Response to Discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

Usually, local legislation is stricter: more transactions are forced through strong authentication, leaving fewer possibilities for fraud. Also, other payment means are in use for local purposes, such as bank link payments.
Cooperation between PSPs and law enforcement is tighter locally and at EEA level than with parties outside the EEA, so fraudsters prefer to operate internationally, where they are less likely to be caught.

Question 2: Do you have any comments on the patterns that are outlined in the chapter “patterns emerging from the selected data”?

We cannot actually compare the fraud rates of different payment instruments one to one (issuer fraud rates with acquirer fraud rates, or credit transfers with card payments), as the fraud sources and the possibilities to control fraud differ significantly. For example, issuers report fraud performed with the cards they have issued. The card parameters (control means) are set and driven by the issuers themselves. An issuer can control fraud by setting tighter transaction amount limits or restricting certain types of transactions in order to decrease possible fraud cases. Also, issuers have the “last word” to approve or decline a transaction in the authorisation and/or authentication process.
Acquirers are obliged to accept all cards and transactions from all over the world and cannot control card parameters or set any limitations on the card. If the issuer does not decline the transaction, the acquirer assumes it is a genuine transaction confirmed by the cardholder. Fraud is reported to acquirers by issuers with a delay, after cardholders have identified it (this can take 1-2 months after the actual transaction). So the acquirers get the information late and have fewer possibilities to prevent fraud.
Even when a transaction is refunded to the issuer after being reported as fraudulent, the record in the fraud report still remains and increases the total fraud level for the acquirer.
Also, credit transfers and cash withdrawals differ from regular card payments in how they are performed and in the fraud options available, so their fraud rates are not comparable.
Our suggestion would be to keep the fraud rate analyses of the different payment instruments separate, or to make comparisons on a per-region basis only.

Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?

Credit transfer amounts are higher and easier to convert to real money than card transactions, and they are not subject to card payment limitations (such as card limits). However, performing those transactions requires manipulating the account holder into authenticating themselves during the transaction. High-value transactions are not possible without strong authentication. That is why fraudsters find different ways to perform fraud with SCA.
Transactions are initiated by the account holders after social engineering by the fraudsters, such as phishing. The implementation of SCA is not sufficient to prevent fraud in such instances.

Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?

Based on PSD2 Art. 74, the PSU shall not bear any financial losses in transactions where the payment service provider does not require strong customer authentication. Credit transfers and cash withdrawals are usually strongly authenticated payments, so zero liability for the PSU is not applicable.
The PSU bears the losses relating to unauthorised payment transactions when they are due to the PSU acting fraudulently or failing to fulfil its obligations under Article 69 of PSD2 with intent or gross negligence. For instance, the PSU bears liability in strongly authenticated payments because of the obligation to keep the payment instrument and electronic signatures safe and out of third parties’ possession.

Question 5: Do you have any potential explanations why the percentage of losses borne by the PSUs substantially differs across the EEA countries?

PSU liability can differ due to different interpretations of the notion of gross negligence, and due to different national legislation.

Question 6: Do you have any potential explanations why the industry has reported fraud losses as having been borne mostly or significantly by “others”?

A PSP can report its own losses and its PSUs’ losses; however, losses that are covered in chargeback processes are borne by the other side. In the report this is reflected under “other”, as the loss is borne neither by the PSP nor by the PSU.
For instance, in an issuer fraud case the transaction can be charged back under the card organisation rules. The issuer initiates a chargeback towards the acquirer, and the loss is borne by the acquirer bank. From the issuer’s point of view the loss has been borne by the “other” side.

Question 7: Do you have any views regarding the observed correlation between the value of fraud and the value of losses due to fraud between H2 2019 and H2 2020?

As the calculations take into account only cash withdrawals and card payments from the issuers’ perspective, the loss cases should correspondingly come from the cases where issuers and/or PSUs bear the loss. For issuers, losses can arise from non-SCA transactions, where the PSU bears zero liability (payments not strongly authenticated). For PSUs, losses can increase from phishing cases, where account holders have been manipulated into initiating and confirming transactions with strong authentication.

Question 8: How do you explain the fact that the manipulation of the payer by the fraudster represents a substantial share of the fraudulent non-remote credit transfers authenticated with SCA? How is this fraud type concretely executed by the fraudsters?

There has been a substantial increase in social engineering by fraudsters, such as phishing, smishing etc. Account holders are persuaded to make “good investment deals”, or are told that somebody has taken over their account and that, to unblock it, the account holder has to pay and/or authenticate himself with a strong authentication means. In those social engineering cases, large-amount transactions are initiated from the account holder’s account.

Question 9: Do you have any views regarding the types of card payment fraud that have been reported by the industry under the category “issuance of a payment order by the fraudster”, sub-category “others”?

‘Issuance of a payment order by the fraudster’ is a type of unauthorised transaction where a fake payment order is issued by the fraudster after having obtained the payer’s/payee’s sensitive payment data through fraudulent means.
There could be some overlap with the “Card details theft” fraud reporting category.
Under transactions authenticated via non-strong customer authentication, mail order, telephone order or key-entered transactions initiated by the fraudster after having obtained the payer’s/payee’s sensitive payment data can be reported.

Due to different interpretations, fraud could be reported differently by PSPs.
Clear instructions and definitions would be beneficial. Also, as the card organisations Visa and Mastercard use a fraud split in their reporting as well, we would propose aligning the fraud categories with the card organisations’ split, to avoid misinterpretation and confusion.

Name of the organization

Swedbank AS