Protect and detect: staying ahead of payments regulation, sanctions and fraud

Regulators are busy laying the groundwork for wholesale payments to become faster, cheaper, and more transparent.

With the roll-out of ISO 20022, PSD3 on the horizon, SEPA Instant Payments becoming mandatory, and the UK’s New Payments Architecture replacing Faster Payments and eventually BACS, European treasury teams are facing significant change. Meanwhile, corporate sanctions management remains in one of its most complex phases from the past decade. And fraud prevention continues to be a critical concern, as fraudsters evolve at least as quickly as the safeguards developed to keep them out. 

Nothing is certain but death and taxes – or so the saying goes. But regulation could arguably be added to the list, especially in the world of payments. As innovation continues to hot up, with everything from variable recurring payments to Central Bank Digital Currencies (CBDCs) in the spotlight, regulators are working hard to ensure the framework around payments matches the pace and direction in which the industry is travelling. And always with an eye on balancing consumer and business protection against commercial needs, economic drivers, and competitive innovations. 

But payments regulation isn’t always a case of playing catchup with tech and behavioural trends. In fact, PSD2 (and the corresponding UK Payment Services Regulations – PSRs) was the catalyst for arguably one of the most significant shifts in the payments arena in recent times – open banking. Today, discussions are happening around PSD3, and the latest developments will inevitably impact corporate treasury teams. David Malley, Product Development & Innovation, Payments Centre of Excellence, outlines: “In May 2022 the European Commission (EC) issued a public consultation to gather evidence for its review of PSD2. Then, in February 2023, the EC presented a study on the application and impact of PSD2. This outlines whether the objectives of the original directive have been met and explores what improvements should be made in the next iteration. And in the UK, HM Treasury has been asking similar questions through its ‘Call for Evidence’ on the PSRs.”




Then, in late June, the European Commission published its legislative proposal for PSD3 [1], which gives a clear indication of the direction of travel. According to Malley, the key areas of focus relevant to corporate treasury teams are:

  • Open banking and the transition to open finance
  • Strong customer authentication requirements – and striking the right balance
  • Combatting fraud more effectively

Open banking turns up a level

The open banking story is often cited as a slow burn, certainly in mainland Europe. After several years of usage, 2021 stats showed that less than 5% [2] of consumers in the EU were leveraging open banking. But the UK surpassed seven million [3] users for the first time in January 2023, indicating an ongoing growth trend.

Malley believes that EU adoption could be increased much further, and more rapidly, with the simplification that PSD3 promises. He explains: “There is broad recognition that the PSD2 provisions on access to accounts were effective in opening up the market, doing what was always intended in terms of authorised third-party access to information or payment initiation.” But, without doubt, open banking could be improved and expanded, he believes. “Some of the open banking requirements under PSD2 are contradictory, particularly where they interface with SCA. There is some welcome clarification under PSD3 and we hope that any future changes to the UK PSRs will simplify the regimen.”

Elsewhere, Malley also sees a need for the development of more standards around APIs, which are one of the core technologies underpinning open banking. In fact, APIs already enable users to easily trigger single payments and create mandates for variable recurring payments (VRPs). Open APIs have also already empowered account-to-account (A2A) payments by removing the barriers of fragmented legacy rails and introducing pay-by-bank capabilities. And as open banking evolves into open finance, enabling a much broader range of data to be shared and creating opportunities for more tailored financial offerings [4], more APIs will enter the mix, hence the growing need for standardisation.

Although the final text, and indeed the timeline, of PSD3 are still to be determined, corporate treasurers should benefit from the clarification, evolution, and standardisation that is anticipated around open banking. Malley elaborates: “In terms of collecting payments, improvements to open banking will ensure that Payment Initiation Service Provider (PISP) payments are truly competitive. This should then give treasurers some leverage in their negotiations with card providers, for example. More innovative financial solutions should also be able to be plugged directly into bank and corporate systems, thanks to standardised APIs.”

Improving strong customer authentication

The second pillar likely to be addressed under PSD3, SCA, also faces some current challenges, despite its effectiveness. Malley comments: “In both the UK and EU, many market participants would likely say that the SCA requirements, while well-intentioned, are probably over-prescriptive by insisting on two-factor authentication.” Indeed, Malley believes that “SCA can even be considered counterproductive in some situations, especially when we have new tools to predict and prevent fraud, with a focus on risk analysis. The hope is that future developments will place more of an emphasis on outcomes rather than prescriptive factors”.

Avani Patel, Head of Commercial Banking, Fraud Management, adds that: “SCA has helped to reduce fraud losses and even eliminate certain forms of attack, but threats keep evolving and the key challenge is to find an optimum balance between the security of the journey and the user experience as PSD3 progresses.”

