Payment service providers (PSPs) are being forced to rethink how they balance security with customer experience as regulation shifts from PSD2 to the third Payment Services Directive (PSD3).
Strong Customer Authentication (SCA) remains essential for combating fraud, but applying it to every transaction adds friction that frustrates customers and can cost revenue. To address this, the regulatory technical standards allow transaction risk analysis (TRA) to exempt low‑risk transactions from SCA where a firm can demonstrate strong controls, effective monitoring and consistently low fraud rates. The exemption is conditional: it is available only for transactions below an exemption threshold value, and the threshold a PSP may use depends on the fraud rate it can evidence for that payment type.
Fraud risk management is an increasing focus in PSD3, which introduces significant financial penalties for non-compliance with fraud prevention and SCA requirements (maximum fines of at least 10% of annual turnover for companies). Expectations around data quality, behavioural analytics, fraud modelling and reporting will also increase substantially, and the regulation is moving away from prescriptive SCA exemption checklists towards proving consistently low fraud levels through risk-based controls. In this environment, full TRA capability is a must-have.
What is transaction risk analysis?
TRA is the practice of risk-assessing electronic transactions in real time, using analytics (increasingly machine learning) to look for anomalies or unusual patterns that could indicate fraud or regulatory violations. Transactions deemed low risk can be exempted from SCA. A compliant TRA engine will analyse multiple data points to distinguish legitimate transactions from potential fraud, including:
- Spending patterns of the individual payment service user.
- Behavioural biometrics such as typing patterns and mouse movements.
- Historical transaction data for all users.
- Location and device indicators.
- Cyber‑risk indicators and known fraud typologies.
These factors are combined to produce a transaction‑level risk score that supports a consistent, explainable and auditable SCA exemption decision.
PSD3: what’s changing?
PSD3 further strengthens expectations for contextual, risk‑based authentication, and firms will need to upgrade their fraud management capabilities accordingly. Key enhancements include:
- Richer transactional and behavioural data: more granular inputs to improve fraud detection accuracy.
- Advanced behavioural analysis: machine learning‑ready analytics to identify subtle anomalies.
- Improved fraud detection models: more rigorous validation, documentation and model lifecycle management.
- Stronger operational and incident response integration: likely aligned with Digital Operational Resilience Act (DORA) obligations.
- Enhanced transparency and reporting: more detailed regulatory reporting on fraud rates and risk model performance.
Although PSD3 is an EU directive, UK regulators are expected to adopt aligned requirements to maintain payment services interoperability and market confidence.
Regulatory obligations for implementation of TRA
Payment service providers using the SCA exemption based on TRA must undertake:
- Annual internal audits of their TRA methodology, model and fraud rate reporting, which will require the support of technology and payments specialists.
- Independent external audits at least every three years by competent subject matter experts.
- Ongoing monitoring to ensure fraud rates stay below the regulatory thresholds for each exemption threshold value they rely on, so that the exemption is withdrawn or reduced as soon as a threshold is breached.
- Accurate and timely reporting to regulators (eg the FCA in the UK).
Failure to meet these obligations could result in restrictions on SCA exemptions, increased fraud liability and regulatory scrutiny.
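The following is an added example, not code from the original page or from RSM: it ties together the two points above, the factor-based risk score of the "What is transaction risk analysis?" section and the fraud-rate monitoring obligation. The factor weights, merchant-category list, user profile and quarterly fraud figures are all constructed placeholders (a real engine would take its weights from a validated model); the exemption threshold value (ETV) table is assumed from the PSD2 RTS Annex figures for remote card payments and should be treated as configuration to be checked against the final PSD3 technical standards. The point it shows is that the exemption decision is not "low score only": it is low score, and an amount within the ETV that the PSP's own current fraud rate permits, with every input recorded so the decision is explainable and auditable.

```python
"""Illustrative TRA scorer and SCA-exemption gate (added example, not a production engine)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# (ETV in EUR, maximum reference fraud rate in %) for remote card payments.
# Assumed from the PSD2 RTS Annex; keep as configuration and verify against PSD3.
ETV_THRESHOLDS = [(500, 0.01), (250, 0.06), (100, 0.13)]

# Assumed list of merchant categories treated as a known fraud typology.
HIGH_RISK_CATEGORIES = {"gift_cards", "crypto_exchange"}


@dataclass
class UserProfile:
    """Per-user history the engine compares each transaction against (constructed)."""
    avg_amount: float
    usual_countries: set
    known_devices: set
    biometric_match: float  # 0.0-1.0 similarity of typing/mouse behaviour to the user's profile


@dataclass
class Transaction:
    amount: float
    country: str
    device_id: str
    merchant_category: str


def fraud_rate_percent(fraud_value: float, total_value: float) -> float:
    """Value-based fraud rate over the monitoring period, in percent."""
    return 0.0 if total_value <= 0 else 100.0 * fraud_value / total_value


def permitted_etv(fraud_value: float, total_value: float) -> int:
    """Highest ETV the PSP may exempt up to at its current fraud rate; 0 means no TRA exemption."""
    if total_value <= 0:
        return 0  # no volume means no evidence of a low fraud rate
    rate = fraud_rate_percent(fraud_value, total_value)
    for etv, max_rate in ETV_THRESHOLDS:  # ordered from highest ETV (strictest rate) downwards
        if rate <= max_rate:
            return etv
    return 0


def score_transaction(tx: Transaction, profile: UserProfile) -> tuple:
    """Combine the listed factors into a 0-100 risk score plus per-factor contributions.

    Weights are placeholders; a real engine would take them from a validated model.
    """
    contributions = {}
    if profile.avg_amount > 0 and tx.amount > 3 * profile.avg_amount:
        contributions["amount_vs_spending_pattern"] = 30
    if tx.country not in profile.usual_countries:
        contributions["unusual_country"] = 25
    if tx.device_id not in profile.known_devices:
        contributions["unknown_device"] = 20
    if profile.biometric_match < 0.5:
        contributions["behavioural_biometric_mismatch"] = 25
    if tx.merchant_category in HIGH_RISK_CATEGORIES:
        contributions["known_fraud_typology"] = 15
    return min(100, sum(contributions.values())), contributions


def sca_exemption_decision(tx, profile, fraud_value, total_value, low_risk_cutoff=20):
    """Decide whether tx may skip SCA under TRA and return an auditable record of why."""
    risk_score, contributions = score_transaction(tx, profile)
    etv = permitted_etv(fraud_value, total_value)
    blockers = []
    if risk_score >= low_risk_cutoff:
        blockers.append("risk_score_not_low")
    if etv == 0:
        blockers.append("fraud_rate_above_all_thresholds")
    elif tx.amount > etv:
        blockers.append("amount_above_permitted_etv")
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "amount": tx.amount,
        "risk_score": risk_score,
        "contributions": contributions,  # the explainable part of the record
        "fraud_rate_percent": round(fraud_rate_percent(fraud_value, total_value), 4),
        "permitted_etv": etv,
        "exempt": not blockers,
        "blockers": blockers,
    }


if __name__ == "__main__":
    # Constructed sample data: one established user and the PSP's quarterly fraud figures.
    profile = UserProfile(avg_amount=45.0, usual_countries={"GB"},
                          known_devices={"dev-a1"}, biometric_match=0.92)
    fraud_eur, total_eur = 50.0, 100_000.0  # 0.05 %, so the permitted ETV is 250
    print(sca_exemption_decision(Transaction(40.0, "GB", "dev-a1", "grocery"),
                                 profile, fraud_eur, total_eur))
    print(sca_exemption_decision(Transaction(40.0, "RO", "dev-zz", "gift_cards"),
                                 profile, fraud_eur, total_eur))
```

Two design choices matter for audit: the fraud-rate figures are passed in rather than read from a global, so the record captures exactly which monitoring period justified the ETV, and a transaction is refused exemption for an amount above the permitted ETV even when its risk score is zero. If a quarter's fraud rate rises above the highest threshold, `permitted_etv` returns 0 and every decision is blocked with `fraud_rate_above_all_thresholds`, which is the behaviour the monitoring obligation requires.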
Benefits of transaction risk analysis readiness
The shift to PSD3 will reshape how firms balance security, fraud prevention, user experience and regulatory risk. Those that enhance TRA capabilities early will benefit from:
- Lower friction and higher payment conversion rates.
- Stronger fraud prevention and reduced losses.
- Greater operational resilience.
- Reduced regulatory exposure.
- Increased consumer trust and commercial competitiveness.
How RSM can support your PSD3 TRA compliance
Our Technology Risk Assurance team brings deep expertise across payments regulation, fraud risk management, cyber security, operational resilience and technology assurance. We support banks, building societies, e‑money institutions, payment institutions and fintechs to confidently navigate PSD2, PSD3, Open Banking, Pay.UK, PCI DSS and SWIFT obligations.
We have extensive experience assessing fraud risk engines, TRA models and SCA exemption processes, and can provide internal audit assurance, internal audit support and independent third-party assessment services. Our engagements provide clear, actionable insights to strengthen your compliance posture.
To discuss how RSM can support your PSD3 readiness or to arrange an independent TRA external audit, please contact Riza Unal, Sheila Pancholi or Steven Snaith.