ARTICLE
20 May 2024

EBA Publishes Opinion On New Types Of Payment Fraud And Possible Mitigations

PL
PwC Legal Germany

Contributor

PwC Legal Germany logo
In today’s rapidly evolving marketplace, our clients are increasingly concerned with business collaborations, restructuring, mergers and acquisitions, financing and questions of social responsibility. They need legal security when dealing with such complex issues. That is why we work closely with PwC’s tax, human resources and finance experts and draw on the resources of our legal network in more than 100 countries to deliver comprehensive advice. Whether a global player, a public body or a wealthy individual, each client can rely on a personal account manager to address his or her specific legal needs. This dedication helps us ensure our client’s long-term business success. PwC Legal. More than 220 lawyers at 18 locations. Integrated legal advice for the real world.
Explore
On 29 April 2024, the European Banking Authority (EBA) published an opinion on new types of payment fraud and possible mitigants, addressed to the EU co-legislators and the EU Commission (the Opinion).
European Union Finance and Banking
Photo of Michael Huertas
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

QuickTake

On 29 April 2024, the European Banking Authority (EBA) published an opinion on new types of payment fraud and possible mitigants, addressed to the EU co-legislators and the EU Commission (the Opinion). Available here.1 The Opinion is based on the EBA's assessment of fraud data for the year 2022, which showed that instant payments feature notably higher fraud rates than traditional credit transfers, and that a relevant part of the fraud losses are borne by the customers, especially for credit transfers. The Opinion also identified three categories of emerging fraud types, namely manipulation of the payer, mixed social engineering and technical scam as well as the manipulation of the payee.

The Opinion welcomes the new security provisions included in the EU Commission's proposals for the Payment Services Regulation (PSR) and a Third Payment Services Directive (PSD3) as well as the recently adopted Instant Payments Regulation, which aim to enshrine anti-fraud requirements for retail payments for several years. 3 However, the opinion also recommends additional measures to address the dynamic nature of fraud observed, and to help further strengthen the forthcoming legislative framework. These measures include, inter alia, clarifying the application of Strong Customer Authentication (SCA), requiring PSPs to offer customers the possibility to set payment limits, enhancing transaction monitoring (TM) by both payer's and payee's PSPs, requiring PSPs to share fraud-related information among themselves and specifying the liability rules in case of disputes about suspected fraud between customers and PSPs.

This Client Alert should be read in conjunction with further analysis (including on PSR/PSD3) available from PwC Legal's dedicated EU Regulatory Compliance Operations, Risk and Engagement (EU RegCORE) centre.

Key takeaways from the draft RTS

The Opinion articulates recommendations for additional security measures, which have benefited from recent fraud prevention experiences by national competent authorities (NCAs) in their jurisdictions, and which can be grouped into four main categories:

  1. measures related to the access to a payment account and the issuing of payment transactions/orders;
  2. measures related to the TM;
  3. measures related to the procedure for the enrolment of a customer device as a second factor of the SCA; and
  4. measures related to the provision of customer assistance with regards to any security aspects of the service and notification of anomalies and suspected fraud.

The Opinion also advises the EU co-legislators and the EU Commission to set out requirements for a fraud risk management framework to be put in place by PSPs, as part of the existing broader framework on risk management policies under PSD2 and the EU's Regulation on digital operational resilience for the financial sector (DORA). Such framework would provide for periodical fraud risk assessment, a fraud risk statement, regular monitoring of own fraud levels, and regular update of the security measures implemented to mitigate the risk of fraud.

Furthermore, the Opinion advises to strengthen and harmonise the supervision of fraud management, leveraging on supervisory best practices used in some Member States, as well as the fraud data collected under the reporting framework already implemented under PSD2. To achieve this, the Opinion suggests further requirements in the PSR, such as requiring NCAs to regularly monitor fraud data collected from the relevant PSPs at national level, to follow up possible outliers, and to monitor the correct recourse to SCA and SCA exemptions by PSPs.

Crucially, the Opinion also suggests some additional measures that go beyond the EU Commission's proposals, and that would require further legislative and regulatory changes, as well as operational and compliance adjustments by the PSPs and the PSUs. These measures include the following:

  • Clarifying the application of SCA and its exemptions, and ensuring that the two SCA factors belong to different categories (knowledge, possession, or inherence) and are not compromised or shared by the PSU.
  • Requiring PSPs to offer customers the ability to set payment limits for different types of transactions and payment instruments, and to respect a delay of at least 24 hours for any request to increase the limit. 31
  • Enhancing the TM by both the payer's and the payee's PSPs, and requiring them to exchange information on the risk profile and the fraud status of the transactions, as well as to notify the PSUs of any anomalies or suspected fraud.
  • Requiring PSPs to share fraud-related information with other PSPs, NCAs, and the EBA, and to create a single EU-wide platform for information sharing, subject to security requirements and data protection rules.
  • Specifying the liability rules in case of disputes about suspected fraud between the PSUs and the PSPs, and clarifying the concepts of authorised and unauthorised transactions, gross negligence, and reimbursement.

Finally, the Opinion advises the EU co-legislators and the EU Commission to consider further strengthening the fraud data sharing amongst PSPs envisaged in Art. 9 of the PSR proposal, by creating a single EU-wide platform for information sharing, subject to appropriate security requirements. The Opinion does not provide further details on the design, governance, or operation of such platform, but implies that it would facilitate the detection and prevention of fraud across the EU payment services market.

Key considerations for financial services firms

The Opinion has significant implications for financial services firms operating or providing payment services in the EU, as it may entail additional compliance costs and operational changes, as well as potential benefits and opportunities, depending on the final shape and scope of the new legal framework.

