By FinTelegram Editorial Desk
Europe built instant, low‑cost payment rails—and accidentally created a paradise for cyber‑fraud. That’s the core message in a new academic paper by Elfriede Sixt, Chairwoman of EFRI and partner in the C42 project, who lays out a data‑driven indictment of today’s liability rules and a blueprint to fix them. Drawing on 1,750 victim cases across 20 countries (losses: €62.5m), Sixt shows how “authorised” push payments induced by deception remain largely unreimbursed, while even clearly unauthorised cases are inconsistently handled across Member States. The result is a double protection gap that erodes trust and rewards bad actors embedded in Europe’s payment stack. European Payment Rails
What Sixt finds

- Europe’s “payment paradox.” Regulators modernised the rails (SEPA Instant & the 2024 Instant Payments Regulation), but consumer protection hasn’t kept pace. APP (authorised push‑payment) fraud shifted losses onto consumers, and redress is fragmented and slow.
- Evidence at scale. EFRI’s dataset documents pig‑butchering/investment scams where most funds move via “authorised” transfers or CNP card payments; victims encounter denial, delay, and blame when they seek refunds. Psychological harm and trust loss are widespread, with 39% closing long‑standing bank relationships after the experience.
- Gatekeeping failures in the rails. The same small circle of PSPs/acquirers/EMIs and certain banks repeatedly appear at the monetisation layer, onboarding high‑risk merchants, mis‑coding MCCs, and letting mule stacks run. This is contingent, not inevitable—many institutions don’t show these patterns, which supports shifting default liability to the actors best placed to prevent abuse.
- Named case studies.
  - Payvision (ING): processed high‑risk “investment” flows, including networks tied to Gal Barak/Uwe Lenhoff; internal figures attribute ~€154m CNP volume to the “Wolf of Sofia” group alone.
  - Wirecard: operated as a global fraud enabler before its collapse, legitimising illicit flows via acquiring units and subsidiaries.
  - Københavns Andelskasse (DK): pass‑through hub for scam proceeds; later fined DKK 794m for AML failures.
- ADR that doesn’t redress. FIN‑NET and national ombuds schemes are obscure, uneven, and rarely binding; in EFRI’s cohort, no meaningful relief came through ADR.
What Sixt demands
Sixt argues for outcome‑based reimbursement for all fraud‑induced payments—treat consent obtained through deception as no consent—and then align liability with functional control in the scam chain. Her blueprint includes:
- Reimbursement anchor at the payer’s ASPSP, with calibrated recourse down‑chain (beneficiary PSPs, acquirers, platforms, telcos).
- Redefine “consent.” Fraud‑induced authorisations become unauthorised in law, triggering immediate refund rules.
- FIN‑NET 2.0 (binding EU‑level ADR) with deadlines, presumptions, and disclosure so victims aren’t re‑victimised.
- EU Fraud Data Framework to close opacity gaps and surface cross‑institutional risk signals (mules, layering, MCC camouflage).
- Technology duties for PSPs and platforms: name/IBAN checks (CoP/VoP), real‑time analytics, kill‑switches, cross‑sector intel sharing.
The legislative moment: PSR Article 59 is not enough
Europe’s Payment Services Regulation (PSR) is the vehicle to fix the gap. Parliament’s 2024 stance broadened coverage and explored shared, cross‑sector liability (PSPs, ECSPs, platforms). But the Council’s 18 June 2025 “General Approach” retreats to a narrow trigger—refunds only if the fraudster impersonated the consumer’s PSP (“bank spoofing”)—with a 15‑business‑day refund clock. That leaves most induced‑consent scams (fake tax, police, brand, marketplace) out of scope and keeps platforms/telcos largely off the hook.
Sixt’s view: two PSR landings are realistic, but only the broader reimbursement model aligns incentives across the scam chain and restores trust. Otherwise, Europe cements an equilibrium that rewards institutions and harms consumers.
Why this matters now for cyberfinance: illegal casinos & crypto
The paper’s lens on MLaaS (Money‑Laundering‑as‑a‑Service) explains why illegal online casinos and unlicensed crypto platforms keep thriving: they rely on regulated on/off‑ramps—acquirers, PSPs, EMIs, beneficiary banks, and exchanges—to collect, layer, and cash‑out at scale. Where onboarding/monitoring is weak (or willfully blind), these actors become financial crime enablers. Tightening KYCC/EDD, MCC governance, inbound risk‑scoring, mule controls, and beneficiary‑side holds/recalls is essential—and must be backed by default liability so the least‑cost avoiders actually invest in prevention.
Crypto‑native rails don’t sit outside this: scam funds frequently bridge to EMIs/banks for monetisation. Without outcome‑based reimbursement and binding ADR, victims of crypto‑themed pig‑butchering and casino funnels will keep absorbing losses while intermediaries capture fees.




