EBA publishes Opinion on new types of payment fraud and possible mitigations
RegCORE Client Alert | Banking Union | Capital Markets Union | EU Digital Single Market
QuickTake
On 29 April 2024, the European Banking Authority (EBA) published an opinion on new types of payment fraud and possible mitigations, addressed to the EU co-legislators and the EU Commission (the Opinion). The Opinion is based on the EBA's assessment of fraud data for the year 2022, which showed that instant payments feature notably higher fraud rates than traditional credit transfers, and that a significant share of the fraud losses is borne by customers, especially for credit transfers. The Opinion also identified three categories of emerging fraud types: manipulation of the payer, mixed social engineering and technical scams, and manipulation of the payee.
The Opinion welcomes the new security provisions included in the EU Commission's proposals for the Payment Services Regulation (PSR) and a Third Payment Services Directive (PSD3), as well as the recently adopted Instant Payments Regulation, which together aim to set the anti-fraud requirements for retail payments for years to come. However, the Opinion also recommends additional measures to address the dynamic nature of the fraud observed and to further strengthen the forthcoming legislative framework. These measures include, inter alia, clarifying the application of Strong Customer Authentication (SCA), requiring PSPs to offer customers the possibility to set payment limits, enhancing transaction monitoring (TM) by both the payer's and the payee's PSPs, requiring PSPs to share fraud-related information among themselves, and specifying the liability rules in case of disputes about suspected fraud between customers and PSPs.
This Client Alert should be read in conjunction with further analysis (including on PSR/PSD3) available from PwC Legal’s dedicated EU Regulatory Compliance Operations, Risk and Engagement (EU RegCORE) centre.
Key takeaways from the Opinion
The Opinion articulates recommendations for additional security measures, drawing on the recent fraud prevention experience of national competent authorities (NCAs) in their jurisdictions, which can be grouped into four main categories:
- measures related to the access to a payment account and the issuing of payment transactions/orders;
- measures related to the TM;
- measures related to the procedure for the enrolment of a customer device as a second factor of the SCA; and
- measures related to the provision of customer assistance with regards to any security aspects of the service and notification of anomalies and suspected fraud.
The Opinion also advises the EU co-legislators and the EU Commission to set out requirements for a fraud risk management framework to be put in place by PSPs, as part of the existing broader framework on risk management policies under PSD2 and the EU's Regulation on digital operational resilience for the financial sector (DORA). Such a framework would provide for a periodic fraud risk assessment, a fraud risk statement, regular monitoring of the PSP's own fraud levels, and regular updating of the security measures implemented to mitigate the risk of fraud.
Furthermore, the Opinion advises strengthening and harmonising the supervision of fraud management, leveraging supervisory best practices used in some Member States as well as the fraud data collected under the reporting framework already implemented under PSD2. To achieve this, the Opinion suggests further requirements in the PSR, such as requiring NCAs to regularly monitor the fraud data collected from the relevant PSPs at national level, to follow up on possible outliers, and to monitor the correct recourse to SCA and SCA exemptions by PSPs.
Crucially, the Opinion also suggests some additional measures that go beyond the EU Commission's proposals, and that would require further legislative and regulatory changes, as well as operational and compliance adjustments by the PSPs and the PSUs. These measures include the following:
- Clarifying the application of SCA and its exemptions, and ensuring that the two SCA factors belong to different categories (knowledge, possession, or inherence) and are not compromised or shared by the PSU.
- Requiring PSPs to offer customers the ability to set payment limits for different types of transactions and payment instruments, and to apply a delay of at least 24 hours before any requested increase of a limit takes effect.
- Enhancing the TM by both the payer's and the payee's PSPs, and requiring them to exchange information on the risk profile and the fraud status of the transactions, as well as to notify the PSUs of any anomalies or suspected fraud.
- Requiring PSPs to share fraud-related information with other PSPs, NCAs, and the EBA, and to create a single EU-wide platform for information sharing, subject to security requirements and data protection rules.
- Specifying the liability rules in case of disputes about suspected fraud between the PSUs and the PSPs, and clarifying the concepts of authorised and unauthorised transactions, gross negligence, and reimbursement.
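The two measures above that rely on a waiting period (a 24-hour delay before a requested payment-limit increase takes effect, and a delay plus an alert to already-enrolled devices before a new device is enrolled as an SCA factor) share one control pattern: the change is recorded as pending, every enrolled device is told about it, and it is applied only once the delay has elapsed and nobody has cancelled it. The following Python model is an added example and is not code from the EBA Opinion or from PwC Legal; the 24-hour enrolment delay, the data model, the device identifiers and the `T0` timestamp are assumptions made for illustration.

```python
"""Cooling-off control for security-sensitive account changes.

Added example (not from the EBA Opinion or PwC Legal). It models two of the
Opinion's recommendations: a payer-requested payment-limit increase takes
effect only after at least 24 hours, and enrolling a new customer device as an
SCA factor completes only after a waiting period and an alert to the devices
already enrolled. The enrolment delay length and the data model are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

LIMIT_INCREASE_DELAY = timedelta(hours=24)    # minimum delay named in the Opinion
DEVICE_ENROLMENT_DELAY = timedelta(hours=24)  # assumed; the Opinion only says "appropriate"
T0 = datetime(2024, 4, 29, 9, 0, tzinfo=timezone.utc)  # constructed reference time


def hours_after(t: datetime, hours: float) -> datetime:
    return t + timedelta(hours=hours)


@dataclass
class PendingChange:
    kind: str                 # "limit_increase" or "device_enrolment"
    payload: tuple            # (instrument, new_limit) or (device_id,)
    requested_at: datetime
    effective_at: datetime
    cancelled: bool = False


@dataclass
class Account:
    limits: dict               # instrument -> daily limit in cents
    devices: list              # device ids already enrolled as SCA possession factor
    pending: list = field(default_factory=list)
    alerts: list = field(default_factory=list)   # (device_id, message) pairs

    def alert_enrolled_devices(self, message: str) -> None:
        # Every already-enrolled device learns of the pending change, so the
        # genuine customer can cancel a request that a fraudster initiated.
        # (A first-ever enrolment has nobody to alert; that case needs another
        # channel and is out of scope here.)
        for device in self.devices:
            self.alerts.append((device, message))


def request_limit_change(acct: Account, instrument: str, new_limit: int,
                         now: datetime) -> Optional[PendingChange]:
    """Decreases apply at once (they reduce exposure); increases are queued."""
    if new_limit <= acct.limits[instrument]:
        acct.limits[instrument] = new_limit
        return None
    change = PendingChange("limit_increase", (instrument, new_limit),
                           now, now + LIMIT_INCREASE_DELAY)
    acct.pending.append(change)
    acct.alert_enrolled_devices(
        f"limit on {instrument} rises to {new_limit} at {change.effective_at.isoformat()}")
    return change


def request_device_enrolment(acct: Account, device_id: str, now: datetime) -> PendingChange:
    change = PendingChange("device_enrolment", (device_id,),
                           now, now + DEVICE_ENROLMENT_DELAY)
    acct.pending.append(change)
    acct.alert_enrolled_devices(
        f"device {device_id} asked to be enrolled; cancel if this was not you")
    return change


def cancel_change(change: PendingChange) -> None:
    change.cancelled = True


def apply_due_changes(acct: Account, now: datetime) -> list:
    """Apply every non-cancelled change whose delay has elapsed; drop cancelled ones."""
    applied = []
    for change in list(acct.pending):
        if change.cancelled:
            acct.pending.remove(change)
        elif change.effective_at <= now:
            if change.kind == "limit_increase":
                instrument, new_limit = change.payload
                acct.limits[instrument] = new_limit
            else:
                acct.devices.append(change.payload[0])
            acct.pending.remove(change)
            applied.append(change)
    return applied


def authorise_payment(acct: Account, instrument: str, amount: int,
                      spent_today: int, now: datetime) -> bool:
    """Enforce the limit in force now, i.e. after applying only the due changes."""
    apply_due_changes(acct, now)
    return spent_today + amount <= acct.limits[instrument]


def demo() -> dict:
    """Constructed scenario: a raised limit is not usable inside the 24 hours."""
    acct = Account(limits={"card": 50_000}, devices=["phone-A"])
    request_limit_change(acct, "card", 200_000, T0)
    limit_during_delay = acct.limits["card"]
    allowed_at_23h = authorise_payment(acct, "card", 100_000, 0, hours_after(T0, 23))
    allowed_at_24h = authorise_payment(acct, "card", 100_000, 0, hours_after(T0, 24))
    enrolment = request_device_enrolment(acct, "phone-B", hours_after(T0, 24))
    cancel_change(enrolment)                       # customer rejects it from phone-A
    apply_due_changes(acct, hours_after(T0, 72))
    return {"limit_during_delay": limit_during_delay, "allowed_at_23h": allowed_at_23h,
            "allowed_at_24h": allowed_at_24h, "limit_after": acct.limits["card"],
            "devices": list(acct.devices), "alerts_sent": len(acct.alerts)}


if __name__ == "__main__":
    print(demo())
```

The asymmetry is deliberate: a decrease of a limit lowers the fraudster's potential take and therefore applies immediately, while an increase is what a manipulated payer or a compromised session would ask for and so waits out the delay, during which the alert on the already-enrolled device gives the genuine customer a chance to cancel.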
Finally, the Opinion advises the EU co-legislators and the EU Commission to consider further strengthening the fraud data sharing amongst PSPs envisaged in Art. 9 of the PSR proposal, by creating a single EU-wide platform for information sharing, subject to appropriate security requirements. The Opinion does not provide further details on the design, governance, or operation of such platform, but implies that it would facilitate the detection and prevention of fraud across the EU payment services market.
Key considerations for financial services firms
The Opinion has significant implications for financial services firms operating or providing payment services in the EU, as it may entail additional compliance costs and operational changes, as well as potential benefits and opportunities, depending on the final shape and scope of the new legal framework.
Some of the main practical implications for financial services firms are:
- PSPs will have to implement the IBAN/Name check for all credit transfers in euro, both domestic and cross-border, by the deadlines set out in the Instant Payments Regulation, which differ for PSPs located in euro-area and in non-euro-area Member States. This will require PSPs to ensure the technical compatibility and interoperability of their systems and processes with the verification service they use to perform the check and with the other PSPs involved, and to inform their customers of the functioning and implications of the service, including the possibility of receiving a notification of a mismatch between the IBAN and the name of the beneficiary, and the option to cancel or confirm the payment order.
- PSPs will have to comply with the enhanced TM requirements proposed by the EU Commission in the PSR, and possibly with the additional measures recommended by the EBA, such as performing TM before the execution of the transaction, applying TM to all electronic payment channels, screening received payment transactions, and sharing fraud-related information with other PSPs. This will require PSPs to invest in advanced, real-time TM systems and tools, to establish effective and secure communication and cooperation mechanisms with other PSPs and authorities, and to balance the need to prevent and detect fraud against the need to ensure a smooth and efficient payment experience for their customers.
- PSPs will have to offer their customers the possibility to set daily or per-payment limits for each payment instrument, and to apply an appropriate delay (at least 24 hours under the Opinion) before any resulting increase of a spending limit takes effect. This will require PSPs to adjust their systems and processes to enable and monitor such limits, and to communicate clearly and transparently with their customers about the default and customised values and their implications for the security and convenience of the payment service.
- PSPs will have to ensure that the two SCA factors belong to at least two different categories, as clarified by the EBA, and to follow a specific procedure for the enrolment of a customer device as a second factor of the SCA, involving an appropriate waiting period and an alert to the already enrolled device. This will require PSPs to review and update their SCA methods and solutions, and to ensure their compliance with the RTS and the EBA guidelines on SCA and common and secure communication.
- PSPs will have to provide customer assistance with regard to any security aspect of the service and the notification of anomalies and suspected fraud, including the possibility for the customer to promptly reach trained staff and for the relevant case to be followed up by the PSP in a timely manner, as needed. This will require PSPs to establish and maintain adequate and accessible customer service channels and resources, and to train their staff on the relevant security and fraud prevention issues and procedures.
- PSPs will have to put in place a fraud risk management framework, including a regular fraud risk assessment, a fraud risk statement, a regular monitoring of own fraud levels, and a regular update of the security measures implemented to mitigate the risk of fraud. This will require PSPs to integrate and align their fraud risk management policies and practices with their existing risk management frameworks under PSD2 and DORA, and to report and disclose their fraud risk and performance indicators to the relevant authorities and stakeholders.
- PSPs will have to comply with the clarified liability rules in the PSR, in particular the delineation between authorised and unauthorised transactions and the concept of gross negligence, as advised by the EBA. This will require PSPs to review and update their contractual terms and conditions with their customers, and to ensure a fair and consistent application of the liability rules in case of disputes over suspected fraud, taking into account all the relevant factors and circumstances of each case.
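The first item of the list above (the IBAN/Name check, also called verification of payee) is the one control whose mechanics a payer's PSP has to build into the payment flow itself: validate the payee IBAN, obtain the account holder name held by the payee's PSP, compare it with the name the payer typed, and, on a mismatch, warn the payer and let them confirm or cancel. The Python below is an added example written for this alert; it is not code from the EBA, PwC Legal or any payment scheme. The in-memory `DIRECTORY` stands in for the payee PSP's response, and the 0.85 similarity threshold, the outcome labels and the sample IBANs (standard ISO 13616 example values) are assumptions for illustration; real schemes define their own match categories.

```python
"""IBAN/Name check (verification of payee) before a euro credit transfer.

Added example (not the EBA's, PwC Legal's or any scheme's code). Validates the
payee IBAN checksum, looks the account up in a constructed directory standing in
for the payee PSP's answer, and classifies the payer-supplied name as match /
close match / no match so the payer can be warned and asked to confirm or
cancel. Threshold, labels and directory contents are assumptions.
"""
import difflib
import re
import unicodedata

# Constructed directory: payee IBAN -> account holder name as held by the payee PSP.
DIRECTORY = {
    "DE89370400440532013000": "Müller GmbH",
    "GB82WEST12345698765432": "Mustermann, Max",
}
CLOSE_MATCH_THRESHOLD = 0.85  # assumption; schemes set their own matching rules


def canonical_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters A..Z to 10..35 and require the resulting integer to be 1 mod 97."""
    iban = canonical_iban(iban)
    if not (15 <= len(iban) <= 34) or not iban.isascii() or not iban.isalnum():
        return False
    rotated = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rotated)  # '7' -> 7, 'W' -> 32
    return int(digits) % 97 == 1


def normalise_name(name: str) -> str:
    """Case-, diacritic-, punctuation- and word-order-insensitive form of a name,
    so 'Mustermann, Max' and 'Max Mustermann' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[A-Z0-9]+", ascii_name.upper())
    return " ".join(sorted(tokens))


def verify_payee(iban: str, payer_supplied_name: str) -> str:
    """Outcome of the check; the caller decides what the payer sees."""
    if not iban_is_valid(iban):
        return "invalid_iban"
    holder = DIRECTORY.get(canonical_iban(iban))
    if holder is None:
        return "unable_to_verify"   # assumption: account unknown to the directory
    held, supplied = normalise_name(holder), normalise_name(payer_supplied_name)
    if held == supplied:
        return "match"
    similarity = difflib.SequenceMatcher(None, held, supplied).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return "close_match"        # e.g. a transliterated umlaut or a typo
    return "no_match"


def payer_prompt(outcome: str) -> str:
    """What the payer's PSP shows before the order is confirmed or cancelled.
    Only a full match proceeds silently; everything else is surfaced to the payer."""
    return {
        "match": "proceed",
        "close_match": "warn: name differs slightly from account holder; confirm or cancel",
        "no_match": "warn: name does not match account holder; confirm or cancel",
        "unable_to_verify": "warn: payee could not be verified; confirm or cancel",
        "invalid_iban": "reject: IBAN fails checksum, correct it before retrying",
    }[outcome]


if __name__ == "__main__":
    for iban, name in [("DE89 3704 0044 0532 0130 00", "Mueller GmbH"),
                       ("GB82WEST12345698765432", "Max Mustermann"),
                       ("DE89370400440532013000", "Jane Doe"),
                       ("DE89370400440532013001", "Müller GmbH")]:
        outcome = verify_payee(iban, name)
        print(f"{iban:30} {name:16} -> {outcome}: {payer_prompt(outcome)}")
```

Two design points matter for fraud prevention rather than for correctness: the checksum test catches transcription errors but says nothing about who holds the account, which is why a valid IBAN with a "no match" result still has to be surfaced to the payer; and a "close match" is reported as a warning rather than silently accepted, because a scammer who registers a look-alike name is precisely the case the mismatch notification is meant to expose.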
To establish the fraud risk management framework the Opinion calls for, PSPs may also need to adapt their systems, processes, policies and governance, which would require them to:
- Conduct periodic fraud risk assessments, taking into account the fraud data, the fraud typologies, the customer behaviour, the market developments, and the regulatory requirements.
- Produce a fraud risk statement, which would describe the fraud risk appetite, the fraud risk profile, the fraud risk mitigation measures, and the fraud risk monitoring and reporting mechanisms.
- Monitor their own fraud levels on a regular basis, using appropriate indicators and benchmarks, and comparing them with the market averages and the regulatory thresholds.
- Update their security measures on a regular basis, taking into account the fraud risk assessment results, the customer feedback, the market innovations, and the regulatory changes.
PSPs may also need to comply with the clarified liability rules in the PSR, which would require them to:
- Bear the burden of proof: to refuse a refund, demonstrate that the transaction was authenticated, accurately recorded and not affected by a technical breakdown, and that the PSU acted fraudulently or with gross negligence; use of the payment instrument alone is not sufficient to prove either authorisation by the PSU or fraud or gross negligence on the PSU's part.
- Define the concept of gross negligence in a clear and objective manner, and not in a way that would shift the burden of proof to the PSU or that would unduly restrict the PSU's rights.
- Refund the PSU for an unauthorised transaction without undue delay, and in any event no later than the end of the following business day (the PSD2 deadline retained in the PSR proposal), unless the PSP has reasonable grounds to suspect fraud by the PSU, in which case the PSP must inform the NCA in writing of the grounds for the refusal.
Finally, PSPs may need to participate in the pan-EU information sharing platform, which would require them to:
- Comply with the security requirements and the data protection rules for the treatment of fraud data, and to ensure the confidentiality, integrity, and availability of the data.
- Exchange fraud data with other PSPs, NCAs, and the EBA, using standardised formats and protocols, and to use the data for fraud detection and prevention purposes only.
- Contribute to the development and the maintenance of the platform, and to cooperate with the EBA and the NCAs in the oversight and the governance of the platform.
Outlook
While the Opinion is, from a formal perspective, not legally binding, it does reflect the EBA's supervisory and policy views. Notably, it communicates the EBA's expectations on the future development of EU payment services legislation and on supervision by NCAs, which can be expected to take the EBA's views into account in their own supervisory practice. It is therefore relevant for financial services firms that provide or use payment services in the EU, as it indicates the likely direction and scope of the upcoming regulatory changes and the potential implications for their business models, risk management, compliance, and customer relations.
Depending on the outcome of the legislative process and the implementation of the proposed measures, financial services firms may need to adapt their systems, processes, policies, and procedures to meet the new requirements, as well as to monitor and report on their fraud performance and mitigation actions. Moreover, financial services firms may also need to engage with their customers, counterparties and regulators to ensure a smooth transition and a clear understanding of the new rules and responsibilities.
Financial service firms that are active or interested in the EU payment services market should carefully review the Opinion and its implications and prepare for the upcoming regulatory changes and the market expectations.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these and related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities, as well as in proactively engaging with their market stakeholders and regulators.
Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, leveraging our Rule Scanner technology, we offer a further solution that digitises financial services firms' relevant internal policies and procedures. It creates a comprehensive documentation inventory with an established documentation hierarchy and an embedded glossary, under version control over a defined backward- and forward-looking timeline, so that changes in one policy are carried through to other policy and procedure documents, critical path dependencies are mapped, and legislative and regulatory developments are flagged where they may require action in such policies and procedures.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.