Payments Insights #2 –
EBA Opinion on Payment Fraud and Possible Mitigants

On the 29^th of April 2024, the European Banking Authority (the ‘EBA’) published an opinion (the ‘Opinion’) in which it assesses payment fraud data and identifies new types and patterns of payment fraud while developing proposals to mitigate them. In this second Payments Insight we highlight some of the most important key considerations emerging from the EBA’s Opinion.

The power of the EBA to issue this Opinion stems from Articles 1(5), 8(2)(g), 9(4), and 16a(1) of Regulation (EU) No 1093/2010. These provisions empower the EBA to promote a uniform approach to the regulation and supervision of innovative financial activities. Additionally, the EBA is tasked with providing opinions to the European Parliament, the Council, or the Commission, whether at their request or on its own initiative, on matters within its remit.

In this Opinion, the EBA makes reference to the following aspects relating to fraud arising from the use of regulated payment services:

• Instant Payments : The EBA notes that instant payments feature higher fraud rates than regular credit transfers. In such cases, the EBA highlights the importance of payment service providers (‘PSPs’) to ensure that there are appropriate security safeguards in place for instant payment transfers to mitigate the risk of fraud, more importantly with the application of the Instant Payments Regulation.¹

• Strong Customer Authentication (‘SCA’): The EBA also observed that, while SCA requirements are mandatory in line with PSD2²  and the EBA regulatory technical standards (‘RTSs’) for strong customer authentication, fraudsters still have adapted their techniques to undertake complex fraud and leverage on social engineering.

• Cross-Border Transactions: The EBA states that fraud rates for cross-border transactions were much higher than for domestic transactions. The EBA further opines that this may be primarily due to insufficient cross-border cooperation among PSPs and other involved parties, as well as the uneven application of SCA requirements in the EU’s financial laws.

• Emerging Fraud Types: A list of emerging fraud types was compiled by the EBA, which includes: the manipulation of the payer through social engineering, mixed social engineering with technical scams (e.g. using phishing techniques) and the enrolment process compromise fraud which is a complex scan geared towards enrolling the fraudsters’ devices as a second factor of the SCA to be used with personal security credentials stolen through other techniques.

Measures for Consideration in the Negotiation of the PSD3/PSR Proposals

In its Opinion, the EBA recommends further measures in relation to the proposed PSD3⁴  and PSR⁵  as follows:

1.  Reinforced security measures for PSPs:

In relation to payment accounts and issuing of payment transactions/orders, the EBA is proposing a clarification that the two SCA factors should belong to at least two different categories.⁶  The EBA further proposes a requirement for PSPs to offer the payment service users the possibility to set daily or per-payment limits for each payment instrument, providing a proper delay for any resulting increase of spending limits to come into effect. With regard to transaction monitoring, the EBA recommends that a specific requirement should be introduced to require transaction monitoring to be performed before the execution of a transaction and a clarification that the monitoring ought to be applied to all electronic payment channels through which a given payment instrument is used by the payment service users.

Additionally, all PSPs ought to share fraud related information⁷ (not only unique identifiers/IBANs of the payee) among themselves to enhance transaction monitoring. In relation to the procedure for the enrolment of a customer device as a second factor of the SCA, a suggestion is also being proposed to ensure an elapse of time from the user’s request before the new customer device is effectively enrolled and, in case of the enrolment of a further customer device, a requirement for PSPs to timely send an alert to the payment service users’ personal device already enrolled.

2. Fraud risk management by PSPs on top of mandatory security requirements

The EBA opines that proportionality should be a key factor when establishing a fraud risk management framework to be put in place by PSPs as part of the existing broader framework on risk management policies under the PSD2 and Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (commonly referred to as DORA).

3.  Amended liability rules

It is observed by the EBA that the increasing number of payment fraud is being done by “authorized push payment” where the payer is manipulated into making a payment to the fraudster. Moreover, there is no clear delineation between authorised and unauthorised transactions in the PSD2 and the interpretation in of the notion of ‘gross negligence’ may also explain that the highest percentage of losses in case of fraudulent credit transfers are borne by the user.

Thus, it is being recommended that the proposed PSR specifies the following requirements: (a) where a payer denies having authorised a transaction, the use of SCA should not in itself be sufficient to prove that the payment transaction was authorised by the payer or that the payer acted fraudulently; (b) that in case of payer-initiated transactions, a transaction denied by the payer cannot be considered as authorised where the payment order was initiated by a fraudster, even if it was subsequently authenticated by the PSU and; (c) to clarify that, without prejudice to Art. 5(c)(8) of the Instant Payments Regulation, a transaction denied by the payer cannot be considered as authorised where the payer was not made aware of a mismatch between the IBAN and the name of the beneficiary.

In relation to the concept of gross negligence, the EBA proposes that one should take into consideration of the case, including the complexity of the fraud, the personal circumstances of the PSU, whether the latter had reasonable grounds for believing that the PSU was making a payment to a legitimate payee, and whether the PSP could have taken additional steps to help prevent the fraud taking place. Furthermore, the Recitals of the proposed PSR should include a list of gross negligence situations by the users. In fat, the EBA tilted towards further liability to the PSPs in certain situations.

4.  Strengthened and harmonised supervision

In relation to harmonisation, the EBA brings forward the inclusion of further requirements in the proposed PSD3 and the PSR in relation to actions that may be taken by the national competent authorities, such as regular monitoring of fraud data, following up on possible outliers and to take supervisory actions as appropriate including the regularly monitoring the correct recourses.

5.  Appropriate security requirements for a single EU-wide platform in relation to fraud

The EBA closes the Opinion by alluding that Article 83 of the proposed PSR should be strengthened with a requirement to have a single EU-wide platform, to be maintained and run by PSPs, for the sharing of fraud data. In addition, there should be appropriate security standards for the treatment of unique identifiers of payees and other fraud related data exchanged, considering personal data protection requirements.

In conclusion, the EBA’s opinion provides a comprehensive assessment of emerging fraud patterns and vulnerabilities in current payment systems, leading to substantive recommendations aimed at enhancing regulatory frameworks. The EBA’s Opinion is pivotal for the forthcoming negotiations on the PSD3 and PSR, where it proposes several amendments which are noteworthy for strengthening security measures, refining fraud risk management strategies, and clarifying liability distinctions. This Opinion is expected to significantly influence the regulatory approach to payment services within the EU.

As Malta continues to position itself as a centre for digital finance within the EU, the EBA’s recommendations could influence local regulatory frameworks significantly. This is because the MFSA has always been initiative-taking in proactively augmenting the Maltese fintech regulatory regime. The emphasis on improving security measures for instant payments and the application of adequate SCA across all transaction types will likely necessitate updates to existing systems by Maltese financial institutions and payment service providers.  Furthermore, the EBA’s call for enhanced cross-border collaboration to manage fraud risks is particularly pertinent for Malta due to its status as a small, interconnected economy with extensive financial links to other EU countries.