A guest article by Dirk Mayer, Head of Anti-Fraud Consultants at RISK IDENT
Digital payments require robust security measures to counteract increasing fraud. The Payment Services Regulation (PSR) sets out comprehensive framework conditions for this. Device identification is a key element in meeting these requirements. Its practical significance is evident in the ruling of the Dresden Higher Regional Court (OLG) and the initial findings on liability reversal from the United Kingdom.
The PSR’s requirements for fraud prevention
The PSR is on its way. On 16 June 2025 the Council adopted its position on the new proposal; the next step is the trilogue negotiations with the European Parliament, and final adoption is expected at the end of the year. The new regulation aims to increase the security and efficiency of electronic payments. Its key points concern fraud prevention and liability.
It imposes a number of obligations on payment service providers (PSPs):
- Strong customer authentication (SCA) for payment transactions: Nothing new for us. Activating a mobile banking application on a new device also requires SCA, carried out over a communication channel separate from the one being enrolled.
- Name/IBAN matching: This is also not new and becomes mandatory from October 2025.
- Transaction monitoring mechanisms: PSPs are required to implement effective transaction monitoring systems designed to detect and prevent potentially fraudulent transactions. This sounds obvious, but many institutions still have a lot of catching up to do in this area.
- These mechanisms are to be based on the analysis of previous payment transactions. Session and device data, explicitly including IP address ranges and device identifiers, may also be used. An ‘unusual’ payment transaction should trigger further investigation.
- Fraud data sharing: The PSR requires PSPs to exchange information about fraudulent activities. Pooling the account numbers (IBANs) and device identifiers known from fraud attempts is likely to be essential here.
- Prevention of spoofing: Cooperation between telecommunications companies and PSPs is required to prevent spoofing of the bank’s telephone numbers and sender identities.
- Liability: Under current law the PSP is already liable in principle for unauthorised payment transactions. Contrary to previous practice, however, proving that the transaction was correctly authenticated is no longer sufficient: exemption from liability requires gross negligence or fraudulent intent on the part of the payer, and the burden of proof lies with the PSP. This applies in particular to impersonation fraud, where the customer believes they are responding to a request from their bank. If the PSR’s authentication requirements are not met, the institution is liable. Failing to use the available security options will at least seriously weaken a PSP’s case for exemption from liability.
Initial experience from the UK supports the PSR
Concerns that the changed liability rules could tempt customers to act carelessly or even cooperate with fraudsters (moral hazard) are hardly tenable anymore: initial results from the UK show that only 2 per cent of refund claims were rejected on the grounds of gross negligence by the customer.
At the same time, the reported refund rate of 86 per cent should be a wake-up call for European payment service providers: the figure in Germany is currently less than half that. UK refund practice had already shifted as the rules took shape; nevertheless, the rate has risen significantly again since the reimbursement requirement took effect on 7 October 2024.
The ruling of the Dresden Higher Regional Court – consequences for practice
The ruling of the Dresden Higher Regional Court of 5 May 2025 illustrates the complexity of liability distribution in online fraud cases. In this case, a bank customer fell victim to a ‘social engineering’ attack. Fraudsters obtained his online banking credentials via phishing emails and spoofed telephone calls, then manipulated him into approving ‘orders’ in his TAN app. The money was gone: an absolutely standard case.
The court found that:
- The payments were not authorised by the customer, as he did not know at the time of approval that he was making transfers, but assumed that he was performing a ‘technical update’.
- The savings bank was able to prove the technical authentication of the transactions; the S-pushTAN procedure was assessed as SCA-compliant.
- The court found that the customer had committed a grossly negligent breach of duty in dealing with phishing messages and fake calls, as well as in failing to check the app displays. The customer had not heeded the bank’s security instructions available to him and had ignored clear warning signs.
- The decisive factor, however, was the bank’s contributory negligence. The Dresden Higher Regional Court reduced the bank’s claim for damages against the customer by 20 per cent. The reason: the savings bank had not required strong customer authentication when logging into online banking, so after a simple login with only a user name and static PIN the fraudsters could already see sensitive account data. This lapse in securing access was considered ‘contributory’ to the fraud, as it allowed the fraudsters to take preparatory steps without any further action on the part of the customer.
IP address and the need for higher-quality device identification
An interesting point in the ruling is the role of the IP address:
- The savings bank had determined that the IP addresses from which the fraudulent online banking access originated did not correspond to the plaintiff’s usual IP addresses.
- However, the court found that the deviation in the IP address alone was not a sufficient basis for a warning or refusal to execute the transaction. It stated that an IP address is not a suitable feature for customer authentication, as it ‘does not allow reliable conclusions to be drawn about the identity of the user’. In the cases in question (limit increases, transfers to unknown accounts), the bank’s transaction monitoring mechanisms did not detect any ‘anomalies’ that went beyond normal customer behaviour and would have justified intervention.
- Nevertheless, the Higher Regional Court of Dresden explicitly attributed partial blame to the savings bank for the lack of strong customer authentication when logging into online banking, which enabled the fraudsters to access sensitive data.
This is where the higher quality significance of device identification comes into play:
- An IP address only identifies a network access point, is frequently dynamic and may be shared with third parties. Device identification instead captures specific, persistent characteristics of the end device itself, e.g. hardware configuration, software fingerprints, system fonts and installed plugins. Behaviour patterns during device use belong to a separate category (behavioural biometrics, an ‘inherence’ element) and complement the device identifier rather than being part of it. Device identifiers are far more stable and distinctive than an IP address, and a device can also serve as the ‘possession’ element of SCA, provided possession is reliably evidenced, for example by a key bound to the device or a registered browser. A passively collected fingerprint on its own is a weaker basis for possession, since its attributes are reported by the client and can be replayed by an attacker who has observed them; it is best treated as a strong risk signal in transaction monitoring.
- The PSR explicitly allows the processing of ‘device data, including device identifiers’ for transaction monitoring. This underlines the regulatory recognition of their value for prevention.
- In the present case, a solution that uses device identification in transaction monitoring (or, as here, as an element of SCA at login) would have recognised the fraudsters’ access as coming from an unknown device. That signal could have triggered an immediate, specific warning or an additional, targeted SCA request before the fraudsters reached sensitive data.
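As an added illustration of the monitoring logic described in the PSR bullets above (transaction history plus session and device data, with an ‘unusual’ event triggering further steps) and in this section (unknown device at login as a trigger for a targeted SCA request), the following Python is example code written for this page; it is not part of the original article or of any RISK IDENT product. The device attributes, the risk weights and thresholds, and the customer profile, IP addresses and IBANs are all constructed, illustrative values.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DeviceAttributes:
    """Passively observable client attributes (illustrative selection)."""
    user_agent: str
    platform: str
    screen: str
    timezone: str
    fonts: tuple[str, ...]
    plugins: tuple[str, ...]

    def fingerprint(self) -> str:
        # Sort the enumerable lists so the hash is stable across enumeration order.
        material = "|".join([
            self.user_agent, self.platform, self.screen, self.timezone,
            ",".join(sorted(self.fonts)), ",".join(sorted(self.plugins)),
        ])
        return hashlib.sha256(material.encode()).hexdigest()[:32]


@dataclass
class CustomerProfile:
    known_devices: set[str]      # fingerprints bound after SCA-verified enrolment
    usual_networks: list[ipaddress.IPv4Network | ipaddress.IPv6Network]
    known_payees: set[str]       # IBANs the customer has paid before
    transfer_limit: int          # current limit in EUR


@dataclass
class Event:
    kind: str                    # "login", "limit_increase" or "transfer"
    device: DeviceAttributes
    ip: str
    payee_iban: str | None = None
    amount: int | None = None
    new_limit: int | None = None


@dataclass
class Decision:
    action: str                  # "allow", "step_up" (extra SCA) or "hold"
    score: int
    reasons: list[str] = field(default_factory=list)


# Illustrative weights: an IP deviation alone stays below the step-up threshold,
# an unknown device alone reaches it.
WEIGHTS = {"unknown_device": 40, "unusual_network": 15, "new_payee": 20,
           "limit_increase": 25, "amount_near_limit": 15}
STEP_UP, HOLD = 40, 70


def assess(profile: CustomerProfile, event: Event) -> Decision:
    """Score one session event against the customer's history and device set."""
    reasons: list[str] = []
    if event.device.fingerprint() not in profile.known_devices:
        reasons.append("unknown_device")
    addr = ipaddress.ip_address(event.ip)
    if not any(addr in net for net in profile.usual_networks):
        reasons.append("unusual_network")
    if event.kind == "limit_increase" and (event.new_limit or 0) > profile.transfer_limit:
        reasons.append("limit_increase")
    if event.kind == "transfer":
        if event.payee_iban not in profile.known_payees:
            reasons.append("new_payee")
        if event.amount is not None and event.amount >= 0.8 * profile.transfer_limit:
            reasons.append("amount_near_limit")
    score = sum(WEIGHTS[r] for r in reasons)
    action = "hold" if score >= HOLD else "step_up" if score >= STEP_UP else "allow"
    return Decision(action, score, reasons)


def bind_device(profile: CustomerProfile, device: DeviceAttributes) -> None:
    """Register a device only after the customer has completed SCA on it."""
    profile.known_devices.add(device.fingerprint())


# Constructed sample data: documentation test networks and example IBANs.
HOME_DEVICE = DeviceAttributes("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Win32",
                               "1920x1080", "Europe/Berlin",
                               ("Arial", "Calibri", "Segoe UI"), ("PDF Viewer",))
FRAUDSTER_DEVICE = DeviceAttributes("Mozilla/5.0 (X11; Linux x86_64)", "Linux x86_64",
                                    "1366x768", "Etc/UTC", ("DejaVu Sans",), ())
FRAUDSTER_IP = "198.51.100.7"


def sample_profile() -> CustomerProfile:
    return CustomerProfile(known_devices={HOME_DEVICE.fingerprint()},
                           usual_networks=[ipaddress.ip_network("203.0.113.0/24")],
                           known_payees={"DE02120300000000202051"},
                           transfer_limit=1000)


if __name__ == "__main__":
    p = sample_profile()
    for ev in (Event("login", HOME_DEVICE, FRAUDSTER_IP),
               Event("login", FRAUDSTER_DEVICE, FRAUDSTER_IP),
               Event("limit_increase", FRAUDSTER_DEVICE, FRAUDSTER_IP, new_limit=5000),
               Event("transfer", FRAUDSTER_DEVICE, FRAUDSTER_IP,
                     payee_iban="DE89370400440532013000", amount=950)):
        print(ev.kind, assess(p, ev))
```

The point of the example is the combination of signals rather than the weights themselves. The IP deviation the court discussed scores 15 and is allowed on its own, whereas the same session from an unregistered device reaches the step-up threshold already at login, i.e. before the fraudster sees any account data, and the subsequent limit increase and transfer to an unknown payee are held for review. `bind_device` is only called once the customer has passed SCA on the new device, which mirrors the PSR rule that activating a new device itself requires SCA.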
The Higher Regional Court’s decision must be taken very seriously, especially in light of the new PSR requirements. Even though the authentication measures taken by the defendant savings bank were held sufficient under the current requirements, they did not correspond to the state of the art in fraud prevention.
Conclusion
The ruling of the Dresden Higher Regional Court sends a clear signal to all payment service providers: consistently developing fraud prevention measures to the latest standards is essential for minimising fraud risk and avoiding accusations of contributory negligence. It would not be surprising if case law continued to align itself with the clearly formulated requirements of the PSR. Under a liability regime comparable to the PSR’s, the experience gained from UK refunds speaks for itself. The business case is unquestionable.