EU Banking Authority Payment Fraud Consult May Impact PSD2

The European Banking Authority (EBA) on Tuesday, April 19 will close a public consultation launched in January to better understand certain trends of payment fraud in Europe, and to figure out the origins of some types of fraud by payment method. 

The discussion paper released by the EBA in January analyzed payment fraud data provided by the national competent authorities (NCA) during 4 semesters, from H1 20219 to H2 2020, for credit card payments, credit transfers and cash withdrawals. While the data is reliable for most of the periods and payment methods, the EBA warned that as the NCA didn’t provide enough information for some segments, the report excluded data for certain countries and periods to avoid inconsistencies. 

The responses provided by stakeholders will likely be used to understand the origins of certain types of fraud and to design better guidelines in the future. The EBA didn’t suggest that this data will also be used for the future amendment of the payment service directive 2 (PSD2) — which, according to the European Commission, could begin preparatory work in 2022 — but such use can’t be ruled out, since the data analyzed in the report is some of the data required by the PSD2. 

The preliminary findings by the EBA are, in most cases, in line with what one could expect for payment transactions. For instance, the fraud rate for credit card transactions is higher (up to 42 times higher) than credit transfers. The data shows that card payments are by far the most frequently used payment instrument, and that these transactions experience higher fraud rates but lower average fraud amounts compared with other selected payment instruments. 

Another expected trend is the fraud rate for domestic versus cross-border transactions. Fraudulent cross-border transactions represent 17 % of fraudulent cash withdrawals, 31 % of fraudulent credit transfers, 81% of fraudulent card payments reported by issuers and 94 % of fraudulent card payments reported by acquirers. If we look at more disaggregated data, the fraud rate of non-remote card payments for domestic payments (within the same country) is just 0.0007% — this figure goes up to 0.002% if the payment is outside the country but still within the European Economic Area (EEA), but this figure goes up to 0.1% if the payment is outside the EEA. 

But perhaps the most interesting part of the report is about the data and trends that are “inconclusive,” according to the EBA. For instance, the report found that the fraud rates in transactions authenticated with Strong Customer Authentication (SCA) were generally lower than in transactions without SCA. However, this doesn’t hold true in remote credit transfers, where the fraud share for credit transfers authenticated with SCA is two times higher compared to transactions without SCA. One possible explanation: authorized push payment fraud. These are transactions initiated by the account holder as a result of a scam, a fake ad or phishing. For these cases the EBA suggests that “the implementation of SCA is not sufficient to prevent fraud.” The EBA is asking stakeholders to provide further explanations that could potentially explain this data. This type of fraud has grown in the last years with the help of social media and due to COVID-19, and some countries like the U.K. are passing new laws (i.e. the Online Safety Bill) that could prevent scammers from using online platforms to reach potential victims. 

Read More: UK Online Safety Bill Can Reduce Authorized Push Payment Fraud 

Another area that may require further analysis is who should bear the losses for fraudulent payments. The data shows that users bear 68% of the losses due to fraudulent credit transfers, and similar data is provided for cash withdrawals. For card payments it is around 30%. Yet, according to the EBA, “this pattern is somewhat at odds with Article 73 of the PSD2, which provides that liability for unauthorized transactions should lie primarily with the Payment Service Providers (PSPs) (unless the user has acted fraudulently).” The data isn’t consistent across Member States either. The EBA doesn’t suggest that it will act to reduce these differences or to make sure that the liabilities lie with the PSPs, but it is noticeable that one third of the questions for the stakeholders in this consultation refer to this particular issue.