The Conversion-Compliance Balance –How to Optimise Checkout Without Violating PSD3 or AMLD6

Optimising a checkout seems simple in theory: make it fast, make it familiar, make it easy for customers to pay. But in 2026, merchants face a new reality. Conversion no longer depends only on design and user experience it is now tightly connected to regulatory compliance. With PSD3, the Payment Services Regulation (PSR), and AMLD6 reshaping the rules across Europe, every optimisation decision carries a legal implication. A smoother flow must still respect authentication requirements, data protections, fraud monitoring and transaction reporting.

For many businesses, this creates a delicate balance. Remove too much friction, and the merchant risks violating PSD3 or weakening fraud defences. Add too many checks, and customers abandon the process before completing their payment. High-risk sectors feel this pressure even more, where issuers and PSPs apply stricter oversight and expect merchants to demonstrate strong, explainable compliance at every step.

The challenge, then, is not choosing between conversion and compliance. It is learning how to align both, so customers move through checkout confidently while the merchant satisfies the regulatory expectations that govern modern payments. This blog explores how merchants can optimise their payment journeys without crossing the lines drawn by PSD3, AMLD6 and emerging fraud-control standards and why the right balance leads to better performance, not compromise.

What PSD3 and AMLD6 Actually Mean for Checkout Flows

PSD3 and AMLD6 are often discussed in regulatory terms, but their impact is most visible at checkout. Both frameworks aim to create safer, more transparent payment journeys, and they influence how merchants design every step of the customer experience.

PSD3 focuses heavily on authentication, consumer protection and data handling. Its central requirement Strong Customer Authentication isn’t new, but the expectations around consistency, resilience and fraud-data sharing are increasing. Merchants must ensure that authentication is reliable, clearly communicated and not bypassed through “creative” UX design. Redirects, consent steps and identity checks must be presented honestly, not hidden behind custom interfaces.

AMLD6 takes a broader view. It expands liability across the payment chain and requires stronger monitoring of suspicious patterns. For checkout design, this means that merchants cannot remove or obscure steps related to KYC, risk checks or data capture when required. High-risk merchants in particular must ensure that attempts, declines and anomalies are traceable and explainable.

Together, PSD3 and AMLD6 require a checkout that is clean, transparent and defensible but not necessarily slow. With the right optimisation strategy, compliance can exist alongside high conversion rather than competing with it.

Frictionless vs Compliant: Understanding the Legal Trade-Offs

Merchants often view friction and compliance as opposing forces. The assumption is simple: smoother flows convert better, while compliant flows slow customers down. In reality, the balance is more nuanced. Some steps that feel like friction are legally required under PSD3 or AMLD6, while other steps are added unintentionally through design decisions, PSP limitations or outdated checkout logic.

A frictionless checkout that ignores regulatory expectations is not just risky, it is unsustainable. PSD3 requires clear authentication journeys, unambiguous consent and transparent data processing. AMLD6 demands stronger behavioural monitoring and proper handling of potentially suspicious activity. Attempting to remove or disguise these steps to speed up the experience may create a short-term lift in conversion, but it exposes merchants to penalties, acquirer scrutiny and potential service termination.

The real trade-off is not friction versus compliance. It’s recognising which friction is mandatory and which is avoidable. When merchants streamline the avoidable elements, unnecessary redirects, confusing language, and excessive form fields the overall flow becomes both compliant and performant. A well-balanced checkout respects the rules but still feels intuitive, predictable and user-friendly, proving that conversion and compliance don’t have to compete.

Mapping Checkout Friction: What Is Mandatory vs What Isn’t

Not all friction is created equal. Some steps in the checkout journey exist because they are required by PSD3 or AMLD6, while others come from design choices or legacy configurations that add friction without improving security. Understanding the difference helps merchants streamline their flows without risking non-compliance.

What friction is mandatory?

Certain actions cannot be removed or disguised. PSD3 requires clear Strong Customer Authentication, transparent consent for data use and reliable redirection paths for open-banking payments. AMLD6 requires appropriate checks when transactions appear unusual, when high-risk customers trigger thresholds or when identity verification is needed. These steps form part of the legal structure around payments.

