EU Fraud Plans Don't Go Far Enough, EBA Says

May 1, 2024
The European Banking Authority (EBA) has set out a variety of recommendations for EU legislators to tackle payments fraud, suggesting that current regulatory frameworks do not go far enough.

The regulator on Monday (April 29) published a new opinion identifying new types and patterns of payment fraud, along with proposals to mitigate them, including new requirements on payment services providers (PSPs) to adopt risk management frameworks.

The EBA is lobbying the EU’s political institutions about the Payment Services Directive (PSD3) and Payment Services Regulation (PSR), warning that more work is needed on fraud prevention beyond these legislative files and the recently implemented Instant Payments Regulation (IPR). 

The EU banking supervisor also said that although initiatives such as strong customer authentication (SCA) have been successful in reducing some instances of fraud, they have spurred more cases of social engineering fraud as criminals have innovated. 

The EBA said that during the PSD3 and PSR negotiations, EU legislators should consider including appropriate security requirements for a single EU-wide platform for information sharing to prevent and detect potentially fraudulent payment transactions.

The EBA also proposed reinforcing security requirements for payment service providers, complementing the IBAN/name check and the fraud mitigation measures included in the PSD3/PSR proposals. 

This would be aimed at further strengthening the procedure for the authentication of transactions, mitigating possible vulnerabilities exploited in other phases of the payment process, as well as supporting fraud detection and investigation. 

Risk management framework

The Paris-based regulator also called for PSPs to implement a fraud risk management framework, on top of the mandatory security requirements. 

The framework could enhance fraud prevention by establishing regular assessments of fraud risks, using data collected under the PSR. This would involve PSPs issuing a fraud risk statement outlining their fraud containment goals.

PSPs would also be tasked with monitoring their own fraud levels on both the payer and payee sides, and additionally, they would need to continually update their security measures based on detected fraud rates and risk assessments to effectively mitigate fraud risks.

The EBA also recommended an amendment to liability rules, including a proper delineation between authorised and unauthorised transactions, as well as the clarification of the concept of “gross negligence”. 

Here, the EBA suggested several measures that could be considered to address specific concerns. 

For example, regarding transactions where a payer denies authorisation, the EBA proposed to clarify in the PSR that simply using SCA should not be enough to prove the transaction was authorised or that the payer acted fraudulently. 

Additionally, for payer-initiated transactions like credit transfers, if a payer denies a transaction initiated by a fraudster, even if authenticated by the payer, it should not be considered authorised. 

Moreover, without prejudice to certain regulations, if a payer was not informed of an IBAN/name mismatch due to interception by a fraudster, the transaction should not be deemed authorised, according to the EBA.

Identifying negligence

To clarify the concept of gross negligence, meanwhile, the EBA suggests considering all relevant factors in cases of social engineering fraud to assess whether a payment service user (PSU) acted with gross negligence.

Factors here could include the complexity of the fraud, personal circumstances, whether reasonable grounds existed to believe the payment was legitimate and whether additional steps could have been taken by the PSP to prevent fraud. 

A non-exhaustive list of circumstances could also be included in the PSR recitals for assessing gross negligence, such as making payments to fraudsters without reasonable grounds, openly providing security credentials to fraudsters, previous victimisation, disregarding fraud warnings and failing to timely report fraud to the PSP.

The EBA also suggests that PSP liability for fraud could be specified in cases where obligations regarding customer assistance are not fulfilled, especially concerning security. Additionally, the regulator has suggested that PSPs could be liable if a fraudster accessed a PSU's personal or account information following a data breach at the PSP prior to the fraud occurring.

The EBA recommends strengthening and standardising supervision of fraud management by drawing from effective practices observed in certain member states, along with utilising fraud data collected through the existing reporting framework under PSD2. 

Here, the EBA said that additional requirements within the PSR could be explored. This could involve mandating national competent authorities to routinely oversee fraud data gathered from relevant PSPs at the national level, examining both the payer’s and payee’s PSPs. 

This would include ensuring that overall fraud rates across major payment methods remain significantly below predetermined maximum acceptable thresholds established at the EU level, with the EBA suggesting that such assessments could consider statistical fraud data provided in the EBA Guidelines on fraud reporting under PSD2.

The EBA suggested that based on the findings from this monitoring, authorities would be able to address any noteworthy deviations, such as PSPs’ fraud levels nearing or surpassing the designated maximum thresholds, adding that appropriate supervisory actions would then be taken in response.

Further, the EBA said that regulators should regularly monitor PSPs' adherence to the proper use of merchant-initiated transactions (MITs) and mail order/telephone order (MOTO) transactions, as well as compliance with the application of SCA and its exemptions, suggesting that this ongoing oversight would create a more consistent and accurate application of security measures across PSPs.
