EU member states and the European Parliament have reached a political agreement on new rules aimed at better protecting consumers from online fraud, unexpected charges and data misuse, parliament said last week.

Under the deal, customers will have to be clearly informed of all fees before making a payment, including currency conversion costs and ATM withdrawal charges, regardless of who operates the machine.

The measures also aim to secure access to cash in rural and remote areas, as retailers will be allowed to provide withdrawals of up to €150, and at least €100, without requiring a purchase, as mentioned in Philenews.

At the same time, the agreement seeks to open up competition in the payments market. Negotiators backed measures to remove obstacles for open-banking services, ensuring that authorised account-information and payment-initiation providers can access account data on a non-discriminatory basis.

The legislation lists prohibited barriers to data access, while mobile-device makers and e-service providers will have to allow front-end applications to store and transmit the data needed to process payments on fair and reasonable terms.

Consumers will also gain greater control over how their data is used. Payment service users will have access to a dashboard showing which third parties have been granted rights to view their account information, with the option to manage or revoke those permissions.

The package introduces stronger liability rules for fraud. Certification Service Providers (CSPs) that fail to implement adequate prevention mechanisms will be responsible for customer losses.

They will have to verify that the payee’s name and unique identifier match, refuse suspicious orders and alert the payer when discrepancies arise. Providers must also apply strong customer authentication and carry out risk assessments, while offering optional spending limits and self-exclusion tools.

Where a fraudster initiates or alters a transaction, the payment service provider (PSP) will be fully liable. Receiving PSPs will be required to freeze any transaction deemed suspicious.

To tackle impersonation scams, where criminals pose as bank staff to convince customers to authorise payments, PSPs will have to refund the entire amount, provided the victim reports the fraud to the police and informs their provider.

Online platforms will face new responsibilities as well. They will be liable to CSPs that have compensated victims if they fail to remove fraudulent content once notified, strengthening obligations already set out under the Digital Services Act.

Advertisers of financial services will also have to demonstrate to large online platforms and search engines that they are properly licensed, or legally exempt, in the jurisdiction where the service is offered.

Moreover, the agreement requires that users have access to human customer support rather than relying solely on automated systems, and it provides for public funding to help educate consumers on avoiding fraud.