Response to the Discussion Paper on the EBA's preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border fraud in the total volume of fraud?

It is known that crime is an international activity run by international networks. Fraudsters know how difficult it is to track money across countries; it is therefore not surprising that fraud is more frequent in cross-border transactions than the share of legitimate cross-border transactions in the total would suggest. Physical borders do not hinder fraudsters: those borders exist for administrative purposes (including crime fighting), while payments benefit from the integrated market for electronic payments [in euro], in which no distinction is made between national and cross-border payments, a key element for the proper functioning of the internal market.

Question 2: Do you have any comments on the patterns that are outlined in the chapter "patterns emerging from the selected data"?

As a general comment, we would like to underline that the observations are based on partial information: not all countries have responded, and among those that provided data a number of inconsistencies have been identified. Any conclusion drawn from that data may therefore not be relevant and should not be used as the basis for concrete measures. Nor is it established that the data provided by the countries individually considered sufficiently consistent are comparable with the other countries' data. The variety of payment services offered to customers in the different countries, in particular those provided in the digital environment, together with differing levels of digital adoption, make the comparison inconsistent.

One thing the reported fraud data may not show is that the considerable effort invested in fighting fraud is bearing fruit: a great deal is being done to manage fraud despite the constant growth in attacks.
The paper already points out that the reporting period still benefited from the supervisory flexibility the EBA had granted, during which there was a low level of industry readiness in the card-based e-commerce environment.
In addition, the security measures established in the RTS on SCA, which are intended to be homogeneous, make it easier for criminals to learn how the system works and to overcome obstacles, most of which can be anticipated in advance. Once they know what they will be confronted with, they find a way to bypass it. When security measures are rigid and do not evolve as the market does, nor at the same pace as technology, the predefined measures are not very effective.
A clear sign of the criminals' behaviour is the shift from security-breach methods to social engineering techniques. They now target customers rather than remote systems' transactions, so SCA as a regulated security measure is no longer an obstacle for them. More flexibility should be granted to PSPs concerning the methods used to apply strong customer authentication and to secure their customers' transactions, and more support would be welcome in order to implement more preventive [collective] measures.

Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?

This question is partially answered in the previous question (see Q. 2). Beyond that, the incidence of manipulation of the payer by the fraudster (figure 10) for credit transfers explains the rest. Fraudsters are using social engineering techniques on a massive scale: the target is the emotional side of payers, and once the payer has been deceived the fraudsters obtain the SCA elements they already expected to need. Once they control the situation, they know that credit transfers are the easiest and quickest way to move the money (the irrevocability of credit transfers is their best ally). Nowadays, even if the funds are still available in the payee's account (sometimes they are), little can be done to recover them. Legal provisions allowing PSPs to recover funds in cases of fraud are needed in the legislation in order to protect users and prevent the systems being abused by criminals, regardless of the country of origin and destination of the funds involved.

Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?

According to Article 73 of PSD2, in the case of an unauthorised payment transaction the payer's payment service provider refunds the payer the amount of the unauthorised payment transaction immediately after becoming aware of, or being notified of, the transaction.

Concerning credit transfers, as shown in figure 10, about half of the fraudulent credit transfers are authenticated with SCA, and figure 11 shows the percentage of the value of fraudulent remote credit transfers authenticated with SCA. Taken together, the two figures suggest that most of these transactions were authenticated by the users and correctly executed. For authorised transactions, PSD2 makes the PSP liable for the correct execution of the payment transaction in accordance with the payment service user's payment order. Where the funds in a payment transaction reach the wrong recipient as a result of a transaction authenticated by a payer who was the victim of a deception, the payment service providers of the payer and the payee should not be liable, but should be obliged to cooperate in making reasonable efforts to recover the funds, including communicating the relevant information. Unfortunately, the irrevocability of credit transfers does not always facilitate this task, and despite the cooperation and efforts of the payer's PSP and the payee's PSP the funds cannot always be recovered. It is for these cases that provisions are required to facilitate the recovery of funds when a fraudulent transaction is involved.
The scenario is different for cash withdrawals, 100% of which are issued by the fraudster. In those cases, the document notes that the data collected do not distinguish between transactions authenticated with SCA and those without SCA. Additionally, withdrawals made with lost or stolen cards are the main fraud type, representing 70% of the total volume of fraudulent cash withdrawals in H2 2020. PSD2 sets out the obligations of the payment service user in relation to payment instruments and personalised security credentials (Article 69), and according to Article 52(5)(a) users should have been provided with a description of the steps to take in order to keep a payment instrument safe. The figures suggest that payers bear the losses in cases where they fail to fulfil one or more of the obligations set out in Article 69, either because they have acted negligently or because they have been caught off guard and have provided the security elements to the criminals who committed the fraud.

Question 5: Do you have any potential explanations why the percentage of losses borne by the PSUs substantially differs across the EEA countries?

Once more, the lack of comparability of the data, the lack of input from some (relevant) countries and the inconsistencies already mentioned in the document must be considered before reaching any conclusion, in particular any comparison across countries. Nevertheless, the first explanation for any difference may be the diverse habits and behaviours of users across countries, and the different payment services offered in response to varied market demands or expectations. The maturity of the electronic payment services market, digital adoption, and the way each payment service is offered to users may also explain those differences. More information is needed before reaching any conclusion: the average amount per relevant payment instrument per country, and the average losses per instrument and per country, would allow the differences to be analysed better.

Question 6: Do you have any potential explanations why the industry has reported fraud losses as having been borne mostly or significantly by “others”?

More information would be needed for that analysis.

Question 7: Do you have any views regarding the observed correlation between the value of fraud and the value of losses due to fraud between H2 2019 and H2 2020?

As the EBA has already observed, the quality of the information reported is improving with the experience accumulated by PSPs and national authorities. The COVID crisis may also have been relevant to fraud behaviour over time, including through the increased digitalisation during that period. Data for the two periods mentioned are probably not consistent enough for comparison. More time is needed to observe, compare and extract trends.

Question 8: How do you explain the fact that the manipulation of the payer by the fraudster represents a substantial share of the fraudulent non-remote credit transfers authenticated with SCA? How is this fraud type concretely executed by the fraudsters?

In our market we do not observe that behaviour. As a general reflection, it may be more frequent in markets where remote credit transfers are not generally available and a non-remote transaction is required; this is the case for PSPs that only provide remote credit transfers to previously registered payees. Considering the most frequent scams, once the social engineering behind the scam has borne fruit, it is not surprising that the user makes the transaction even if it requires a non-remote order.

Question 9: Do you have any views regarding the types of card payment fraud that have been reported by the industry under the category “issuance of a payment order by the fraudster”, sub-category “others”?

N/A

Name of the organization

Asociación Española de Banca (AEB)