The latest report from the European Banking Authority (EBA) reveals some unusual fraud levels across the EU, with incomplete and sometimes "implausible" data meaning it is difficult to get a full picture on the impact of the revised Payment Services Directive (PSD2) in reducing fraud.
Although the quality of data submitted has improved on previous reporting periods, the EBA’s latest payments fraud report is still unable to provide an overview of PSD2’s impact on payment fraud in all 27 EU member states, as well as the European Economic Area members.
“The geographical scope of the dataset is incomplete and inconsistent across the reporting periods,” the EBA points out in its discussion paper.
The reason for this is that several national authorities decided to comply with the EBA Guidelines on fraud reporting with a delay, opting to rather implement them at the same time as the revised European Central Bank regulation on payment statistics, which starts this year.
Although the EBA has “exceptionally” accepted this, it does mean that not all competent authorities have submitted data to the banking watchdog.
Meanwhile, the EBA also pointed out that it had “excluded” data submitted that has “substantial” sets missing and/or “significant outlier” figures, which it felt was presumably due to errors.
For this reason, only 18 of the 30 EEA states are included in the discussion paper. The most notable absentees include France and Germany, the two largest economies in the region, and the Netherlands.
Moreover, fraud data on transactions initiated by payment information service (PIS) providers have been particularly poor and often implausible, according to the EBA.
This suggests that PIS providers are not compliant with applicable requirements, which the authority has committed to further investigating.
Confusion over SCA numbers
The EBA is looking for feedback on how reporting can be improved in this area. The Paris-based supervisor has launched a consultation on the matter, that will run until April 19.
The EBA is asking such questions within the consultation as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared with payments that are not authenticated with SCA.
For example, the report ponders on whether this is due to spoofing and/or authorised push payment fraud, as well as whether exemption, such as merchant initiated transactions and one-leg-out transactions, may also be to blame.
The consultation paper also considers issues such as why cross-border transactions are higher, why payment service users (PSUs) are bearing most of the losses due to fraud and why this differs throughout the EEA member states.
For example, losses borne by card payments by PSUs in Belgium and Norway equate to 45 and 42 percent, respectively. Meanwhile, the number is much lower in Hungary and Portugal, at 9 and 8 percent respectively.
And when it comes to cash withdrawals, 97 percent of losses are borne by PSUs in Bulgaria, Greece and Croatia. Yet, in Ireland, 94 percent of the losses come from payment service providers and, in Estonia, this number comes to 100 percent.
What do the stats say?
The average value of a fraudulent credit transfer was €4,191 in the second half of 2020, well above the levels of other payment instruments. Despite this, the fraud rate for credit transfers was comparatively low.
For example, credit transfer fraud represented just 0.001 percent of the total value of transactions. By contrast, card payments, the most frequently used payment instrument among reported countries, also had the highest rates of fraud compared with other payment instruments. In particular, transactions reported by acquirers had a fraud rate of 0.05 percent.
There was also a significant variation of fraud rates across the different markets, which could be partially reflective of different payment mixes and preferences in different countries.
For example, markets with a high proportion of e-commerce may find card fraud to be at a higher rate as card-not-present fraud is often significantly higher compared with in-person card usage.
Although the data from the EBA does not necessarily reflect this. In terms of card fraud as reported by acquirers, Ireland has the highest rate at 0.1 percent of transactions, compared with the lowest, Norway, with 0.0003 percent.
Meanwhile, the report found that although cross-border transactions represent a relatively small share of total transactions (2 percent of credit and cash transfers, 15 percent of card payments reported by issuers and 28 percent reported by acquirers), the proportion of fraudulent activity for these types of transactions was significantly higher.
For example, fraudulent cross-border transactions represent 17 percent of all fraudulent cash withdrawals, 31 percent of fraudulent credit transfers, 81 percent of fraudulent card payments reported by issuers and 94 percent of fraudulent card payments reported by acquirers.
The EBA suggests the high levels of cross-border fraud may have been skewed by the impact of the COVID-19 pandemic. “The context may have reduced the opportunities of frauds for cross-border non-remote payments but increased the relevance of targeting remote payments from the fraudsters’ perspective,” the report said.