Telcos Enter the Fight: What PSD3 Means for ECSPs and Banks

The future of fraud prevention is collaborative — and telecoms are no longer spectators!

The upcoming PSD3 and Payment Services Regulation (PSR) mark a major turning point for fraud detection across Europe. For the first time, Electronic Communications Service Providers (ECSPs) — mobile and telecom operators — are expected to play a formal role in helping detect and prevent financial fraud.

This shift has far-reaching implications not only for banks and payment providers, but also for telcos who have traditionally operated outside the regulatory framework of financial services.

Why Involve Telcos?

Because the fraudsters already have! 

Social engineering scams and impersonation frauds often rely on telecom-based manipulation:

  • SIM-swap attacks to take control of banking sessions
  • Call forwarding to intercept OTPs
  • Remote access tools hidden in smartphone sessions
  • Spoofed calls from “bank staff” or “police officers”

To fight these tactics, PSR proposes cross-sector collaboration between PSPs and ECSPs — sharing signals in real time to prevent fraudulent transactions before they happen.

What Will PSD3/PSR Require?

While banks and payment providers will be directly regulated under PSD3/PSR, telcos will be brought in through national telecom regulators under the European Electronic Communications Code (EECC).

The requirements in practice:
  • ECSPs must provide fraud-relevant data, such as SIM change flags or call forwarding status.
  • Financial institutions must ingest and act on this data — using it in real-time fraud scoring.
  • National frameworks will define how data is shared and under what lawful basis.

This won’t be optional.

Financial institutions that ignore available telecom signals may be held liable for preventable fraud.

What Does This Mean for Financial Institutions?

  • Banks must establish data-sharing channels with telecoms — directly or via trusted intermediaries.
  • PSPs must be able to ingest telecom risk signals in real time, integrate them into their fraud engines, and provide an audit trail of decisions.
  • Using telecom data must respect GDPR — meaning consent, retention limits, and lawful basis must be baked in.

Why Legatus Is Telecom-Ready

With our upcoming upgrade of Legatus Bridge with the Telecom Intelligence add-on, Legatus will enable financial institutions to:

  • Ingest ECSP signals (SIM swaps, call forwarding, device anomalies)
  • Normalize and score them in real time
  • Apply flexible rules: warn, challenge, or block payments
  • Maintain full auditability and GDPR-aligned consent logic

Legatus will always help PSPs stay ahead of regulatory timelines while significantly improving defense against impersonation and APP fraud.

When Will This Apply?

  • PSR obligations for PSPs: likely from 2026
  • PSD3 fraud mandates: expected by 2027
  • ECSP collaboration frameworks: rollout likely between 2026 and 2028

Ready to Collaborate Across Sectors?

The financial and telecom industries are converging in the fight against fraud. Legatus gives you the tools to meet this challenge — intelligently, securely, and ahead of the curve.

Book a demo today to see how Legatus helps you command the fight against fraud.
