.svg)
Advocates for the tech industry have warned that the European Parliament’s push to include social media and telecommunications firms in the Payment Services Regulation (PSR) fraud regime are misguided, and could backfire for consumers.
In countries such as the UK, payment service providers (PSPs) are held liable and obligated to pay out when instances of authorised push payment (APP) fraud arise.
The financial sector, via trade associations such as the European Payment Institutions Federation and the European Banking Federation, has been pushing for fraud liability to be shared beyond just PSPs.
The sector has argued that online platforms should be held more accountable than they currently are.
It seems the European Parliament agrees — its position on the PSR, which was passed at plenary in April, reads: “Online platforms can also contribute to increasing instances of fraud.”
“Therefore, they should be held liable where fraud has arisen as a direct result of fraudsters using their platform to defraud consumers, if they were informed about fraudulent content on their platform and did not remove it.”
Taking on big tech
The final text of the Parliament’s position is limited to relatively niche instances, and would not capture all the way banks warn that social media platforms such as Meta are allowing fraud to happen.
However, it does open up the possibility for imposing on these platforms a legal liability that has not previously been the case.
"At the moment, under PSD2, it is very difficult to address this type of fraud,” commented Julien Sad, a senior associate at Bird & Bird. “Typically, PSUs [payment service users] who are victims of APP frauds will claim that the payment transaction was unauthorised, which is not obvious since, by essence, the transaction was authorised by the PSU; although, that transaction was fraudulent since PSUs were actually manipulated by the fraudster.”
Sad, who is based in Brussels, explained that often PSUs will try to get a refund from their PSP on the basis of the revised Payment Services Directive (PSD2), as well as anti-money laundering legislation, and a general duty of care, arguing that the transaction was unauthorised.
“Case law is very divided on this question,” he said. “Some courts take the view that the payment was perfectly authorised, leaving no room for debate. However, other courts believe that consent was misrepresented. The situation is highly inconsistent."
From a regulatory certainty perspective, this is far from ideal, and Sad pointed out that this is why it is trying to be addressed under a new regime in the PSR.
“The European Commission’s approach is currently limited to cases where fraudsters impersonate the PSP, rather than broader social engineering scams,” he said. “This excludes situations where an accountant is tricked into initiating the payment by his alleged CEO, or where fraudsters pose as merchants.”
“What Parliament is attempting to do is expand the scope of fraud cases, with the European Parliament suggesting that protections should extend to any scenarios of impersonate fraud."
Pushback from industry
The Parliament’s position has attracted criticism from some stakeholders, including the Computer and Communications Industry (CCIA) Europe, whose membership includes firms such as Meta.
“The Parliament’s proposed shared-liability regime would ultimately encourage blame-shifting,” said Boniface de Champris, senior policy manager at the CCIA.
“If it becomes mandatory to reimburse consumers automatically, banks would be incentivised to try to shift that reimbursement liability to telecom providers or online platforms. Moreover, it would reduce consumer vigilance, rather than fostering it,” he cautioned.
“Tackling payment fraud requires a coordinated, cross-sectoral approach between banks, telecoms and online platforms,” added de Champris.
“Shared liability would only undermine cooperation. Fraud and scams already make up a significant part of tech firms’ preventative efforts.”
“Online platforms are required to remove illegal content as soon as they become aware of it, and also have a strong business incentive to reduce fraud, as it directly impacts their users,” he said.
Matthias Bauer, director at the European Center for International Political Economy (ECIPE), agreed with this.
"I strongly favour improved collaboration and cooperation over imposing liability, which comes with significant drawbacks,” he said.
According to Bauer, “liability could create enforcement challenges, discourage banks from monitoring their own transactions, and result in a flood of claims from banks shifting their duty of care on online platforms”.
“Operationally, detecting suspicious behaviour is complex, and banks that frequently reimburse customers may struggle with disputes,” he said.
“If identifying fraud remains near-impossible, repeated claims could escalate into legal conflicts and, over time, create a large-scale subsidy programme for law firms that further complicates the existing system."
De Champris said that “rather than introducing this flawed liability regime, the EU should focus its efforts on fostering collaboration between banks, online platforms and telecom operators”.
Further, he pointed out the regulatory issues with a broad liability regime. For example, he said, the General Data Protection Regulation (GDPR) represents “a barrier to sharing information about identified scammers. Platforms cannot share these details with other providers or banks, even when acting proactively.”
He also noted the relevance of the international element of much fraudulent activity — most occurs outside Europe, so law enforcement means to intervene are limited.
“When law enforcement is powerless, platforms and telecom providers are equally constrained,” he said.
“Simply introducing a liability regime where everyone is held responsible but lacks the necessary tools to act would be ineffective. It would only result in blame-shifting rather than real solutions.”
How things may unfold
ECIPE’s Bauer suggested that the final text may not include this liability regime, and the way some in the European Commission have reacted suggests he could be right.
As covered by Vixio, Nuno Epifânio, a policy officer at the European Commission’s financial services department (DG FISMA), told the audience at EBAday 2024 that attempts to extend liability through the PSR are misguided.
“One of the usual mistakes made about the PSR is that people think it should regulate everything and you should not look at other pieces of legislation,” he said.
“That is the wrong assumption, because if you are to consider telcos or online operators and whether they are liable or should have a role in preventing fraud, you have to look at the Digital Services Act or the Privacy Directive.”
The difficulty, the senior official said, is putting all of these EU legislative acts together, and making them consistent, “and not to be coming up with solutions that don’t work out”.
It is important not to diverge from the logic already laid down in legislation such as the Digital Services Act (DSA), he said.
Bauer said that his “understanding is that the European Council may take a more nuanced position, while Parliament is overshooting here”.
“The DSA prohibits general monitoring, and my gut feeling is that reason will ultimately prevail. In the end, we will likely arrive at a much narrower set of obligations, focusing on PSPs rather than online platforms, perhaps similar to the approach taken in Singapore,” he said, referencing the recently enacted Shared Responsibility Framework in the Asian city-state.
However, he suggested that he felt the European Commission “is currently also seeking to build up leverage over trade with the United States, and this particular issue could be part of their strategy”.
“It may become a component of a new tech regulation toolkit focusing on US-headquartered online platforms. The amendment originates from the European Parliament, whereas the Commission initially suggested a much more balanced approach,” he said.
However, the tides have shifted with the election of President Donald Trump, who has begun implementing tariffs on the EU.
“This is why they may now consider this as part of their expanded regulatory toolkit, as it serves as a more effective bargaining chip. One example is the EU’s Cloud Certification Scheme,” he said.
