Response to discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

The data compiled by the EBA confirm the EACB members’ view that fraud is more prevalent in cross-border transactions outside EEA, in particular for cards.
Basically, non-remote fraudulent card transactions usually occur on an individual customer basis, e.g. the card and PIN are stolen and fraudulently used, but not on a larger scale. Mostly these cards are then used for fraudulent cash withdrawals. It is plausible that the cross-border fraudulent cash withdrawal amount is higher because card theft happens more often while customers are travelling. For example, in the past, unauthorized card transactions at ATMs particularly occurred in Latin American and Asian countries, while manipulated payments, e.g. CEO fraud, often went to Asian countries.
Generally, many losses may result from cross-border e-commerce. Remote fraudulent card transactions predominantly occur on a larger scale, with fraud attacks, phishing, smishing, targeting larger customer/card groups and therefore significantly increasing the numbers.
The higher rate of cross-border fraudulent transfers compared with domestic ones can be explained by the obstacles in the recovery process and in communication with foreign counterparts in case of a recall. That is why cross-border transfers are more attractive to fraudsters.
As regards e-money, it is possible to assume two reasons behind the high rate of cross-border fraud: first, the high number of non-EU merchants compared to European merchants, which implies a more frequent occurrence of e-commerce transactions in countries such as the USA and mainland China; second, for non-European transactions, the "One Leg principle" potentially reduces the security of the transactions.
In our view, the safety measures taken by European PSPs are sufficient. We would like to note that the PSD2 SCA requirements have only been in force for a very short time, especially for card payments. In addition, several EU countries have not started reporting the corresponding data. Therefore, we assume that it would still be too early to draw profound conclusions.

Question 2: Do you have any comments on the patterns that are outlined in the chapter "patterns emerging from the selected data"?

In our view, the patterns can be explained in terms of payment instruments and not in terms of geographic differences within the EEA.
- Cards: Non-remote card fraud mostly consists of individual cases, i.e. theft of card and PIN followed by cash withdrawals of high amounts, whereas remote card fraud mostly consists of bulk cases/fraud attacks with card data obtained through hacking and phishing, for high-velocity/low-value amounts which are hard to distinguish from high-velocity genuine transactions. In addition, remote fraud cases increasingly involve direct fraudster/customer interaction for scam transactions (social engineering). Basically, an evaluation of the card losses for the year 2020, and thus before the obligation to perform SCA, makes little sense. Evaluations from the second half of 2021 onwards would be more appropriate.
- Credit transfers: Fraud cases are less frequent but involve higher amounts, as the payer is often manipulated by social engineering attacks. Typically, this includes CEO fraud, business email compromise or phishing. In addition, it does not appear appropriate to include the category "manipulation of the payer" in the scope of the review. This category is based on social engineering and therefore does not reflect the security of the payment systems very well. Besides, this is primarily an issue related to payments involving third countries not affected by PSD2.
- Cash withdrawals: EACB members have observed a decline in skimming attacks for some time, and cases occur particularly outside the EEA. Average loss amounts are higher.
More generally, the rise in digital transactions resulting from the Covid-19 emergency and the introduction of new payment instruments, such as SCT Inst, led to an increase in fraudulent attacks based on social engineering and telephone spoofing. In such instances, the fraudster masks the caller number so as to pretend to be the bank. Once the fraudster has gained the customer's trust, he then convinces the customer to share their personal credentials and authorize payment transactions. In order to prevent these types of fraud, a response coordinated at the European level seems appropriate and should require the participation of telephone operators and manufacturers of smartphone operating systems.

Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?

