Thank you for the reply.
I can refer to the recent guidance from the EDPB on fraud prevention in the financial services sector and the interplay between PSD2 and GDPR. The guidance states:
2.3 Fraud prevention
Article 94 (1) PSD2 states that Member States shall permit processing of personal data by payment systems and payment service providers when necessary to safeguard the prevention, investigation and detection of payment fraud. The processing of personal data strictly necessary for the purposes of preventing fraud could constitute a legitimate interest of the payment service provider concerned, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. Processing activities for the purpose of fraud prevention should be based on a careful case by case evaluation by the controller, in accordance with the accountability principle. In addition, to prevent fraud, controllers may also be subject to specific legal obligations that necessitate the processing of personal data.
The above provides little clarity, especially as fraud prevention techniques often use explicit device fingerprinting methods to ensure a robust link between identity holder and mobile device is created (and indeed shared across service providers to maintain system integrity). These binding methods (it seems) are being ported to applicable sectors, including where wallets are used for identity verification and authentication. This is especially concerning as fraud prevention mechanisms are directly tied to identity verification and authentication processes.