Response to discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive

Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

We would argue that a higher share of cross-border fraud in the total volume of fraud is not unusual, as cross-border transactions can inherently be riskier than domestic payments. Many sophisticated fraud groups operate on a global scale: they look for opportunities / vulnerabilities and dynamically change what segments, products, or market participants to target across the globe. This contrasts with genuine clients typically transacting more frequently in their own domestic market (as pointed out in the Discussion Paper).

Additionally, cross-border payments typically involve riskier segments, especially when larger values are involved. For instance, in 2021, three of the fastest growing cross-border trade categories at PayPal were the typically riskier segments of travel & events, cosmetics, and fashion (see PayPal’s Q4-21 Investor Update, slide 16). Moreover, there are variations in the mix of payment products various markets prefer (e.g., ACH v. Cards) that can impact both the fraud risk profile and loss reporting (e.g., different payment products have different customer complaints processes, and it is not always straightforward to distinguish between fraud and customer complaints due to, for instance, lost / damaged goods).

In 2020, the impact of the COVID-19 pandemic, and the impact it had on consumer habits and trends, is moreover non-negligible, as pointed out in the Discussion Paper. The increase in demand for distance and touch-free payments meant that more people started buying online – including new demographics, such as the “silver tech” (individuals over the age of 50 who began shopping online during the pandemic). Additionally, the context of the pandemic provided fertile ground for social engineering fraud to prosper.

However, fraud, generally and including in cross-border payments, can be appropriately managed and mitigated by PSPs, in order to ensure frictionless, cross-border e-commerce and digital growth. PSPs’ risk management frameworks look at several factors (business models, financials, intent, etc.), of which customer identity is but one. All pillars are needed for effective management of risks – simply focusing on customer identity is not enough to ensure a robust framework.

Question 2: Do you have any comments on the patterns that are outlined in the chapter “patterns emerging from the selected data”?

PayPal has no significant comments on the patterns that are outlined in this chapter, as they are broadly in line with what we have observed in the market. In terms of our own experience, we would highlight the importance, for future fraud reports, for the EBA to look at e-money transactions as a separate category, distinct from credit transfers and card transactions.

We would moreover agree with the EBA’s observations regarding different fraud typologies and underline that SCA does not prevent all types of fraud. Whilst SCA has indeed made it more difficult for fraudsters to access payment accounts and initiate payment transactions, fraudsters have also adapted. We have seen shifts in the behavior of some sophisticated fraud groups toward more advanced methods, often investing more time and resources per attack to either try to overcome SCA or scam the genuine customer (e.g., use social engineering to obtain payment credentials, deploy OTP bots, etc.). Given authentication alone is not sufficient against such sophisticated trends, the fraudsters are able to exploit accounts with higher average losses.

Fraud is very dynamic and constantly evolving; therefore, monitoring for new trends is always necessary, and PSPs need to be nimble and flexible to respond to new patterns. For example, the modus operandi of some fraud groups has shifted to longer time periods from peeking events to monetization, and it more often includes changes to customer profile information (that will eventually help / facilitate final monetization). In order to keep up with these sophisticated actors, PSPs need to deploy holistic controls (including but not limited to authentication) and need flexibility to be able to adapt and innovate.

Within the context of the PSD2 review, we would therefore encourage the EBA and EU Commission to consider amending the approach to authentication, more specifically SCA, so that it is truly risk-based and outcomes-oriented. Such an approach would recognize that multiple dimensions of risk management (not only active authentication) contribute to effective protection and enable the appropriate trade-offs between them.

Name of the organization

PayPal