Forthcoming European regulation: who bears liability in cases of online payment fraud?

You believe you're sending a payment request to your daughter, but it turns out to be a fraudster impersonating her on WhatsApp. Or you think you are speaking with your bank, which warns you that your funds are at risk. Increasingly, fraudsters exploit digital communication channels to extract money from victims. In these cases, because you yourself authorised the payment, you are, under current legal frameworks, often held liable for the resulting loss. But is this truly fair?

To better protect consumers in the context of digital payments, Professor of Financial Technology & Law Emanuel van Praag and Professor of European Liability Law Kasper Jansen advocate for a more balanced regulatory approach. Together with academic peers from across the EU and the United Kingdom, they authored the paper Authorised Push Payment Fraud: Suggestions for the Draft Payment Services Regulation, offering recommendations for EU-level legislation aimed at shielding consumers from this increasingly prevalent form of fraud.

The changing face of payment fraud

Payment fraud is no longer confined to stolen cards or compromised PIN codes. Traditionally, fraud cases involved the unauthorised use of stolen cards or login credentials. Such cases fall under the category of unauthorised payments. Today, however, fraud is often executed through so-called 'social engineering' tactics. Criminals deploy psychological manipulation to trick victims into authorising payments themselves, such as through WhatsApp messages from seemingly familiar contacts.

Because the victim explicitly consents to the transaction in these situations, the payment is, in legal terms, considered “authorised.” And therein lies the regulatory gap. Under the European Union’s Payment Services Directive 2 (PSD2), liability for unauthorised transactions lies with the payment service provider, unless the consumer has acted fraudulently, with intent, or with gross negligence. However, where a payment is deliberately authorised, albeit under false pretences, the consumer is generally held liable, as the transaction does not fall under the legal definition of "unauthorised." This means that so-called Authorised Push Payment (APP) fraud currently falls outside the scope of protection afforded by EU legislation. In the Netherlands, banks operate a discretionary goodwill arrangement in such cases, which lacks legal enforceability.

Legislative developments and international academic cooperation

The European Commission recently proposed that payment service providers should bear liability in cases of APP fraud, but only where the fraudster impersonates the victim’s bank or payment service provider. This proposal received broad support from the European Parliament and the Council, both of which advocated for extending liability to other forms of deception, including impersonation via social media or messaging services. This proposed expansion has ignited debate around the proper boundaries of liability.

Professors Van Praag and Jansen took this opportunity to investigate the issue further. Drawing upon their respective fields of expertise, they collaborated with legal scholars from various EU Member States and the UK. The academic response was enthusiastic, and a virtual workshop held in January 2025 laid the groundwork for their joint discussion paper. The result: Authorised Push Payment Fraud: Suggestions for the Draft Payment Services Regulation, a set of carefully considered observations and recommendations for the European legislator.

“Thanks to modern technology, establishing this international collaboration was surprisingly straightforward,” state Van Praag and Jansen. “While the letter of EU law is the same, interpretations and applications across jurisdictions diverge considerably. The practical challenges also differ from country to country, each has its own issues, but the underlying legal questions are often remarkably similar. This comparative perspective proved to be not only enriching but also conducive to consensus on the core recommendations, which was reached more easily than we had expected.”

What needs to change? Seven recommendations for new EU legislation

So what exactly should change? In their report, Van Praag, Jansen and their European colleagues put forward seven specific recommendations for improving EU policy on APP fraud. Their analysis reveals that Member States differ in their treatment of payments made under deception, particularly regarding whether such transactions should still be deemed “authorised.” Moreover, it remains unclear whether, and under what circumstances, payment service providers could be held liable under national legal frameworks supplementing EU law.

The researchers call for a set of clear, harmonised legal rules under the forthcoming Payment Services Regulation. In their view, liability for APP fraud should not be limited to cases involving impersonation of banks. Rather, it should extend to situations where trust in the financial system is otherwise exploited, for example where a fraudster impersonates a police officer or a financial supervisory authority. They also urge the introduction of a clear definition of “gross negligence,” which currently serves as the threshold allowing banks to avoid liability when the consumer is deemed insufficiently vigilant. In addition, they advocate for granting payment service providers more discretion to temporarily block suspicious transactions, as a protective measure against APP fraud.

A key caveat: limiting EU-level liability

However, the scholars also stress that liability at the EU level should remain limited to cases where consumer trust in the financial system itself has been manipulated. Expanding this scope to include all instances of APP fraud, such as romance scams, should, they argue, be left to the discretion of individual Member States. When a consumer is deceived by a fraudster, this is undoubtedly a tragic experience. However, the integrity of the financial system is not directly at stake. Accordingly, liability for payment service providers in such scenarios is, in principle, not justified.

The Dutch context: a high bar for duty of care

In the Netherlands, victims of APP fraud have sought to hold payment service providers liable not only via the aforementioned goodwill policy but also by invoking the providers’ general duty of care. Thus far, such efforts have met with limited success. Unlike in Belgium, there is no legal barrier to such claims in the Netherlands, but the evidentiary and legal threshold remains high.

Consider a recent case in which a woman lost nearly €39,000 after receiving a call from a fraudster claiming to be from De Nederlandsche Bank, warning her of suspicious activity on her account. Believing the warning to be genuine, she authorised several payments, thinking she was protecting her funds. Rabobank refused to compensate her. The woman filed a complaint with the Dutch Financial Services Complaints Board (Kifid), but the Disputes Committee rejected the claim, reasoning that the payments were authorised and that the fraudster had not impersonated Rabobank, but rather De Nederlandsche Bank, thus falling outside the goodwill policy’s definition of “spoofing.”

“This case highlights the inadequacies of the current legal protections,” note Van Praag and Jansen. “From the consumer’s perspective, there is little difference between a call from one’s own bank and one from the central bank. In fact, a message purporting to come from the latter is arguably even more compelling. If trust in the payment system is to be preserved, more balanced regulation is essential. Our discussions with colleagues from other EU countries reveal that this issue is widely recognised, and that there is a shared need for both enhanced protection and clearly defined limits. Our proposal seeks to meet both needs.”

More information

The full legal analysis and policy recommendations of Professors Jansen, Van Praag and their European colleagues are detailed in the paper Authorised Push Payment Fraud: Suggestions for the Draft Payment Services Regulation.
