Infographic showing PSD3 regulatory requirements, a customer facing a suspicious link and a Zero Trust URL Authentication panel verifying whether a link is legitimate before payment.

Banks face new liability under PSD3. Phishing drives most fraud. Zero Trust for links is the missing control.

The Gist

Reuters reported on the new PSD3 agreement and the increased pressure it will place on banks to prevent fraud even as instant payments remove their ability to pause suspicious transactions.

Banks are about to face higher liability under PSD3 at the same time as instant payments remove their last opportunity to intervene. Traditional fraud controls can’t reliably stop phishing because a freshly created phishing link carries little or no history for reputation systems or AI models to analyse. This keeps customers in a permanent state of vigilance and leaves banks exposed.

The EU’s new payment rules introduce stronger liability for fraud, higher expectations for customer protection and tighter standards for payment service providers. On paper this looks like progress. In practice it exposes a problem the security industry has never solved and forces banks to rethink where protection actually happens.

Instant payments remove the last buffer banks once relied on

PSD3 makes banks responsible when fraud occurs and their controls fail. Instant payments remove the time window banks once relied on to freeze or recall suspicious transfers. When money settles in seconds, every downstream control the industry depends on loses most of its value: there is no pause for intervention, no window for behavioural scoring and no way to undo a fraudulent payment once the customer has approved it and the funds have left the account.

This means banks now face a new reality. The only place fraud can be prevented is upstream, before a customer ever engages with a phishing lure. The industry has treated this moment as an education problem for decades. It’s not. It’s the single point in the fraud chain where most major losses begin, yet it remains the one point the traditional security model cannot protect.

Why conventional security fails banks and their customers

Conventional security fails here for a simple reason. Detection needs data. But phishing succeeds because the URLs used in these attacks have little or no history, few signals and nothing for AI or reputation systems to analyse: a domain registered an hour ago looks the same as any other unknown domain. Criminals exploit this architectural weakness rather than any special gullibility in their victims. This is why banks still tell customers to be vigilant and check links themselves. The controls they rely on cannot make the decision on the customer’s behalf.

PSD3 unintentionally magnifies this problem by increasing liability while removing the last buffer of time in which a fraud team could intervene. Banks are expected to absorb greater responsibility without being given tools that actually prevent the fraud upstream. Strong authentication, risk checks and transaction monitoring all activate after trust has already been misplaced. When instant payments remove the gap between approval and settlement, those downstream controls can’t act fast enough to matter.

Banks are being held accountable for outcomes created by an architecture they cannot control. That changes now.

Zero Trust for web links gives banks control at the moment of trust

The industry needs a model that treats the moment of trust as the moment of protection. That requires Zero Trust for web links, where every URL is treated as untrusted until it has been verified as legitimate. It’s a clean break from threat detection, and it’s the first approach that gives banks control over the exact point where phishing succeeds.

MetaCert pioneered this model. Instead of trying to detect what’s dangerous, MetaCert verifies what’s legitimate. When a customer encounters a link that claims to be from their bank, a payment platform, a marketplace, a colleague or a government agency, MetaCert checks that link against a registry of URLs that have already been authenticated as belonging to the real organisation. If the URL has not been verified, it’s treated as untrusted until proven otherwise. This removes the need for customers to inspect URLs manually or rely on gut instinct in the moment that matters most.
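What a default-deny link check looks like in practice, as an added example written for this edit and not MetaCert’s own code or registry: a link is accepted only when its scheme, host and path prefix match an entry in a registry of organisation-verified URLs, and everything else is reported as unverified rather than scored for badness. The registry, the blocklist and the `.example` hostnames are constructed sample data. The example goes a little beyond the paragraph by also showing the host-level tricks a look-alike lure relies on (a suffix domain, the bank’s name in the userinfo part, a homoglyph host, a bare IP) and, for contrast with the previous section, the reputation lookup that returns “unknown” for a domain nobody has reported yet.

```python
"""
Default-deny ("Zero Trust") link verification versus reputation lookup.

Added illustration for this page, not MetaCert's code. The registry and the
blocklist below are constructed sample data on reserved .example hostnames.
"""
from urllib.parse import urlsplit
import ipaddress

# Constructed registry: host -> path prefixes the organisation has had verified.
# In a real deployment this would be populated by the verification service.
VERIFIED_REGISTRY = {
    "www.examplebank.example": {"/"},
    "secure.examplebank.example": {"/login", "/payments"},
    "pay.examplepay.example": {"/"},
}

# Constructed reputation blocklist of the kind conventional detection relies on.
BLOCKLIST = {"known-bad.example"}


def normalise_host(host: str) -> str:
    """Lower-case, strip the trailing dot and IDNA-encode the host.

    IDNA encoding turns a Unicode look-alike such as 'exampleb\u0430nk'
    (Cyrillic a) into an xn-- label, so it can never string-match an
    ASCII registry entry.
    """
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:  # over-long or otherwise invalid label
        return ""


def verify_link(url: str) -> dict:
    """Return {'verified': bool, 'reason': str, 'host': str}.

    Anything that is not an exact scheme + host + path-prefix match against
    the registry is reported as unverified. 'Unverified' means 'unknown',
    not 'malicious': there is no attempt to detect badness.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return {"verified": False, "reason": "unparseable", "host": ""}
    if parts.scheme != "https":
        return {"verified": False, "reason": "scheme", "host": parts.hostname or ""}
    # https://www.examplebank.example@evil.test/ puts the bank's name in userinfo
    if parts.username is not None or parts.password is not None:
        return {"verified": False, "reason": "userinfo", "host": parts.hostname or ""}
    if port not in (None, 443):
        return {"verified": False, "reason": "port", "host": parts.hostname or ""}
    host = normalise_host(parts.hostname or "")
    if not host:
        return {"verified": False, "reason": "no-host", "host": ""}
    try:
        ipaddress.ip_address(host)
        return {"verified": False, "reason": "ip-literal", "host": host}
    except ValueError:
        pass
    prefixes = VERIFIED_REGISTRY.get(host)
    if prefixes is None:
        # Covers fresh domains, look-alikes and suffix tricks such as
        # www.examplebank.example.evil.test: exact host match only, no suffixes.
        return {"verified": False, "reason": "host-not-registered", "host": host}
    path = parts.path or "/"
    for prefix in prefixes:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return {"verified": True, "reason": "registered", "host": host}
    return {"verified": False, "reason": "path-not-registered", "host": host}


def reputation_lookup(url: str) -> str:
    """The conventional blocklist check, for contrast: a URL nobody has
    reported yet comes back 'unknown', which most clients treat as allowed."""
    host = normalise_host(urlsplit(url).hostname or "")
    return "blocked" if host in BLOCKLIST else "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the ones a fresh phishing lure would use.
    samples = [
        "https://www.examplebank.example/help",
        "https://secure.examplebank.example/login?next=/payments",
        "https://www.examplebank.example.evil.test/login",   # suffix trick, fresh domain
        "https://www.examplebank.example@evil.test/login",   # userinfo trick
        "https://www.exampleb\u0430nk.example/login",        # Cyrillic 'a' homoglyph
        "https://203.0.113.10/login",                        # bare IP literal
    ]
    for link in samples:
        print(f"{reputation_lookup(link):8} {verify_link(link)['reason']:20} {link}")
```

Running the block prints one line per sample: the blocklist column reads “unknown” for every fresh lure, while the verification column states why each one fails. The registry match is deliberately exact: a verified host does not vouch for its subdomains or for unregistered paths, which is what makes the model default-deny rather than a whitelist of brands.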

What this means for banks: reduced risk, reduced liability, stronger compliance

For banks, this shifts fraud prevention upstream in a way that reduces liability, operational cost and regulatory exposure. It allows a bank to show that it implemented a real Zero Trust control at the point where phishing begins, not after the customer has already been deceived. It also provides evidence that the bank took every reasonable step to prevent fraud, which strengthens PSD3 compliance, reduces disputes and shortens reimbursement cycles. When a customer was protected by a Zero Trust control before authorising a payment, the bank can demonstrate that it fulfilled its obligations long before the money moved.

What this means for customers: real protection instead of vigilance

For customers, it replaces vigilance with certainty. When they receive an invoice, a payment request, a login page, a social media profile or a QR code, they don’t have to guess whether it’s legitimate. MetaCert’s Link Verifier is available from the share menu on iPhone and Android, which makes it reachable from any app that can share a link. With a simple long press on any link, the customer can see whether the URL belongs to the organisation it claims to represent. They don’t need to copy and paste. They don’t need specialist knowledge. The answer appears instantly because MetaCert did the verification work in advance.

This is what actual protection looks like in a world of instant payments. It allows the decision to be made safely before trust is triggered, not after the transaction has occurred. It helps banks prevent the phishing events that lead to APP fraud, account takeovers and data theft. And it gives customers a clear protective layer they can use across SMS, email, WhatsApp, social media, marketplaces, browsers and QR codes.

Momentum is shifting: the appetite for upstream protection is already here

The payments sector already understands the urgency of this shift. At Sibos, hosted by SWIFT, MetaCert was awarded the Established Trendsetter award, reflecting a growing appetite for upstream protection and a recognition that conventional security models can’t withstand the speed and scale of today’s fraud environment. PSD3 will accelerate this shift even further, and banks will now move towards controls that protect customers where fraud actually starts, not where it ends.

The architecture has changed. The liability has changed. The payment rails have changed. Now the model of protection has to change with it.

You can read the EU’s press release here.
