The first episode of Fusion Fireside in 2026 takes us to Brussels, where we sit down with Frederik Mennes, Director of Strategy at OneSpan. Frederik brings a rare blend of deep technical expertise and regulatory fluency. What follows is a rich, fast‑moving conversation that bridges deep technical cryptography, evolving fraud tactics, and the sweeping regulatory changes coming with Payment Services Directive 3 (PSD3) and the Payment Services Regulation (PSR).

From Cryptography to Regulation: A Unique Perspective

Frederik’s background is rooted in computer science and advanced cryptography, but his career gradually expanded into the world of regulation and fraud prevention. That combination – technical depth plus regulatory fluency – gives him a rare vantage point on how cybersecurity, fraud, and legislation intersect.

He notes that while he no longer uses cryptography daily, understanding the underlying mechanics of security systems helps him anticipate market needs and guide product strategy.

Insights from the Fireside

Several observations stood out during the chat with Frederik:

• Fraud has evolved – and regulation must evolve with it: PSD2 focused on account takeover and introduced strong customer authentication (SCA). Today, fraud has shifted to authorized push payment (APP) scams, which SCA alone cannot stop. PSD3 responds to this shift with broader, more holistic fraud‑prevention requirements.
• Liability is a delicate balancing act: Frederik highlights the tension between protecting consumers, avoiding over‑burdening banks and ensuring fairness when fraud originates outside the banking ecosystem. The ability to transfer liability to social media and telecom providers is a major step toward aligning responsibility with the true origin of fraud.
• Regulation must keep pace with technology: Frederik points to AI agents – software that autonomously performs tasks like payments – as a looming challenge. Future regulation will need to answer questions such as:
  • How do you authenticate an AI agent?
  • How do you detect fraud when user behaviour is no longer visible?
  • Who is liable when an AI agent is manipulated?
  These issues are not addressed in PSD3 but will be unavoidable in the next regulatory cycle.
• Europe is ahead of North America: Compared to the EU and Asia‑Pacific, North America takes a more hands-off approach to fraud regulation. Europe’s leadership means PSD3 will likely influence global standards, just as PSD2 did.

Final Thoughts

PSD3 and PSR represent a major shift in how Europe approaches fraud, liability, and consumer protection.

They introduce:

• A more nuanced liability model

• Stronger fraud‑prevention requirements

• A recognition that fraud often originates outside the banking system

• A framework that will influence global regulation

As Frederik notes, even once PSD3 is finalized, the work is far from over. The European Banking Authority will issue 15–20 additional technical standards, and new technologies – especially AI – will demand further regulatory evolution.

Explore previous episodes:
https://www.threatfabric.com/fusion-fireside