.svg)
EU lawmakers’ plans to make tech and telecom firms liable for fraud in the Payment Services Regulation (PSR) might clash with sector regulation, a senior official at the European Commission has said, pouring cold water on plans favoured by many payments firms.
In April, members of the European Parliament (MEPs) approved an amendment to the PSR that would hold big tech and telecom firms accountable for failing to prevent fraud, following intense lobbying by the payments and fintech industry.
This mirrors similar debates happening in the UK, where banks have released research on how many scams stem from platforms owned by Meta, for example, and have persistently pressed for more accountability.
Nuno Epifânio, a policy officer at the European Commission’s financial services department (DG FISMA), told the audience at EBAday in Lisbon this week that fraud liability is one of the biggest topics being negotiated by the European Parliament and the Council as they grapple with the PSR and other draft legislation.
“I know that this is a very important issue for credit institutions, and the question is, why aren’t other stakeholders in the banking chain being held liable for fraud transactions, like telcos or online search engines?” he said, speaking in a personal capacity on the panel. “What does the upcoming PSD3, PSR and the IP regulation mean for the payments sector?”
He noted the European Parliament’s proposal to extend liability to other sectors, and similar conversations at the EU Council, which represents national governments. But he said the PSR is not necessarily the best place to do that.
“One of the usual mistakes made about the PSR is that people think it should regulate everything and you should not look at other pieces of legislation,” he said. “That is the wrong assumption, because if you are to consider telcos or online operators and whether they are liable or should have a role in preventing fraud, you have to look at the Digital Services Act or the Privacy Directive.”
The difficulty, the senior official said, is putting all of these EU legislative acts together, and making them consistent, “and not to be coming up with solutions that don’t work out”. It is important not to diverge from the logic already laid down in legislation such as the Digital Services Act, he said.
Epifânio explained that legislators are now looking at what they could realistically do in negotiations.
Authorised payment fraud is being discussed in the Council, he said. “That is usually a very heated discussion, as we are alluding to introducing subjective elements that are in a way linked to what the intention of the payer was when he or she authorised or took the steps to authorise a payment transaction.”
This will have to be paired with safeguards to avoid abusive behaviour by payers but in principle, Epifânio suggested that if the intention was not to authorise a certain transaction, there should be questions about liability. “It’s fair to say that most of the Parliament and the Council are heading in that direction,” he said.
Focus on fraud
Fraud has become one of the biggest topics for EU legislators as they negotiate and shape what the EU’s payments legislation will look like.
One idea being touted by some lobbyists in Brussels is for there to be an overarching fraud strategy, echoing the EU’s Retail Payments Strategy in 2020, which has guided work on legislation such as the Instant Payments Regulation, and the still to be completed Payments Services Directive (PSD3), PSR and the work relating to the digital euro and open finance.
While the European Parliament has focused on issues like liability from big tech and telco firms, national governments have become more focused on the criterion for issues like gross negligence.
For example, a progress report on the PSR and PSD3 issued by Belgian officials currently chairing the Council negotiations underscores the shift towards including subjective elements in the concept of "authorisation" and the proposed criteria for assessing "gross negligence", noting that further amendments may be necessary for optimal implementation.
According to the report, a majority of EU countries have rejected an objective approach to fraud liability, and instead favour one that includes subjective elements.
Belgian officials have said their feedback shows that the concept of "authorisation" should be nuanced and balanced, and additionally there is a need to mitigate the potential risks that a purely subjective approach could pose to payment service providers (PSPs) liability and the burden of proof.
The proposed amendment to the PSR includes a list of criteria for assessing "gross negligence", with wording agreed upon by the majority of member states and incorporating some of their suggestions.
But Belgian officials, who will hand over the chair to Hungary at the end of June, note that further detailed amendments may be necessary to ensure the criteria are optimal.
