Response to discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

The data collected confirms our members’ view that fraud is more prevalent in cross-border transactions outside the EEA, in particular for cards. This is due to the fact that law enforcement and prosecution are more difficult (also across member states). In addition, there are reasons to believe it is also due to geographical characteristics: non-remote fraudulent card transactions usually occur on an individual customer basis, e.g., card and PIN are stolen and fraudulently used, but not on a larger scale. Stolen cards are mostly used for fraudulent cash withdrawals. We consider it plausible that cross-border fraudulent cash withdrawals are higher because card theft happens more often while customers are travelling.
Generally, many losses may result from cross-border e-commerce: remote fraudulent card transactions predominantly occur on a larger scale, with fraud attacks, phishing, smishing, targeting larger customer/card groups, and therefore significantly increasing the numbers.
From our members’ experience, the data collected reflects a very low level of prevalence and shows that the safety measures taken by European PSPs are sufficient. We would like to note that the EBA RTS on SCA & CSC under PSD2 have been in force only for a very short period of time, especially for card payments. In addition, several countries have not started reporting the corresponding data. Therefore, we assume that it would still be too early to draw profound conclusions.

Question 2: Do you have any comments on the patterns that are outlined in the chapter “patterns emerging from the selected data”?

In principle, the patterns can be explained in terms of instruments:
- Cards. For non-remote card fraud, it’s mostly individual cases (i.e., theft of card and PIN and cash withdrawal of high amounts), whereas for remote card fraud it’s mostly bulk cases/fraud attacks with card data obtained from hacking and phishing for high velocity/low value amounts which are hard to distinguish from high velocity genuine transactions. In addition, increasingly remote fraud cases happen with direct fraudster/customer interaction for scam transactions (so-called social engineering). Basically, an evaluation of the card losses for the year 2020 and thus before the obligation to perform SCA may not be entirely accurate. Instead, evaluations of data collected from the second half of 2021 would be more appropriate.
- Credit transfers. Cases are less frequent but with higher fraud amounts, as the payer is often manipulated by social engineering attacks. Typically, this includes CEO fraud, business email compromise or phishing. In addition, we do not consider it entirely appropriate to include the category "manipulation of the payer" in the scope of the review. This category is based on social engineering and therefore does not reflect the security of the payment systems – which is in fact so secure that fraudsters have to exploit human fallacies. Besides, this is primarily an issue for payments with third countries not regulated by PSD2.
- Cash withdrawals. We have seen a decline in skimming attacks for some time; cases now occur mainly outside the EEA. However, the average loss amounts are higher.

Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?

The main focus of fraud attacks on remote credit transfers is the manipulation of the payer to (consciously) initiate an authorized payment (thus using SCA). A typical example is CEO fraud, which occurs rarely but may result in larger individual losses if successful (sometimes several million euros per case). Moreover, it seems to be easier for fraudsters to deceive customers and obtain the complete credentials than to break through the banks' systems.
Fraud attacks on remote credit transfers regarding unauthorized transactions can only impact low-value payments (typically without SCA) but are in practice hardly known.

Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?

Credit transfers: These could primarily be credit transfers authorized by the customer (using SCA). Fraud would be caused by social engineering.
Cash withdrawals: As a rule, a PIN must be entered to withdraw cash. The cardholder is liable if they have kept the PIN on or with the card, or if they have shared it with third parties. Spying is a relatively rare occurrence.
Overall, we believe that card payments should also be considered as the majority of losses are borne by others or by the PSP. These could be transactions in which an exception under the RTS on SCA & CSC was used.

Question 6: Do you have any potential explanations why the industry has reported fraud losses as having been borne mostly or significantly by “others”?

In principle, there are more players involved in card payments than in credit transfers, and they manage risks within the payment chain as potential liability carriers. There are three liability carriers in PSD2 fraud reporting: the reporting PSP (issuer), the payment service user (payer/customer) and "others". In the area of credit cards, a large part of the fraud can be charged back to the merchant banks (acquirers), especially because fraud transactions mainly take place in e-commerce without the use of 3D Secure. For card payments in e-commerce, it used to be the case that retailers preferred to accept high levels of fraud at their own risk rather than support SCA. Therefore, the liability carrier here is the acquirer and is thus entered under "Others".

Name of the organization

WSBI-ESBG