Lessons from Deloitte’s PSD3 Survey in the Age of Instant Payments

Instant payments in Europe are no longer a nice-to-have; they’re a regulatory requirement and a strategic necessity. Since 9 January 2025, banks across the euro area have been required to accept instant credit transfers (SEPA Instant) and perform daily sanctions screening under the Instant Payments Regulation (IPR).

By October 9, 2025, banks must go even further: support outbound instant payments and implement Verification of Payee (VoP) (i.e. IBAN–name matching) to guard against misdirected payments and scams.

In this context, readiness becomes a decisive differentiator. Deloitte’s recent Instant Payments under PSD3 survey of six Anti-Financial Crime (AFC) solution providers offers valuable insight into how prepared the market truly is for these changes. 

This post aims to distill key survey themes, introduce a four-dimensional readiness framework, and outlines how financial institutions can translate regulatory urgency into strategic advantage. 

Why readiness matters for Instant Payments and PSD3

The regulatory imperative

• The move to real-time payments compresses the window for intervention to seconds. Under IPR, SEPA instant transfers must settle in under 10 seconds, 24/7/365.
  
• PSD3 and the forthcoming Payment Services Regulation (PSR) will further shift fraud liability toward banks and PSPS, unless they can demonstrate that a transaction was authorized or aided by the customer.
  
• In 2022, the European Banking Authority reported payment fraud in the EU/EEA reached €4.3 billion.
  
• Instant credit transfers, according to EBA’s 2022 data, show notably higher fraud rates compared to traditional credit transfers.
  
• Some market commentators cite that fraud rates for instant credit transfers are 10× higher than for regular credit transfers.
  

The broader meaning of readiness

Readiness means being equipped, technically, operationally, and strategically to meet real-time payment requirements and emerging fraud patterns. 

A readiness lens helps institutions:

• Assess their current state – where are the weak points in systems and workflows?
  
• Target investments – which gaps most threaten compliance or resilience?
  
• Align with business strategy – turning compliance-driven upgrades into growth enablers.
  

Insights from Deloitte’s 2025 Vendor Survey

Deloitte’s study of six Anti-Financial Crime (AFC) technology providers offers a window into how vendors and by extension, their client banks are adapting to PSD3 and IPR mandates. 

Diverse functional strengths

• All surveyed vendors addresses AML, sanctions screening and fraud, but with differing emphasis.
  
• Two vendors lacked dedicated fraud modules,  focusing primarily on AML and sanctions, while relying on configurable rules for fraud detection. .
  
• Others led with AI-based sanction screening or AI-assisted alert handling workflows.
  

The key takeaway: there is no single dominant solution, no “one-size-fits-all.” Banks must map their own readiness priorities AML, sanctions, fraud or operational resilience, against vendor strengths. 

False positive optimization as a core readiness metric

Vendors reported 30% to 90% reductions in false positives. However, Deloitte cautioned that results depend on starting baselines. Institutions with older systems see larger gains, while those with modern platforms achieve more incremental gains.

Readiness is not only about reducing false positives but also about improving true positive precision, ensuring that the alerts which do reach investigators are accurate, actionable, and high-impact. The right balance between efficiency and detection quality determines whether compliance teams are merely busy or truly effective. 

Reducing false positives isn’t just a metric; it’s a readiness enabler, freeing up compliance capacity and improving customer experience. 

Partnership-driven approach as a differentiator

Some providers stood out not through features alone but through embedded and consultative engagement with financial institutions, co-developing risk strategies, continuously tuning models, and integrating with client teams. 

We at ThetaRay believe in a consultative model that strengthens readiness by ensuring systems evolve alongside regulation and financial crime trends. 

Four Dimensions of Readiness 

Below is a framework that institutions can use to self-assess against peers and vendor capabilities.

Dimension	Key Questions & Metrics	Why It Matters
Cost of Operation	What is your false positive rate? How many manual reviews per transaction? How much effort goes into model tuning and maintenance?	Inefficient controls increase operational cost and slow responsiveness as payment volumes grow.
Technology Readiness	Can your infrastructure handle real-time throughput without latency? Is it modular, API-enabled, and resilient?	IPR demands sub-10-second settlement, 24/7 uptime, a requirement that legacy systems often struggle to meet. PSD3 reinforces governance, liability and fraud management expectations that make this operational reliability essential.
Compliance Integration & Workflow	Are VoP, fraud screening, sanctions screening, and AML monitoring unified or siloed? Do they operate seamlessly in the same payment path?	Fragmented controls cause gaps, delays, or potentially introduce additional friction for compliance.
Scalability & Resilience	Can your system scale with instant payment volumes and regulatory evolution (e.g. AMLA)?	Instant payments will soon be the default. Systems must evolve continuously, not be rebuilt every few years.

Assigning internal scores (e.g., 1–5) across these dimensions will help banks visualize readiness, gaps, prioritize investment, plan remediation, and track progress over time. 

Building a strategic readiness roadmap

Here’s guidance on translating readiness insights into action: 

Prioritize readiness gaps by business impact

• A bank scoring low on technology readiness should prioritize modernizing its infrastructure for throughput and latency, since even the most advanced detection models are ineffective if systems can’t keep up.
  
• If compliance integration is the weakest link, consolidating siloed controls can reduce friction and operational overhead far more effectively than marginal gains in model accuracy.
  

Match vendor strengths to institutional needs 

Use readiness scores to guide vendor selection: 

• Institutions emphasizing AML/sanctions-oriented, should favor providers excelling in AI-based solutions for AML and sanctions screening.
• Those with high fraud exposure should prioritize fraud prevention, fraud analytics and adaptive alert management.
• Complex organizations should work with consultative partners who co-develop and continuously refine solutions, combining collaboration with a best-of-breed approach that reflects the reality that no single solution fits every institution. 
• Adopt a future-proof framework that adapts seamlessly to evolving regulations while minimizing operational disruption. 
  

Integrate readiness into broader business strategy

Regulatory programs like the Instant Payments mandate and PSD3 compliance should be viewed not as standalone efforts, but as integral components of broader digital transformation and growth initiatives. Strategic investment in payment infrastructure yields lasting gains in operational agility, scalability, and customer confidence. 

Treat readiness as continuous

Given the rapid evolution of financial crime techniques, emerging regulations, and shifting customer behavior, readiness should not be viewed as a one-time exercise. Institutions should reassess their readiness periodically to track progress and reallocate resources as risks and priorities evolve. 

Conclusion

The IPR, PSD3, and PSR are distinct initiatives, yet together they are reshaping the European payments landscape. While IPR enforces real-time settlement, PSD3 and PSR redefine conduct, consumer protection, and liability, collectively raising the bar for operational and compliance readiness. 

Compliance alone is no longer enough. True differentiation lies in readiness, the ability to act quickly, safely, and confidently across technology, operations and risk. 

Deloitte’s survey highlights that the market remains unevenly prepared. The opportunity lies in turning these insights into internal readiness spanning cost, technology, compliance, and scalability. 

By treating readiness as a strategic, continuous discipline, institutions can make smarter investments, select the right partners, and strengthen both their regulatory resilience, and competitive edge in the era of instant payments.