If a criminal tricks you into paying, you should get your money back — no matter who they pretended to be. Sign to tell the EU to fix this now

Why we petition
Scammers tricked you into sending money. You entered the code because you were lied to. Your bank refused to refund and blamed you. Banks profit from fast, digital payments — and they also hold the keys to stop fraud: they control the rails, can run name–IBAN checks, show clear warnings with friction/cooling-off, apply risk-based holds and behavioural monitoring, and shut down mule accounts. If anyone can prevent and fix these losses, it’s the banks.

Lawmakers across the world are finally waking up: those who profit from the rails must also own the risk. The EU is rewriting its rules right now.

The fix should be simple — refund all tricked payments. But after heavy lobbying by the banking industry, the EU’s latest position would refund only when the criminal pretends to be your bank.

If the criminal pretends to be the police, a regulator, an investment firm, or anyone else, the bank can still say: “no refund.”

That’s arbitrary. Same trick. Same loss. Fraud is fraud. We demand that the EU require banks to refund ALL tricked payments — not just the “pretend-to-be-your-bank” cases.

Deception is not consent. And the EU promised that digital finance would not weaken consumer protection. Keep that promise

Who we are
We are the European Funds Recovery Initiative (EFRI), a non-profit representing 1,600+ victims across 20 countries who lost €60.5m+ to cyber-enabled investment scams and other payment frauds. 96% of losses were authorised after social engineering or remote-access manipulation. Victims are overwhelmingly long-standing retail banking customers. They are not reckless; they are targeted.

The problem in one sentence
EU law still treats tricked payments as “authorised” merely because technical authentication was completed — even where the payer’s will was vitiated by criminal deception. The result: victims carry the loss while PSPs that operate and profit from the rails bear almost none of the cost.

Why the proposed rules fail

On 18 June 2025, the Council approved its General Approach to the new refund rules in the PSR/PSD3 package. It claims “better protection,” but Article 59 PSR (Council text) requires reimbursement only when the fraudster pretends to be the consumer’s own PSP using channels attributed to that PSP. 

Impersonation of the police, regulators or investment scammers? Out of scope. Same deception, same harm — different outcome.  

This approach:

• Rewards form over substance — it toggles protection based on who the fraudster pretended to be, not on the outcome (a transfer caused by deception).
• Undermines technology-neutrality — liability hinges on the criminal’s pretext, not on whether consent was freely and knowingly given.
• Erodes trust — refused victims often terminate long-standing banking relationships and reduce digital payment usage — the opposite of Europe’s policy goals.

Our demands — fix PSR/PSD3 in trilogues
We call on EU co-legislators to adopt the following outcomes-based protections:

• Broaden Article 59: Reimbursement must cover all APP fraud where consent was obtained by deception or coercion — including impersonation of police, regulators, courts, merchants, utilities, or any other “relevant entity,” not only the consumer’s PSP.
• Define “authorisation” properly: Clarify that “authorisation” requires free and informed consent. Where consent is vitiated by deception, the payment is to be treated as unauthorised for liability allocation.
• Shared liability and incentives: Place primary reimbursement liability on the payer’s PSP, with a corresponding liability-sharing and recourse regime across the payee’s PSP and intermediaries when AML/KYC, mule-account, or fraud-monitoring failures contributed.
• Effective pre- and post-transaction duties: Impose duty to warn with friction, real-time risk-based holds, and documented customer-contact protocols. Failure to comply should shift liability.
• Real fraud-data sharing: Replace narrow or after-the-fact data-sharing with a proactive, cross-PSP mechanism that flags suspected mule accounts quickly and prevents onward movement of funds.
• Accessible, binding redress: Require fast, binding ADR for cross-border cases and end jurisdictional buck-passing. Consumers must have a workable, EU-wide route to decisions and refunds.
• Preserve the promise of digital finance: Write into the recitals and operative provisions that consumer protection may not be eroded by digitisation, and require periodic public reporting on APP-fraud reimbursement rates by PSP and Member State.

The human and economic case
Payment Fraud is not a niche problem. It is industrialised crime that exploits the same digital payment rails that policy makers promote. Losses are large; psychological harms are severe; trust is evaporating. When honest users cannot rely on the system to put them back where they were before a crime, they retreat from digital payments — harming Europe’s competitiveness and innovation agenda.

Fraud is fraud. Whether the criminal dresses up as a bank clerk, a police officer, a regulator or an investment adviser should not decide whether a European family gets its life savings back.

We urge the Council, Parliament, and Commission to close this loophole now and to ignore the banking lobby. All the European big banks (Deutsche Bank, ING,.. show up in the criminal court files of the scammers, they enabled the scammers to rip off tens of thousands of innocent European consumers), they are best fitted to address the fraud and it is about time to hold them responsible.