and damage.’ In such case, the payer and, where applicable, the payment initiation service provider, shall be notified by the payment service provider of the payer within 10 seconds of the time of receipt of the payment order for an instant credit transfer by the payer’s PSP and, in accordance with paragraph 5, the payment service provider of the payer shall immediately restore the payment account of the payer to the state in which it would have been had the transaction not been initiated.’

Under Article 80 of the proposal, payment service providers may process special categories of personal data:

Article 80 Data protection

Payment systems and payment service providers shall be allowed to process special categories of personal data as referred to in Article 9(1) of Regulation (EU) 2016/679 and Article 10(1) of Regulation (EU) 2018/1725 to the extent necessary for the provision of payment services and for compliance with obligations under this Regulation, in the public interest of the well-functioning of the internal market for payment services, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons, including the following:

(a) technical measures to ensure compliance with the principles of purpose limitation, data minimisation and storage limitation, as laid down in Regulation (EU) 2016/679, including technical limitations on the re-use of data and use of state-of-the-art security and privacy-preserving measures, including pseudonymisation, or encryption;
(b) organizational measures, including training on processing special categories of data, limiting access to special categories of data and recording such access.

Article 83 deals with transaction monitoring:

Article 83 Transaction monitoring mechanisms

Payment service providers shall have transaction monitoring mechanisms in place that:

(a) support the application of strong customer authentication in accordance with Article 85;
(b) exempt the application of strong customer authentication based on the criteria under Article 85(11), subject to specified and limited conditions based on the level of risk involved, the types and details of the data assessed by the payment service provider;
(c) enable payment service providers to prevent and detect potentially fraudulent payment transactions, including transactions involving payment initiation services.

1a. The payment service provider of the payer shall carry out the transaction monitoring referred to in paragraph 1 prior to the execution of a payment transaction. Without prejudice to Article 69(2), the payment service provider of the payee shall also carry out transaction monitoring of received payment transactions.
Where such monitoring does not take place in a specific transaction, the payment service provider shall bear liability for the damage incurred. The payer shall not bear any financial consequences from that specific transaction, except where the payer has acted fraudulently.
The burden to prove that there was no breach of this Article shall be on the payment service provider.

1b. Without prejudice to this Article, the provisions of Chapter 4 of this Regulation are applicable in cases when the payment service user is entitled to a refund from the payment service provider of a fraudulent payment transaction based on the liability shift in this Article.

2. Transaction monitoring mechanisms shall be based on the analysis of previous payment transactions and access to payment accounts online. Processing by the payment service provider of the payer shall be limited to the following data, insofar as necessary to achieve required for the purposes referred to in paragraph 1:

(a) information on the payment service user payer, including the environmental and behavioural characteristics which are typical of the payment service user payer in the circumstances of a normal use of the personalised security credentials;
(b) information on the payment account, including the payment transaction history;
(c) transaction information, including the transaction amount, payment instrument, if applicable, currency, date and time of execution, as well as and unique identifier of the payee;
(d) session data, including the device internet protocol address-range from which the payment account has been accessed, from which the transaction was initiated and from which the transaction was authenticated.;
(e) device data, including device identifiers from which the transaction was initiated and from which the transaction was authenticated.

Processing by the payment service provider of the payee shall be limited to the following data, insofar as necessary to achieve the purpose referred to in paragraph 1, as applicable:

(a) information on the payee;
(b) information on the payment account of the payee, including the payment transaction history;
(c) transaction information, including the transaction amount, payment instrument, if applicable, currency, date and time of execution, as well as the name of the payer;
(d) session data;
(e) device data, including device identifiers.

Article 83a Fraud data sharing

1. Payment service providers shall exchange data with other payment service providers who are subject to an information sharing arrangement as referred to in paragraph (3) to the extent strictly necessary to comply with their obligations in Article 83(1), point (c), where the payment service provider has reasonable and objective grounds to suspect fraudulent behaviour by a payment service user. The catalogue of data to be shared shall be limited to the data listed in Article 83(2), including the payment service provider’s account of the reasonable and objective grounds that gave rise to the suspicion of fraudulent behaviour on basis of that data. Information on the environmental and behavioural characteristics which are typical of the payer in the circumstances of a normal use of the personalised security credentials shall be excluded from data sharing under this Article.

1a. Payment service providers shall implement appropriate technical and organisational measures, including measures to allow pseudonymisation, to ensure a level of security and confidentiality proportionate to the nature and extent of the information exchanged.

