Instant payments, instant risk: rethinking authentication under IPR and PSD3

The European payments landscape sees key shifts every few years. Two of this decade’s major transformations are the EU Instant Payments Regulation (IPR), already in motion for receiving banks and set to be enforced with the addition of all non-Euro EEA members by 2028, and PSD3 with its associated PSR, expected to come into force this year and then implemented by Member States within 18 months.

The IPR changes will mean that consumers will be able to transact faster, but on the flip side, banks and PSPs will have less time to perform anti-fraud checks. PSD3 on the other hand is set to shift liability for fraud and scams more heavily onto banks rather than customers.

This creates a high-risk situation: faster payments, fewer intervention points, and full financial responsibility for fraudulent payments.

Strong Customer Authentication as introduced by PSD2 has long been established as the way to mitigate payment fraud. But different techniques and technologies produce different results.

In this article, we dissect these regulations, extract the most important points from an authentication perspective, and analyse the effectiveness of different technologies to help comply with the stricter compliance rules as set by the IPR and PSD3/PSR.

Instant payments, instant liability

Under the IPR, SEPA credit transfers will have to be processed in less than 10 seconds, 24 hours a day, 365 days a year. There’s no delay and no downtime.

At the same time, the EUR 100,000 limit on real-time payments has been scrapped. So if a fraudster gets in, they can clear out an account in seconds.

This changes the game completely. Risk engines and post-transaction analysis won’t have time to react and manual reviews will be too late. Once the payment is authorised, it’s effectively completed.

Under PSD3, banks in the EU will be held liable for bank impersonation scams, where a fraudster pretends to be a bank employee. Meanwhile, in the UK, liability is already split between sending and receiving banks for a wide range of fraud types.

Together, these two regulations create a high-risk environment where banks now stand to lose more funds as well as the existing regulatory and reputational fallout that often accompanies scams.

Questioning traditional anti-fraud checks

Historically, banks have relied on SMS-based authentication, risk engines, transaction scoring, and manual checks to approve or flag suspicious activity. But with IPR, there’s much less time for these measures. A 10-second window doesn’t allow for step-up SMS OTPs, fallback calls to the customer, or waiting for behavioural analytics to process data.

Real-time payments mean real-time certainty, which begins with real-time identity assurance.

Rethinking Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) under PSD2 already requires two or more factors such as knowledge (something the user knows), possession (something the user has), and inherence (something the user is).

But many banks still implement SCA in ways that slow users down and leave security gaps. SMS OTPs are at risk of SIM swapping and PINs can be phished.

In the world of IPR and PSD3, these outdated factors are too insecure and too slow. Traditional anti-fraud checks and transaction holds simply won’t work in this new environment. The system will move faster than the fraud team can respond.

The advantage of biometrics

Biometrics are the logical answer. They can authenticate identity in less than a second, making them ideal for a real-time payment world, and are much more secure. When implemented correctly, they can prove who someone is in a way that passwords, PINs, and OTPs just can’t match.

But not all biometric systems are created equal.

Local biometrics, such as FaceID or Samsung's Touch equivalents, are a favourite with banks: the majority of European banks use them at the login or transaction-approval step. But they have a fundamental issue: they do not prove identity.

The biometric data never leaves the phone, so there’s no way to tie it to the person who went through KYC. If someone else adds their face or fingerprint to the device, the bank can tell that there has been a change, but cannot tell who that new person is. From a compliance and fraud perspective, you’re trusting the device, not the person.

Centralised biometrics, also known as cloud-based biometrics, fix that problem. These systems store biometric data in the cloud and compare the biometric capture, for example the one taken when making a payment, to the one taken during KYC.

But these have separate drawbacks that are particularly problematic in light of the IPR. They're slow. Most take several seconds to complete a match, which is too long when payments need to move in under 10 seconds.

Meeting the moment with decentralised systems

To survive in the IPR and PSD3 environment, where payments are real-time and liability is high, banks need biometric systems to do two things well: offer very fast authentication and prove identity beyond any reasonable doubt.

That’s where decentralised biometrics are extremely useful.

These systems work like centralised ones in that they match the authentication template to the one created during KYC. But the key difference is what happens to the data during enrolment.

When a user enrols into a decentralised system, instead of storing their biometric data in the cloud, it is encrypted or transformed directly on the device. The transformed data is then split into a public-private key pair, with the public key stored in the cloud and the private key staying securely on the user’s device.

When someone tries to authenticate, like when approving a payment, their device retrieves the public key, checks it against the private key, and compares that to the fresh authentication template. If everything lines up, the authentication goes through.

What is crucial is that because the data is in cryptographic form, the process is lightning-fast, typically well under half a second. The result is a form of authentication that keeps biometric data private, proves identity, and works in milliseconds.

Looking to the future

The introduction of IPR and PSD3 is a turning point for authentication in banking. Institutions that rapidly - and successfully - adapt to these regulations will keep their customers safer and experience less fraud.

The technology to meet these regulations and directives already exists, but implementing it requires rethinking old authentication models and existing assumptions.

About Tobin Broadfoot

Tobin Broadfoot is Director of Product at Keyless, a decentralised biometric authentication company headquartered in London. For more information, visit www.keyless.io.

About Keyless

Keyless is the leader in privacy-preserving biometric authentication, trusted by banks, fintechs, enterprises, and governments to reduce account takeovers, secure high-risk actions, and improve operational efficiency. Available via app and web, its unique Zero-Knowledge Biometrics™ technology delivers multi-factor authentication in one glance in 300 milliseconds without storing biometric data anywhere. Keyless is ISO 27001 and ISO 30107 accredited and is the only company to hold both FIDO Biometrics and FIDO2 certifications.

The Paypers is the Netherlands-based leading independent source of news and intelligence for professionals in the global payment community.