What friction is avoidable?

Many pain points come from the merchant side overly long forms, unnecessary data capture, forced account creation, confusing error messages or poor sequencing of authentication screens. These are not compliance requirements, they are design oversights. Simplifying them can lift conversion without touching mandatory checkpoints.

The goal is not to minimise steps, but to remove the ones that don’t serve either compliance or user clarity. When merchants understand which friction belongs to which category, they gain control over the experience while staying fully aligned with regulatory expectations.

PSD3 and SCA: How to Simplify Authentication Without Violations

Strong Customer Authentication (SCA) remains one of the most visible compliance steps in the checkout journey, and PSD3 is expected to bring even tighter expectations around consistency and user clarity. But SCA does not need to feel disruptive. In many cases, the problem isn’t the authentication itself, it’s how the process is presented.

Biometric authentication is usually the smoothest route. When available, merchants should prioritise issuer methods that rely on fingerprint, facial recognition or device-level confirmation. These methods satisfy PSD3 requirements while producing minimal friction for customers. Where biometrics aren’t supported, clear, well-timed prompts help prevent confusion during authentication steps.

Merchants can also make use of exemption logic, provided it is implemented responsibly and supported by the PSP or acquirer. Low-value payments, trusted beneficiaries and certain recurring transactions may not require full SCA under PSD3, but exemptions must be applied transparently. Trying to avoid SCA through indirect or misleading design patterns risks regulatory breaches and issuer pushback.

The key is understanding that SCA isn’t optional, but the user experience around it is entirely within the merchant’s control.

A clean, predictable authentication flow helps customers feel secure while ensuring the merchant meets PSD3 expectations without compromising conversion.

Fraud Controls That Reduce False Declines AND Support Compliance

Fraud controls are often seen as barriers to conversion, but the right tools can achieve the opposite effect. When merchants rely on outdated or overly rigid fraud rules, legitimate customers are declined unnecessarily. This not only hurts revenue but also signals weak compliance practices under AMLD6 and PSD3, where regulators expect more intelligent monitoring.

Using intelligence instead of blunt rules

Modern fraud systems rely on behavioural analytics, device intelligence and issuer-aligned signalling rather than simple rule engines. These tools help identify unusual activity without blocking normal customer behaviour. For example, recognising trusted devices or regular spending patterns can prevent false declines while still catching high-risk anomalies.

At the same time, better fraud screening strengthens compliance. AMLD6 expects merchants and PSPs to monitor payment behaviour and escalate suspicious activity. When fraud controls produce clean, explainable outcomes, they meet these obligations and improve approval rates at the same time.

The best fraud strategies balance sensitivity and accuracy. They reduce unnecessary friction, avoid blanket declines and give issuers the confidence that the merchant is managing risk appropriately creating a smoother, more compliant checkout flow overall.

AMLD6 and High-Risk Verticals: Checkout Implications

AMLD6 raises the standard for how transactions are monitored, assessed and escalated, and its impact is especially noticeable in high-risk sectors such as digital entertainment, gaming, nutraceuticals, travel, and cross-border services. These industries already attract stricter scrutiny from acquirers and issuers, but AMLD6 increases expectations around how merchants identify and respond to unusual behaviour at checkout.

Why high-risk merchants must adjust their checkout logic

AMLD6 expands criminal liability across the payment chain, meaning merchants, PSPs and even technical facilitators may be held responsible for failing to detect suspicious patterns. For checkout design, this means merchants cannot prioritise speed at the expense of compliance. Situations that require additional checks such as inconsistent customer details, unusual transaction size, velocity anomalies or mismatched locations must be handled transparently, even if extra steps momentarily slow the flow.

In high-risk verticals, issuers expect traceable, well-structured interactions. A rushed or overly simplified checkout can create unknowns that trigger automatic declines or acquirer intervention. By contrast, a clean, well-documented user journey gives PSPs confidence that the merchant is applying AMLD6 expectations correctly.