2. Payment service providers shall not keep data obtained following the information exchange referred to in this paragraph and paragraph 1 for longer than it is necessary for the purposes laid down in Article 83(1a) but no longer than 5 years after the suspected fraudulent transaction has taken place.

3. The information sharing arrangements shall specify the details of participation and the details of operational elements, including the use of dedicated IT platforms. Before concluding such arrangements, payment service providers shall jointly carry out a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679 and, where applicable, prior consultation of the supervisory authority in accordance with Article 36 of that Regulation.

Why is paragraph 4 missing?

5. Payment service providers shall not rely solely on the information received in the context of the data sharing referred to in para. 1 to comply with the requirements of this Regulation and shall not draw conclusions or take decisions that have an impact on the business relationship with the payment service user or on the execution of a payment transaction on the basis of information received from other payment service providers who are subject to an information sharing arrangement without having assessed that information.

6. For the purposes of this Article, Member States shall ensure that appropriate measures are in place so that the payment service providers are also able to share the data referred to in paragraph 1 with the relevant national authorities in accordance with national law.

Article 83b Platform on combatting fraud

1. The Commission shall establish a Platform on combatting fraud in the area of payments services in the Union (the ‘Platform’). Its composition shall be a broad and balanced mix of representatives and experts from both the public and private sectors, who have proven knowledge and experience in the field of payment services fraud.

2. The Platform shall:
(a) advise the Commission on developing and monitoring the implementation of legal acts aimed at combatting fraud in the area of payment services;
(b) issue recommendations to the Commission and the European Board of Digital Services for the purpose of the drawing up of the voluntary code of conduct referred to in Article 59a(3);
(c) share information on and analyse trends in fraud in the area of payment services;
(d) share information on measures to combat fraud in the area of payments services, including mitigation measures;
(e) share information on ways to improve cross-border and cross-sectoral cooperation on the means of combatting fraud in the area of payment services.

3. The Platform shall be chaired by the Commission and constituted in accordance with the horizontal rules on the creation and operation of Commission expert groups.

4. The Platform shall report annually on its activities to the European Parliament and the Council.

Article 91 of the PSR proposal contains provisions on the powers of authorities in connection with investigation and enforcement, including the power to enter homes and business premises (paragraph 5(d)), to request telecom data (paragraph 5(e)), to seize assets (paragraph 5(f)), to restrict access to online interfaces and the like (paragraph 5(h)), to prohibit the offering of services (paragraph 5(i)), to publish the measures (paragraph 5(o) and (r)) and to inform the public (paragraph 5(q)).

Articles 96 to 99 contain hefty sanctions, which may also take the form of periodic penalty payments (Article 98).

Finally

Further study is needed to grasp the precise meaning of the proposals. The following observations can already be made.

Risk for counterparties
Facilitated access to bank account information (the last paragraph of the quotation from the announcement) can create risks for the counterparties to the transactions of the person who gives consent.
An example (which I mentioned earlier) is the account holder – say, a supermarket – that opens its account to 'innovative' tech companies, which can then run off with the data of the supermarket's customers.

A new opportunity for the banking dragnet?
It will be interesting to see whether PSR and PSD3 provide a route to enabling the banking dragnet (with joint transaction monitoring), possibly in combination with the facilities included in the AML Package.
Such financial surveillance sits uneasily with the fundamental rights of European citizens, as laid down in, among others, the GDPR and the Charter.


More information:

Earlier articles on PSR and PSD3
In 2023 I wrote about the package that these two proposals form part of, which also includes the open finance proposal – Regulation on a framework for financial data access (FIDA Regulation) – see also this. Today's press release does not deal with that.


About Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: good intentions do not justify bad rules
This post was filed under Europe, Financial law (including Wft, Wtt), Fraud, anti-money laundering, Wwft.

1 Response to European Council reaches agreement on PSD3 and PSR

  1. Ellen Timmer wrote:

    The Betaalvereniging (Dutch Payments Association) reported in its journal:

    The legislative proposal entered the so-called trilogue phase in July 2025, in which the EC, the EP and the Council negotiate the final texts of PSR and PSD3. If handled smoothly, this could be completed by the end of 2025.
    Further steps follow after that, so official publication is not expected until 2026. From that moment an implementation period of about 18 months applies.

    For more information they refer to the PSD2 page, which also covers PSD3 and PSR.