Fraud prevention

The third pillar Malley sees as being critical to PSD3 and the PSRs’ review is fraud – with a focus on making electronic payments safer. He says: “There are various ways to achieve this, but in the UK, HM Treasury is certainly looking at slowing down certain high-risk consumer payments as a means to introduce ‘good’ friction and enable thorough checking. Of course, we support good friction, but it has to be sparingly used.” 

Fraud prevention is a particular focus for regulators given the rise of authorised push payment (APP) scams, linked to the rise of real-time payments – which are irrevocable – and evolving technology, says Patel. She comments: “APP scams happen when a person or business is tricked into sending money to a fraudster posing as a genuine payee. The criminal might pretend to be from the payer’s bank, a government entity, a utility company, or housing conveyancer, for example. Often there is a time-sensitive element to the request, and the fraudster will say that money needs to be moved ASAP, putting pressure on the payer.” In the UK alone in 2022 there were 207,372 incidents of APP fraud with gross losses of £485.2m [5]. “Among the tools and services UK banks offer to help fight APP fraud and reduce misdirected payments are confirmation of payee [CoP] and request to pay,” says Patel. “As David mentioned, it is also about introducing ‘good’ friction into the payment process in order to allow time to determine that a payment is ‘right’ – and we are likely to see more focus from regulators on this in the future.”

All hail ISO 20022

Alongside PSD3 and the reviewed PSRs, one initiative that should help to reduce fraud through the standardisation of payments and the proliferation of rich data is ISO 20022 XML. Malley comments: “As all treasurers will know by now, SWIFT’s ISO 20022 migration will drive better quality of outgoing messaging and ultimately improve cross-border payments and reporting.” Although the majority of ISO 20022 work and benefits will fall on financial institutions, corporates will ultimately benefit from enriched data, believes Malley. “With improved data, as well as tracking and tracing capabilities, corporates may find themselves able to project inbound and outbound flows more accurately, in turn helping to optimise working capital. Structured remittance data should also lead to improved reconciliation and enable further automation in workflows. These are just two examples, but more use cases will become evident as the ISO migration takes hold.”


It is no surprise, then, that one of the tenets of the UK’s New Payments Architecture (NPA) is to adopt ISO 20022 as soon as possible – as a means of keeping the UK at the forefront of payments innovation. The NPA will replace the existing UK Faster Payments scheme and lays out the framework for a replacement to the BACS scheme, in time. And in April 2023, the NPA certification-testing window opened for all interested financial institutions. Malley adds: “It’s now expected that NPA will replace Faster Payments in 2026. And Pay.UK is targeting 2028 for the BACS replacement.” 

In the meantime, there will be a consultation later this year on how BACS should move across to NPA. “This is something I urge corporate treasurers and their payables departments to look out for because it could be quite a significant change – certainly beneficial but it needs to happen in a measured way that corporates are prepared for.” At the same time, the UK has been looking to build more innovative elements into its real-time gross settlement (RTGS) engine. The UK RTGS Roadmap 2024, issued by the Bank of England (BoE) in February 2023, will see the service gradually extending its hours of operation, in a phased approach, perhaps ultimately moving to 24/7, says Malley – although this will present many challenges and is a long way off.

“The roadmap also outlines plans for a new channel to send and receive payments alongside the SWIFT network. This includes considerations about providing a common contingency messaging channel – a solution available to all participants, including a protocol and an infrastructure for data transfer.” In addition, the consultation also outlined a new approach to CBDCs and the wholesale market, which the BoE sees as being fulfilled through the RTGS, says Malley. “There is more focus on a retail CBDC at present in the UK. But the wholesale element is also important. And the key is how you can synchronise settlement so that the payment and asset exchange happen simultaneously.”

Meanwhile, in Europe, the European Commission published proposals for the regulation of a digital euro in June. And there is more progress being made in the wholesale CBDC conversation in mainland Europe than the UK, with pilots happening in France and Switzerland, for example. Malley believes this could have potential impacts for treasurers in terms of the future of payments (the sixth instalment of this series will provide more detail on CBDCs and how treasurers can prepare).

SEPA Instant becomes mandatory

Just as the UK is revisiting its instant payment mechanisms and engines, Europe is also revising its real-time payments landscape. “The European Commission has mandated that instant payments in euro must be available to all citizens and businesses holding a bank account in the EU and in EEA countries,” says Malley. The proposal, which amends and modernises the 2012 regulation on the Single Euro Payments Area (SEPA), aims to ensure that instant payments in euro are affordable, secure, and processed without hindrance across the EU. This will rely on increasing trust in instant euro payments, with an obligation on providers to verify the match between the bank account number (IBAN) and the name of the beneficiary provided by the payer in order to alert the payer of a possible mistake or fraud before the payment is made [6].


“Effective sanctions screening is vital for corporate treasurers at a time when geopolitical events and outdated systems in parts of the banking sector have increased the risks of operating internationally.”