In short, AMLD6 doesn’t force merchants to create complex flows, it forces them to create explainable ones. When high-risk merchants configure checkout journeys that demonstrate clear intent, consistent data and proper escalation, they protect both their approval rates and their regulatory position.

Optimising UX Inside AML/KYC Constraints

KYC and AML checks are often the most sensitive parts of the user journey. They are essential, but if not handled carefully, they can introduce friction that feels unnecessary or confusing. The challenge is to surface these checks in a way that protects compliance while still supporting a smooth, trustworthy experience for customers.

Many merchants make the mistake of placing verification steps too early or presenting them without a clear context. Users who do not yet feel committed to the transaction are more likely to drop off when asked for documents or additional information. A better approach is to introduce KYC elements at natural decision points immediately after intent is confirmed or when a regulatory trigger appears and explain why the additional step is required. Transparency reduces frustration and increases completion rates.

Another important factor is pacing. If a high-risk customer triggers a threshold under AMLD6, the extra check cannot be removed, but it can be made more intuitive. Simple language, clean instructions and visible progress indicators help users understand what is happening and what is expected from them. Where possible, merchants should minimise repeat data entry by using pre-filled fields or secure, one-time verification links.

Optimising UX within AML/KYC constraints is not about cutting steps; it is about designing them intelligently.

When verification is contextual, predictable and clearly explained, customers experience it as part of a legitimate security process rather than an obstacle to completing their payment.

Orchestration’s Role in Balancing Conversion & Compliance

As regulatory demands grow, orchestration has become a practical way for merchants to maintain strong conversion without compromising compliance. Instead of relying on a single gateway or rigid routing logic, an orchestration layer gives merchants the ability to adapt authentication, risk checks and routing decisions in real time all while keeping the user experience consistent.

For compliance, orchestration offers something traditional gateways cannot: transparency and control over how each transaction is handled. Merchants can enforce PSD3-aligned SCA flows, ensure sensitive data is processed correctly and apply AMLD6-required monitoring rules without rebuilding their entire checkout. When an acquirer rejects a transaction for regulatory reasons, the orchestration layer can reroute it to a compliant alternative or apply a different authentication step, reducing unnecessary declines.

From a conversion perspective, orchestration smooths out the friction created by mandatory checks. It can prioritise biometric SCA paths when available, select the acquirer most likely to approve the transaction and avoid issuer behaviours that typically lead to false declines. This means the customer experiences a faster, cleaner flow, even when the underlying compliance logic is complex.

Ultimately, orchestration acts as a bridge between the legal and commercial priorities of 2026 payments. It allows merchants to meet the demands of PSD3 and AMLD6 while still presenting a checkout journey that feels modern, intuitive and reliable.

PSP/Acquirer Configuration Mistakes That Harm Both Conversion & Compliance

Many checkout issues that merchants experience are not caused by UX design or customer behaviour; they originate in how payments are configured at the PSP or acquirer level. Routing rules, authentication settings, MCC classification and fraud thresholds all influence whether a transaction is approved or blocked. When these settings are misaligned, conversion drops and compliance risk rises at the same time.

One common problem is setting fraud filters too aggressively. Merchants often assume that stricter rules reduce risk, but in reality, they create artificial declines that issuers interpret as poor-quality traffic. This weakens approval rates and signals to regulators that the merchant may not be applying balanced, AMLD6-aligned monitoring. Another recurring issue is outdated SCA configurations. If the PSP forces unnecessary challenges or does not support the right exemptions under PSD3, customers face friction that is neither helpful nor legally required.

Acquirer-level settings also play a larger role than many merchants realise. Incorrect MCC codes, missing location data or misapplied recurring payment flags can all trigger issuer suspicion. These errors are not visible to the customer, yet they can have a material impact on both approval rates and regulatory perception. Clean technical signalling is one of the strongest indicators of a well-managed, compliant checkout environment.

When compliance goes wrong: common failures and penalties

Compliance failures often occur not because merchants intentionally ignore rules, but because their PSP configuration does not reflect current PSD3 or AMLD6 expectations. Examples include missing customer authentication logs, unsupported fraud-monitoring logic, or routing transactions through acquirers that have stricter sector controls. When these issues appear consistently, acquirers may raise monitoring flags, apply additional reserve requirements or, in more serious cases, terminate services.

