Response to discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive
Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?
Although for Germany no data is available (of which we are fully aware), we would still like to comment on specific aspects of the report. The data collected confirm our view that fraud is more prevalent in cross-border transactions outside the EEA, in particular for cards: this is due to the fact that law enforcement and prosecution are more difficult (also across the member states), but also to geographical characteristics.

Basically, non-remote fraudulent card transactions usually occur on an individual customer basis, e.g., card and PIN are stolen and fraudulently used, but not on a larger scale. Mostly these cards are then used for fraudulent cash withdrawal. It sounds plausible that the fraudulent cash withdrawal amount for cross-border transactions is higher because card theft happens more often while customers are travelling. For example, in the past, unauthorized card transactions at ATMs particularly occurred in Latin American and Asian countries, while manipulated payments, e.g. CEO fraud, often went to Asian countries.
Generally, many losses may result from cross-border e-commerce: Remote fraudulent card transactions predominantly occur on a larger scale, with fraud attacks, phishing, smishing, targeting larger customer/card groups and therefore significantly increasing the numbers.
From our experience, the data collected reflect a very low level of prevalence and show that the safety measures taken by European PSPs are sufficient. We would like to note that the PSD2 SCA regulations have only been in force for a very short time (especially for card payments). In addition, several countries have not started reporting the corresponding data. Therefore, we assume that it would still be too early to draw profound conclusions.
Question 2: Do you have any comments on the patterns that are outlined in the chapter “patterns emerging from the selected data”?
In principle, the patterns can be explained in terms of instruments (please see below). We cannot explain them in terms of geographic differences within the EEA.

Cards: For non-remote card fraud, it’s mostly individual cases, theft of card and PIN and cash withdrawal with high amounts, whereas for remote card fraud it’s mostly bulk cases/fraud attacks with card data obtained from hacking and phishing for high velocity/low value amounts which are hard to distinguish from high velocity genuine transactions. In addition, increasingly remote fraud cases happen with direct fraudster/customer interaction for scam transactions (social engineering).
Basically, an evaluation of the card losses for the year 2020 and thus before the obligation to perform SCA makes little sense. Evaluations from the second half of 2021 onwards would be more appropriate.
Credit transfers: Cases are less frequent but with higher fraud amounts, as the payer is often manipulated by social engineering attacks. Typically, this includes CEO fraud, business email compromise or phishing. In addition, it does not appear to be appropriate to include the category "manipulation of the payer" in the scope of the review. This category is based on social engineering and therefore does not reflect the security of the payment systems very well. Besides, this is primarily an issue from payments with third countries not affected by PSD2.
Cash withdrawals: We have seen a decline in skimming attacks for some time; cases occur particularly outside the EEA. Average loss amounts are higher.
Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?
The main focus of fraud attacks on remote credit transfers is the manipulation of the payer to (consciously) initiate an authorized payment (thus using SCA). A typical example is CEO fraud, which occurs rarely but may result in larger individual losses if successful (sometimes several million euros per case). Moreover, it seems to be easier for fraudsters to deceive customers and obtain the complete credentials than to break through the banks' systems.

Fraud attacks on remote credit transfers regarding unauthorized transactions can only impact small-value payments (typically without SCA) but are in practice hardly known.
Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?
Credit transfers: These could primarily be credit transfers authorized by the customer (using strong customer authentication). Fraud would be particularly due to social engineering.

Cash withdrawals: As a rule, a PIN must be entered to withdraw cash. The cardholder is liable if he or she has kept the PIN on or with the card. Spying is relatively rare.
Nevertheless, card payments should also be taken into account: Here, the majority of losses are borne by others or by the PSP. These could be transactions in which an exception under the RTS was used.