A landmark report by the Euro Retail Payments Board (ERPB) Working Group on Fraud Prevention warns of a growing epidemic in retail payment fraud, and advocates cross-sector collaboration and data sharing to protect consumers across Europe.
In the report, the ERPB, established by the European Central Bank (ECB) in 2013, stresses the need to quickly address evolving threats such as social engineering, identity theft and deep fakes, and notes that cross-border fraud is increasingly challenging for individual payment service providers (PSPs) and authorities to manage.
Emphasising the need for public-private collaboration, the report includes insights from a wide range of stakeholders, including consumer and merchant groups, PSPs, central banks, the European Banking Authority, the European Commission, the European Data Protection Board and Europol.
It comes at the same time as crucial payments legislation, such as the Payment Services Directive (PSD3) and the Payment Services Regulation (PSR), which are being scrutinised by the EU’s political institutions.
“Fraud is a critical issue being viewed from multiple perspectives. The Payment Services Regulation has heightened awareness in Brussels, and it remains a key topic for both the banking industry and policymakers,” said Douglas Lockhart, policy advisor on payments at trade association WSBI-ESBG.
Lockhart, who contributed to the development of the report, told Vixio that it is essential to evaluate the tools needed to effectively combat fraud and address key questions around liability.
Four gamechangers
Ultimately, the report focuses on four possible “gamechangers” to improve the oversight of and outlook for payments fraud.
The four gamechangers aim to strengthen retail payment fraud prevention in the EU by encouraging cross-sector collaboration, improving data sharing across the ecosystem, enhancing regulatory enforcement and bolstering consumer protection through better product design.
The first gamechanger calls for an EU network to coordinate fraud prevention, signposting stakeholder responsibilities and improving cooperation between public and private players. The second emphasises the creation of an EU-wide platform for sharing aggregated fraud data in real time, involving PSPs, law enforcement and telecom companies, while ensuring compliance with data privacy and anti-money laundering rules.
The third gamechanger aims to harmonise regulatory enforcement across sectors, with a focus on aligning the application of the General Data Protection Regulation (GDPR) for fraud prevention, reviewing telecom legislation and fostering cooperation between telecoms, social media platforms and payment providers.
Meanwhile, the fourth gamechanger places emphasis on secure product design, and calls for mandatory fraud risk assessments for new products before launch and regular assessments for existing technologies such as AI, so that misuse can be better prevented.
The GDPR problem
One of the most pressing issues identified by the ERPB Working Group is the way data privacy laws, particularly the GDPR, can inadvertently hamper efforts to fight fraud.
According to the report, the GDPR can limit the ability of organisations to quickly share fraud-related information between financial institutions, regulators and law enforcement.
It calls for a more flexible interpretation of the regulation when it comes to sharing sensitive data for the purposes of fraud prevention.
“GDPR is often seen as a major obstacle to fraud prevention, particularly when it comes to the role of data,” said Lockhart.
He explained that the ability to share data, first between banks but also with third parties, is essential, which raises important questions about what types of data should be shared.
“A clear taxonomy for identifying data would be helpful. GDPR presents challenges, not just in terms of rationale but also due to the divergence in its application across the EU.”
For instance, Lockhart pointed out that the Netherlands has a more restrictive interpretation of what banks can do, and cross-border data transfers are difficult because of differing interpretations among the member states.
“Fraudsters may exploit these limitations, as data cannot easily flow between EU member states. A flexible and adaptable approach, allowing industry actors and regulators to collaborate, would be a significant step forward.”
The report also says that too much caution in applying the GDPR creates gaps in communication that fraudsters can exploit, and underlines that inconsistent GDPR interpretations across EU member states allow fraudsters to capitalise on regulatory differences, which slows down critical fraud detection and prevention processes.
The working group is pushing for the EDPB and other regulatory bodies to work together to find a balance between privacy and effective fraud prevention, and recommends that the GDPR’s application be reconsidered in certain fraud prevention scenarios, such as real-time data sharing between PSPs, law enforcement and telecommunications providers.
The report stresses that the current limitations are allowing criminals to move money and execute fraudulent schemes before authorities can intervene, and recommends addressing this by classifying fraud-related data into different categories, with varying levels of sensitivity.
Here, aggregated and anonymised data could be shared broadly without violating the GDPR, while more detailed information, such as names and payment details linked to confirmed fraud, could be shared between trusted entities under clearer legal frameworks.
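The tiered release the report sketches (aggregated and anonymised data shared broadly; record-level data on confirmed fraud only between trusted entities) can be implemented as two views over the same records. The following is an added example, not code from the ERPB report or any PSP: the tier names, the minimum-count suppression threshold, the keyed-hash pseudonymisation of direct identifiers for the trusted tier (stricter than the raw names and payment details the report contemplates) and the sample fraud reports are all assumptions constructed for illustration.

```python
"""Tiered release of fraud-related data (added example, not from the ERPB report).

Assumed tiers (the report only says fraud data should be classified into
categories of varying sensitivity; these names and rules are constructed):
  - BROAD:   aggregated, anonymised counts any ecosystem member may receive
  - TRUSTED: record-level confirmed-fraud data, with direct identifiers
             replaced by keyed pseudonyms shared only among trusted parties
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample: confirmed-fraud reports as a PSP might hold them.
# Names and IBANs are placeholders, not real data.
CONFIRMED_FRAUD = [
    {"date": "2024-05-01", "scam_type": "investment", "victim_name": "A. Example",
     "payee_iban": "NL00EXAMPLE0000000001", "amount_eur": 4200},
    {"date": "2024-05-01", "scam_type": "investment", "victim_name": "B. Example",
     "payee_iban": "NL00EXAMPLE0000000001", "amount_eur": 900},
    {"date": "2024-05-01", "scam_type": "impersonation", "victim_name": "C. Example",
     "payee_iban": "DE00EXAMPLE0000000002", "amount_eur": 150},
    {"date": "2024-05-02", "scam_type": "investment", "victim_name": "D. Example",
     "payee_iban": "NL00EXAMPLE0000000001", "amount_eur": 3100},
]

DIRECT_IDENTIFIERS = ("victim_name", "payee_iban")
MIN_COUNT = 2  # assumed threshold: suppress aggregate cells smaller than this


def broad_tier(records, min_count=MIN_COUNT):
    """Aggregated, anonymised view: report counts and loss totals per
    (date, scam_type). Cells with fewer than min_count reports are dropped
    so a single victim cannot be singled out from the aggregate."""
    counts = Counter()
    totals = Counter()
    for r in records:
        key = (r["date"], r["scam_type"])
        counts[key] += 1
        totals[key] += r["amount_eur"]
    return {key: {"reports": counts[key], "total_eur": totals[key]}
            for key in counts if counts[key] >= min_count}


def pseudonymise(value, key):
    """Keyed pseudonym (HMAC-SHA256, truncated). Parties holding the same key
    derive the same pseudonym for the same identifier, so they can match a
    payee across PSPs; without the key the value cannot be reversed or
    recomputed from a guess."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def trusted_tier(records, key):
    """Record-level view for trusted parties: direct identifiers are replaced
    by keyed pseudonyms; dates, scam types and amounts pass through."""
    out = []
    for r in records:
        safe = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        for field in DIRECT_IDENTIFIERS:
            safe[field + "_pseudo"] = pseudonymise(r[field], key)
        out.append(safe)
    return out


def release(records, requester_tier, key=None):
    """Dispatch on the requester's tier; anything unknown gets nothing."""
    if requester_tier == "BROAD":
        return broad_tier(records)
    if requester_tier == "TRUSTED" and key:
        return trusted_tier(records, key)
    return None


if __name__ == "__main__":
    print(broad_tier(CONFIRMED_FRAUD))
    for row in trusted_tier(CONFIRMED_FRAUD, b"constructed-shared-key"):
        print(row)
```

In the broad view the single impersonation report and the lone report on the second day are suppressed, leaving only the cell with two investment-scam reports; in the trusted view the three reports to the same payee carry the same pseudonym, which is what lets a receiving PSP link them without ever holding the raw IBAN.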
Regulatory problems
Among various regulatory issues that the ERPB says are blocking progress, the report raises concerns about Article 83(3) of the PSR proposal, which delays data sharing until two fraud reports are filed.
It argues that this stymies prevention, and recommends allowing PSPs to share information after one report for faster intervention.
The report also emphasises the need for a unified EU-wide data-sharing platform to improve real-time communication on fraud risks between PSPs, law enforcement, telecom providers and online platforms.
In addition, it calls for stronger involvement from telecom companies and platforms, noting that fraudsters often use phone calls and SMS to impersonate trusted authorities.
Current EU laws, such as the ePrivacy Directive, which has been in force since 2002, limit telcos' ability to block fraudulent communications, according to the report.
The ERPB advocates revising these laws to allow telecom providers to scan and block spoofed calls or messages in real time. It gives the example of Finland, where national legislation already empowers telecom providers to take more proactive fraud prevention measures, and recommends that similar action be taken across the EU.
E-commerce and social media
E-commerce and social media platforms are central to the ERPB’s recommendations, having become key tools for fraudsters to create fake websites, profiles and phishing links.
The report stresses the need for these companies to take a more proactive role in fraud prevention by swiftly identifying, blocking and removing fraudulent content.
Fraudsters often create fake accounts and impersonate legitimate businesses to lure in victims, especially for scams involving investment fraud and identity theft.
In its report, the ERPB points out that little has been done to prevent products that risk encouraging fraud from entering the market, despite recently passed legislation that could have done so, such as the Digital Services Act (DSA) and the AI Act.
“New apps are introduced for deepfake video or voice recognition. A voice can be replicated after 15 seconds of recording,” the report points out, noting how deepfake video or voice can be used for impersonation fraud.
The ERPB said that AI and voice recognition have proved to be “very efficient tools” for fraudsters, but that no fraud risk assessments were made for the AI Act and the Digital Services Act.
To protect consumers against fraud, the report says that systematic risk assessments need to be conducted. “To avoid that harm is done in the first place, such assessment should be done before a product/technique is launched to the market.”
“Such risk assessments should also take into account other objectives such as privacy and accessibility and suggested fraud prevention measures should not disproportionately hinder the fulfilment of these objectives,” the report recommends.
The ERPB calls for closer collaboration between online platforms and law enforcement, recommending their integration into the EU-wide fraud data-sharing network to quickly share intelligence on fraudulent accounts and suspicious activities with PSPs, law enforcement and telecom providers.