Some of the main practical implications for financial services firms are:

  • PSPs will have to implement the IBAN/Name check for all credit transfers in Euro, both domestic and cross-border, by the deadlines set out in the Instant Payments Regulation, which vary depending on the currency and the location of the PSPs. This will require PSPs to ensure the technical compatibility and interoperability of their systems and processes with the service provider designated by the ECB, and to inform their customers of the functioning and implications of the service, including the possibility of receiving notifications of mismatch between the IBAN and the name of the beneficiary, and the option to cancel or confirm the payment order.
  • PSPs will have to comply with the enhanced TM requirements proposed by the EC in the PSR, and possibly with the additional measures recommended by the EBA, such as performing TM before the execution of the transaction, applying TM to all electronic payment channels, screening received payment transactions, and sharing fraud related information with other PSPs. This will require PSPs to invest in advanced and real-time TM systems and tools, to establish effective and secure communication and cooperation mechanisms with other PSPs and authorities, and to balance the need to prevent and detect fraud with the need to ensure a smooth and efficient payment experience for their customers.
  • PSPs will have to offer their customers the possibility to set daily or per payment limits for each payment instrument, and to respect a proper delay for any resulting increase of spending limits to come into effect. This will require PSPs to adjust their systems and processes to enable and monitor such limits, and to communicate clearly and transparently with their customers about the default and customised values and their implications for the security and convenience of the payment service.
  • PSPs will have to ensure that the two SCA factors belong to at least two different categories, as clarified by the EBA, and to follow a specific procedure for the enrolment of a customer device as a second factor of the SCA, involving an appropriate elapse of time and an alert to the already enrolled device. This will require PSPs to review and update their SCA methods and solutions, and to ensure their compliance with the RTS and the EBA guidelines on SCA and common and secure communication.
  • PSPs will have to provide customer assistance with regards to any security aspects of the service and notification of anomalies and suspected fraud, including the possibility that the customer promptly reaches out to trained staff and that the relevant case is timely followed up by the PSP, as needed. This will require PSPs to establish and maintain adequate and accessible customer service channels and resources, and to train their staff on the relevant security and fraud prevention issues and procedures.
  • PSPs will have to put in place a fraud risk management framework, including a regular fraud risk assessment, a fraud risk statement, a regular monitoring of own fraud levels, and a regular update of the security measures implemented to mitigate the risk of fraud. This will require PSPs to integrate and align their fraud risk management policies and practices with their existing risk management frameworks under PSD2 and DORA, and to report and disclose their fraud risk and performance indicators to the relevant authorities and stakeholders.
  • PSPs will have to comply with the clarified liability rules in the PSR, in particular the delineation between authorised and unauthorised transactions and the concept of gross negligence, as advised by the EBA. This will require PSPs to review and update their contractual terms and conditions with their customers, and to ensure a fair and consistent application of the liability rules in case of disputes over suspected fraud, taking into account all the relevant factors and circumstances of each case.

In terms of the improvements required to fraud risk management framework, PSPs may also need to adapt their systems, processes, policies, and governance to establish a fraud risk management framework, which would require them to:

  • Conduct periodic fraud risk assessments, taking into account the fraud data, the fraud typologies, the customer behaviour, the market developments, and the regulatory requirements.
  • Produce a fraud risk statement, which would describe the fraud risk appetite, the fraud risk profile, the fraud risk mitigation measures, and the fraud risk monitoring and reporting mechanisms.
  • Monitor their own fraud levels on a regular basis, using appropriate indicators and benchmarks, and comparing them with the market averages and the regulatory thresholds.
  • Update their security measures on a regular basis, taking into account the fraud risk assessment results, the customer feedback, the market innovations, and the regulatory changes.

PSPs may also need to comply with the clarified liability rules in the PSR, which would require them to:

  • Prove that the transaction was authorised by the PSU, and that the PSU did not act fraudulently or with gross negligence, in order to avoid the liability for the reimbursement of the transaction amount.
  • Define the concept of gross negligence in a clear and objective manner, and not in a way that would shift the burden of proof to the PSU or that would unduly restrict the PSU's rights.
  • Refund the PSU without undue delay, and in any case within 15 days, unless there are reasonable grounds to suspect fraud by the PSU, in which case the PSP must inform the NCA of the reasons for the refusal.

Finally, PSPs may need to participate in the pan-EU information sharing platform, which would require them to:

  • Comply with the security requirements and the data protection rules for the treatment of fraud data, and to ensure the confidentiality, integrity, and availability of the data.
  • Exchange fraud data with other PSPs, NCAs, and the EBA, using standardised formats and protocols, and to use the data for fraud detection and prevention purposes only.
  • Contribute to the development and the maintenance of the platform, and to cooperate with the EBA and the NCAs in the oversight and the governance of the platform.

Outlook

While the Opinion is from a formal perspective not legally binding it does reflect the EBA's supervisory and policy views. Notably it communicates the EBA's expectations on the future development of the EU payment services legislation and supervision by NCAs, who must follow the EBA's expectations. Therefore, it is relevant for financial services firms that provide or use payment services in the EU, as it indicates the possible direction and scope of the upcoming regulatory changes and the potential implications for their business models, risk management, compliance, and customer relations.

Depending on the outcome of the legislative process and the implementation of the proposed measures, financial services firms may need to adapt their systems, processes, policies, and procedures to meet the new requirements, as well as to monitor and report on their fraud performance and mitigation actions. Moreover, financial services firms may also need to engage with their customers, counterparties and regulators to ensure a smooth transition and a clear understanding of the new rules and responsibilities.

Financial service firms that are active or interested in the EU payment services market should carefully review the Opinion and its implications and prepare for the upcoming regulatory changes and the market expectations.

Footnote

1. Available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Michael Huertas
Michael Huertas
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More