In our view, there are two main reasons why the fraud rate of remote credit transfers is higher for SCA-authenticated payments than for non-SCA-authenticated payments:
- The main focus of fraud attacks on remote credit transfers is the manipulation of the payer into (consciously) initiating an authorized payment (thus using SCA). In these cases, authentication with SCA may not be effective in preventing this type of fraud. A typical example is CEO fraud, which occurs rarely but may result in large individual losses if successful (sometimes several million euros per case). Moreover, it seems to be easier for fraudsters to deceive customers and obtain the complete credentials than to break through the banks' systems. Fraud attacks on remote credit transfers involving unauthorized transactions can only impact small-value payments (typically without SCA) and are in practice rarely encountered.
- Most banks applied an exemption to SCA for the types of transfers that experienced lower risk and fraud rates even before the application of PSD2. For instance, recurring credit transfers (exemption under Art. 14 of the RTS, "Recurring Transactions") or "giro inpayment transfers" (exemption under Art. 15 of the RTS, "Credit transfers between accounts held by the same natural or legal person") are types of transfers characterized by a low level of risk and are therefore unlikely to be subject to fraudulent attacks, both before and after the advent of PSD2. Other types of credit transfers, such as batch payments, have for a long time used authentication systems similar to SCA (exemption under Art. 17 of the RTS, "Secure corporate payment processes and protocols") and are therefore capable of preventing possible fraudulent attacks.

Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?

- Credit transfers: These are likely to be primarily credit transfers authorized by the customer (using SCA). The fraud would be particularly due to social engineering. One should also bear in mind that the operating limits for credit transfers are often higher than those for cards, and therefore the fraud losses are potentially higher too.
- Cash withdrawals: As a rule, a PIN must be entered to withdraw cash. The cardholder is liable if he/she has kept the PIN on or with the card. Spying out the PIN is relatively rare. Moreover, a fraudulent cash withdrawal is impossible to recover through the mechanisms established by the card circuits.
- Card payments: In the case of fraudulent card payments, the majority of losses are borne by others or by the PSP. These could be transactions in which an exemption under the RTS was used.
- SCT Inst: Given the immediate nature of the payment, it is more difficult to block the fraudulent transaction in advance, as well as to recall the operation afterwards, because the fraudster has already come into possession of the defrauded amount.

Question 5: Do you have any potential explanations why the percentage of losses borne by the PSUs substantially differs across the EEA countries?

EACB agrees with what is described in point 57 of the EBA Discussion Paper. We would also recommend coming up with a more detailed definition, at a European level, of the meaning of “gross negligence” when the bank has good reasons to suspect bad diligence on behalf of the client.

Question 6: Do you have any potential explanations why the industry has reported fraud losses as having been borne mostly or significantly by “others”?

In principle, more players are involved in card payments than in credit transfers, and they manage risks within the payment chain as potential liability carriers. There are three liability carriers in PSD2 fraud reporting: the reporting payment service provider (issuer), the payment service user (payer/customer) and "others". In the area of credit cards, a large part of the fraud can be charged back to the merchant banks (acquirers), especially because fraudulent transactions mainly take place in e-commerce without the use of 3D Secure. For card payments in e-commerce, it used to be the case that retailers preferred to accept high levels of fraud at their own risk rather than support SCA. Therefore, the liability carrier here is the acquirer, which is thus entered under "others".

Question 7: Do you have any views regarding the observed correlation between the value of fraud and the value of losses due to fraud between H2 2019 and H2 2020?

The increase in losses recorded between the second half of 2019 and the second half of 2020 could be explained by the gradual entry into operation of SCT Inst, which has led to a greater number of losses for two reasons: the immediate nature of the payment, and the greater difficulty in identifying the fraudulent transaction in advance.
It should be noted that the same dynamic applies to e-money, as the increasingly widespread use of 3DS does not allow the issuer to recover the defrauded amounts.

Question 8: How do you explain the fact that the manipulation of the payer by the fraudster represents a substantial share of the fraudulent non-remote credit transfers authenticated with SCA? How is this fraud type concretely executed by the fraudsters?

The evidence that is currently available does not allow us to answer this question.

Question 9: Do you have any views regarding the types of card payment fraud that have been reported by the industry under the category “issuance of a payment order by the fraudster”, sub-category “others”?

The sub-category "others" is reported whenever the facts are unclear, e.g. the customer cannot explain the loss of his authentication instruments. Other possible explanations are family fraud (e.g. flatmates using the card) or friendly fraud (unjustified disputes by the cardholder).
Card payment fraud is also reported under "issuance of a payment order by the fraudster", sub-category "others", when it is based on social engineering techniques that induce the customer to make payments to the fraudster without the need for card theft or counterfeiting. Furthermore, even where the card is associated with a digital wallet, it is still possible to perpetrate such fraud without coming into physical possession of the card.

Name of the organization

The European Association of Co-operative Banks