These failures usually share a common pattern: the merchant’s checkout looks smooth to the customer, but the backend signals do not satisfy regulatory standards. PSPs and acquirers interpret this as unmanaged risk. The financial consequence is not just lost transactions it can lead to account freezes, rolling reserves, heightened scrutiny or the need to undergo remediation audits.

The most effective way to prevent these issues is regular, structured review of PSP and acquirer settings. When merchants align their technical configurations with regulatory requirements, they protect both their conversion and their compliance posture.

KPIs That Show Whether You Are Balanced (Not Over- or Under-Complying)

Merchants often struggle to understand whether their checkout is too strict, too lenient or properly aligned with regulatory expectations. Looking at surface-level metrics, such as overall approval rate, rarely provides enough insight. To evaluate whether conversion and compliance are in balance, merchants need to monitor signals that reflect both user experience and regulatory performance.

KPIs that reveal the quality of your balance

A consistently high SCA completion rate is one of the strongest indicators of alignment. When users pass authentication smoothly, it suggests that the merchant is applying PSD3 requirements correctly while keeping the experience manageable. If completion rates drop, it may point to design gaps, wrong exemption usage or poor acquirer configurations.

Another useful metric is the proportion of soft declines that can be successfully recovered. High recovery rates show that the merchant is managing authentication and risk checks intelligently; low recovery rates may indicate excessive or misapplied compliance friction. Similarly, tracking decline reasons, issuer suspicion, velocity checks, and mismatched data helps merchants identify whether AMLD6 monitoring is triggering declines unnecessarily or failing to escalate truly high-risk cases.

A balanced checkout is one where fraud alerts, SCA challenges and routing behaviour all work together to support smooth approvals. When these KPIs move in harmony, merchants can be confident that they are neither over-applying nor under-applying compliance, and that their optimisation strategy is producing sustainable results.

2026 Readiness Checklist: Compliant Optimisation Strategy

Preparing for 2026 means ensuring that your checkout flow can withstand regulatory expectations while still converting effectively. The following checklist summarises the essential elements merchants should have in place as PSD3, PSR and AMLD6 reshape payment journeys across Europe.

A compliant, optimised checkout begins with reliable SCA logic. Merchants should confirm that their PSP supports biometric authentication paths, exemption frameworks and consistent challenge flows. At the same time, AMLD6 requires clear escalation rules for unusual activity, so risk checks must be both explainable and proportionate.

Data integrity is another key consideration. Transaction metadata device signals, recurring identifiers, and location markers must be clean and consistent to support issuer decisioning. Merchants also need visibility over soft declines so that retries can be executed safely and within regulatory boundaries.

Finally, orchestration should be configured to enforce compliance rules while preserving a smooth experience for customers. This means using acquirers that support relevant exemptions, applying authentication routes intelligently and ensuring that every step of the journey is transparent, traceable and regulator-ready.

A merchant who can say “yes” to each item on this list is well-positioned for the regulatory landscape of 2026.

Conclusion

The tension between conversion and compliance has always shaped online payments, but in 2026 the balance becomes even more important. PSD3, PSR and AMLD6 raise expectations around authentication, transparency and monitoring, leaving merchants with little room for shortcuts. Yet these same regulations create an opportunity: when implemented thoughtfully, they support cleaner signals, stronger issuer trust and more predictable approval outcomes.

A successful checkout is not the one with the fewest steps, but the one where every step has a clear purpose. By understanding which elements of friction are legally required and which can be redesigned, merchants can present a journey that feels simple to the customer while satisfying all regulatory obligations behind the scenes. Intelligent use of orchestration, risk tools and PSP configurations strengthens this balance even further.

Merchants who embrace compliance as part of the optimisation process rather than something that competes with it will be the ones who outperform in the years ahead. In a landscape where trust and clarity matter more than ever, the best checkout flows will be those that convert confidently and comply consistently.

---

FAQs