In addition, the proposal requires the removal of friction in the processing of instant euro payments, while preserving the effectiveness of screening of persons that are subject to EU sanctions, through a procedure whereby payment service providers (PSPs) will verify their clients against EU sanctions lists at least daily, instead of screening all transactions one by one [7]. 

According to Malley, it is likely to be the end of 2024 before sending and receiving instant euro payments is mandatory for EU PSPs in the Eurozone (who offer their customers the sending and receiving of euro credit transfers) and the end of 2026 before they also become mandatory for EU PSPs outside the Eurozone. “While there is significant work to be done to implement the changes, we believe the shift from next-day transfers to transactions being completed ‘within ten seconds’ will be broadly beneficial for all involved, including treasury teams,” he observes.

Embracing the change

Summarising the shifts in the regulatory, fraud, and sanctions landscapes, Malley comments: “Change is the way of the world. Treasurers can no longer afford to live in the past or only look at what’s happening in the present. The future is being shaped today, and there are potential cash and risk management benefits to be had by being part of those conversations early on and seizing the opportunities on offer.”

All six parts of our “Essential Guide to Treasury Payments and Embedded Finance” will be published on our dedicated Hub, so do regularly check this for new instalments. They will also be published on the TMI website, with whom we have collaborated on this series.


[1] Please note: the June proposals actually include several elements. Much of what was in PSD2 is proposed to be in a new Payments Services Regulation, while the Payment Services Directive itself focuses on authorisation of firms including for electronic money. In this article we refer to PSD3 for convenience. The legislative process still has a way to go.

[2], [4] ec.europa.eu - keynote speech: From Open Banking to Open Finance

[3] openbanking.org.uk - UK reaches 7 million Open Banking users milestone

[5] ukfinance.org.uk - Over £1.2 billion stolen through fraud in 2022, with nearly 80 per cent of APP fraud cases starting online

[6], [7] ec.europa.eu - European Commission proposes to accelerate the rollout of instant payments in euro

This article has been prepared for information purposes only, does not constitute an analysis of all potentially material issues and is subject to change at any time without prior notice. NatWest Markets does not undertake to update you of such changes. It is indicative only and is not binding. Other than as indicated, this article has been prepared on the basis of publicly available information believed to be reliable but no representation, warranty, undertaking or assurance of any kind, express or implied, is made as to the adequacy, accuracy, completeness or reasonableness of the information contained in this article, nor does NatWest Markets accept any obligation to any recipient to update or correct any information contained herein. Views expressed herein are not intended to be and should not be viewed as advice or as a personal recommendation. The views expressed herein may not be objective or independent of the interests of the authors or other NatWest Markets trading desks, who may be active participants in the markets, investments or strategies referred to in this article. NatWest Markets will not act and has not acted as your legal, tax, regulatory, accounting or investment adviser; nor does NatWest Markets owe any fiduciary duties to you in connection with this, and/or any related transaction and no reliance may be placed on NatWest Markets for investment advice or recommendations of any sort. You should make your own independent evaluation of the relevance and adequacy of the information contained in this article and any issues that are of concern to you.

This article does not constitute an offer to buy or sell, or a solicitation of an offer to buy or sell any investment, nor does it constitute an offer to provide any products or services that are capable of acceptance to form a contract. NatWest Markets and each of its respective affiliates accepts no liability whatsoever for any direct, indirect or consequential losses (in contract, tort or otherwise) arising from the use of this material or reliance on the information contained herein. However this shall not restrict, exclude or limit any duty or liability to any person under any applicable laws or regulations of any jurisdiction which may not be lawfully disclaimed.

NatWest Markets Plc. Incorporated and registered in Scotland No. 90312 with limited liability. Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority. NatWest Markets N.V. is incorporated with limited liability in The Netherlands, authorised and supervised by De Nederlandsche Bank, the European Central Bank and the Autoriteit Financiële Markten. It has its seat at Amsterdam, The Netherlands, and is registered in the Commercial Register under number 33002587. Registered Office: Claude Debussylaan 94, Amsterdam, The Netherlands. NatWest Markets Plc is, in certain jurisdictions, an authorised agent of NatWest Markets N.V. and NatWest Markets N.V. is, in certain jurisdictions, an authorised agent of NatWest Markets Plc. NatWest Markets Securities Japan Limited [Kanto Financial Bureau (Kin-sho) No. 202] is authorised and regulated by the Japan Financial Services Agency. Securities business in the United States is conducted through NatWest Markets Securities Inc., a FINRA registered broker-dealer (http://www.finra.org), a SIPC member (www.sipc.org) and a wholly owned indirect subsidiary of NatWest Markets Plc.

Copyright © NatWest Markets Plc. All rights reserved.
