Response to Discussion Paper on the EBA's preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

Historically, cross-border card payments have had higher fraud rates than domestic transactions. These findings are consistent with previous analyses by the ECB and with the Member States' national annual reports on fraud and payment security. In addition, the data under analysis was collected shortly after the PSD2 RTS on SCA and CSC entered into application, and several countries have not yet reported their data, making it hard to draw definitive conclusions on this basis.

It is nevertheless important to note that these findings suggest the changes introduced by PSD2 have not had a significant impact on overall fraud levels. Structural patterns in cross-border and domestic fraud have remained very similar, and total fraud rates are similar, although with a different composition.

Although the SCA regulation has had positive impacts in reducing some types of fraud, we should keep in mind that the fluid and evolving nature of fraud also requires an evolving framework to fight it. It should therefore be natural for the security requirements for remote payments to evolve as well, and above all to allow the market to adjust in the future. By embedding detailed SCA definitions and solutions, the current level 2 legislation has some unintended consequences, namely:
i) At least one payment solution with an extremely low level of fraud has been considered non-compliant: MB NET. This solution consistently has the lowest fraud rate when compared with all other online payment solutions in Portugal. It was nevertheless considered non-compliant simply because it does not fit the strict definition of SCA as specified in the Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC);

ii) Fraudsters have since adapted their modus operandi to exploit new weaknesses, which has led to a massive migration of fraud towards scamming, social engineering and other methods that circumvent SCA as it is defined. The constantly evolving nature of fraud must be taken into consideration, with legislation focusing more on defining principles and outcomes instead of describing specific solutions, which have proven to become technically obsolete at a fast pace.

With the implementation of SCA, we have realised that some products had to be modified in order to comply with the current definitions, leading to a worse user experience with no improvement in fraud reduction.

A specific example from the Portuguese payments market is the case of MB NET. Essentially, MB NET is an innovative free-of-charge service developed by SIBS that allows consumers to make secure online payments with a one-time, limited-use virtual card.

MB NET is a service designed with the purpose of preventing fraud in e-commerce, and it is by design resilient to card data compromise, phishing, malware and data breaches. The service was launched in 2001. Main features of the service:
i) 3-D Secure virtual card;
ii) Single or multiple purchases at the same merchant;
iii) The consumer has control over the maximum amount allowed and the expiration date of the card;
iv) SCA is used in all steps that lead to the creation of the virtual card.

When comparing the fraud data of the MB NET service with the fraud data of card purchases in total (card-present and card-not-present), this service demonstrates its capacity both to reduce fraud and to increase confidence in online purchases, in line with the Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC). The main reason that led to changes in a service that objectively offered such a security level relates to the strict requirements laid down in Article 19 of the Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC) and its related Annex.

If the RTS were based on outcomes, and not on specific processes or technologies, it would reduce the risk of considering payment solutions non-compliant when they have proven effective in deterring and preventing fraud, even if they do not fit exactly within the detailed rules. An alternative could be to evaluate exemptions to SCA based on a payment solution's fraud rate, instead of the overall fraud rate of a PSP.

We would highlight that the fraud levels for MB NET in 2020 and 2021 (Jan-Sept), when compared with the fraud levels for card-not-present payments with SCA, are 3x lower for attempted fraud and 5.4x lower for effective fraud.

Question 2: Do you have any comments on the patterns that are outlined in the chapter "patterns emerging from the selected data"?

In this chapter, we would like to highlight the fraud patterns we have seen emerging in Portugal in the last few years, which we believe are worth noting and which differ from the conclusions drawn in paragraphs 32, 33 and 34.

The data we have been collecting since 2019 on remote card payments with and without SCA authentication has shown a decrease in fraud rates for payments without SCA and an increase for payments with SCA. More specifically, in 2019 card-not-present payments without SCA had a fraud rate of 23 bps, whilst card-not-present payments with SCA had a fraud rate of 3.8 bps.
In March 2020, machine-learning tools were deployed to tackle fraud, focused on card-not-present payments without SCA (since this was where the highest level of fraud was located and the SCA rules were coming into application).
In 2021, fraud rates for card-not-present payments without SCA were down to 12 bps (an 11 bps reduction) and for card-not-present payments with SCA authentication were up to 14 bps (an increase of almost 10 bps):
• The decrease in fraud for card-not-present payments without SCA demonstrates the effectiveness of the machine-learning tools deployed in Portugal.
• The significant increase in the level of fraud for card-not-present payments with SCA in Portugal is a product of a higher volume of transactions using SCA, the migration of fraud patterns to scams and social engineering, and fraud targeting some of the SCA exemptions.
As reported by some other entities, we have seen an increase in phishing. Comparing data from 2020 with data from 2021, phishing, fake links/websites and SMS are up 800%.

We would highlight that, by default, identifying fraud in secure transactions is much harder because:
i) We assume that if the PSU performed SCA, potential fraud situations would be more easily detected and blocked by the PSU;
ii) Historically there has always been the lowest level of fraud in fully secure transactions, which makes the behavioural machine-learning models less likely to detect potential fraud situations;
iii) Most of the fraud is based on social engineering, which implies manipulation of the victim or stolen credentials;
iv) It is usually based on complex and sophisticated fraud operations that use the same channels previously used by the PSU for other transactions.

If we exclude some of the most traditional types of fraud, we’ve witnessed an increase in the following types of fraud:

i) Phishing with the aim of stealing personal credentials: from May to November 2021, up to 300 links leading to fake websites and pages were reported in Portugal alone;
ii) Low-value transactions: there has been an increase in fraud levels through transactions below the €30 threshold, thus benefiting from the SCA exemption.
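The low-value exemption pattern described in point ii) is one that a PSP can monitor on its own side of the transaction flow. The following is an added illustration written for this page, not SIBS code or SIBS data: it applies the three counters that the RTS on SCA and CSC attaches to the low-value remote exemption (Article 16: €30 per transaction, €100 cumulative since the payer's last SCA, at most five consecutive exempted transactions) and adds a constructed near-threshold heuristic, which is an assumption of this example rather than anything stated in the response, to surface cards whose exemption chain is made up of payments clustered just under the €30 cap. The card references, amounts and alert parameters are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Limits for the low-value remote exemption, RTS on SCA and CSC, Article 16
# (Commission Delegated Regulation (EU) 2018/389).
LOW_VALUE_LIMIT = 30.00    # per-transaction cap in EUR
CUMULATIVE_LIMIT = 100.00  # cumulative EUR since the payer's last SCA
MAX_CONSECUTIVE = 5        # consecutive exempted transactions since last SCA

# Constructed heuristic (assumption, not from the response): an exempted
# transaction at or above this share of the per-transaction cap counts as
# "near-threshold"; reaching NEAR_THRESHOLD_ALERT of them in one exemption
# chain raises an alert for review.
NEAR_THRESHOLD_RATIO = 0.85
NEAR_THRESHOLD_ALERT = 3


@dataclass
class Transaction:
    card: str          # constructed opaque card reference
    amount: float      # EUR
    sca_applied: bool  # True when the PSP actually performed SCA on this payment


@dataclass
class ExemptionState:
    cumulative: float = 0.0   # EUR exempted since last SCA
    consecutive: int = 0      # exempted transactions since last SCA
    near_threshold: int = 0   # of those, how many sat just under the cap


def process(txns: List[Transaction]) -> Tuple[List[str], List[str]]:
    """Apply the Article 16 counters per card, in transaction order.

    Returns (decisions, alerts): one decision per transaction, either
    'sca' (SCA was performed), 'exempt' (low-value exemption applied) or
    'sca_required' (exemption unavailable, PSP must step up), plus the
    cards whose exemption chain tripped the near-threshold heuristic.
    """
    state: Dict[str, ExemptionState] = {}
    decisions: List[str] = []
    alerts: List[str] = []
    for t in txns:
        s = state.setdefault(t.card, ExemptionState())
        if t.sca_applied:
            # A completed SCA resets every counter in the exemption chain.
            state[t.card] = ExemptionState()
            decisions.append("sca")
            continue
        exemption_unavailable = (
            t.amount > LOW_VALUE_LIMIT
            or s.cumulative + t.amount > CUMULATIVE_LIMIT
            or s.consecutive + 1 > MAX_CONSECUTIVE
        )
        if exemption_unavailable:
            decisions.append("sca_required")
            continue
        s.cumulative += t.amount
        s.consecutive += 1
        if t.amount >= NEAR_THRESHOLD_RATIO * LOW_VALUE_LIMIT:
            s.near_threshold += 1
            if s.near_threshold == NEAR_THRESHOLD_ALERT and t.card not in alerts:
                alerts.append(t.card)
        decisions.append("exempt")
    return decisions, alerts


# Constructed sample traffic (not real data).
SAMPLE = [
    Transaction("card-A", 12.50, False),  # ordinary low-value purchase
    Transaction("card-A", 8.00, False),
    Transaction("card-A", 45.00, False),  # above EUR 30: exemption unavailable
    Transaction("card-A", 45.00, True),   # same purchase completed with SCA
    Transaction("card-B", 29.90, False),  # cluster just under the cap
    Transaction("card-B", 29.50, False),
    Transaction("card-B", 29.95, False),  # third near-threshold hit: alert
    Transaction("card-B", 28.99, False),  # would push cumulative past EUR 100
]

if __name__ == "__main__":
    decisions, alerts = process(SAMPLE)
    for t, d in zip(SAMPLE, decisions):
        print(f"{t.card} {t.amount:>6.2f} -> {d}")
    print("near-threshold alerts:", alerts)
```

The cumulative and consecutive counters are what the exemption itself requires the PSP to keep; the near-threshold count is the extra signal. On its own a €29.90 purchase is unremarkable, but a chain of them with no SCA in between is exactly the shape the response describes, and flagging the card while the chain is still under the €100 cumulative cap gives the monitoring team a chance to act before the exemption is exhausted.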

Our general perception is that SCA should not by itself be the tool for achieving the goal of greater customer trust. Currently, one of the highest fraud incidences is directly linked to the theft of personal credentials. This type of fraud is complex and sophisticated, lasts longer, moves higher amounts of money and has a bigger impact on consumers' trust in the payments system.

Name of the organization

SIBS - Forward Payment Solutions