- Question ID
-
2024_6989
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
19
- Type of submitter
-
Competent authority
- Subject matter
-
Criteria for selecting the operations to be included in the calculation of fraud rates for the transaction risk analysis (TRA) exemption
- Question
-
Which of the following would be the correct temporal criterion for selecting the unauthorized transactions to be included in the numerator of the fraud rates calculated for the transactions risk analysis (TRA) exemption?
a) the transaction date, i.e., the date on which the transaction was executed regardless of the date on which it is classified as unauthorized or fraudulent
b) the registration date, i.e., the date on which the transaction is registered as unauthorized or fraudulent regardless of the date on which it was carried out
- Background on the question
-
The criterion of taking the transaction date into account (a) is aligned with EBA GL 2018/05 on fraud reporting, however, according to this criterion, if a transaction is deemed fraudulent after the corresponding calendar quarter has ended, it would not have been taken into account in the calculation made for that quarter and neither will it be in the calculation made for any following quarter. Consequently, the resulting overall fraud rate would be underestimated. This scenario can frequently happen in the case of card-based payments.
On the other hand, the registration date approach (b) would allow to consider all fraudulent transactions, although it implies that the numerator would include transactions belonging to previous quarters while the denominator would only include transactions carried out during the relevant quarter. Nevertheless, such asymmetry could be fixed, if required, by also adding the new registered fraudulent transactions belonging to previous quarters to the denominator.
Additionally, following Q&A 2018_4045, fraud rates calculations for TRA should be performed once every calendar quarter. Therefore, it is expected that the calculation of said fraud rates shall be carried out at the very beginning of each quarter (one shot) to verify all conditions are satisfied and, in case one of the monitored fraud rates exceeds the applicable thresholds, PSPs shall immediately adapt their processes and report to the competent authority. Consequently, approaches consisting on revising the obtained fraud rates as unauthorized transactions are confirmed seem hardly practicable.
Notwithstanding the above, neither the regulation nor subsequent clarifications specify the criterion to be applied.
- Submission date
- Status
-
Question under review
- Answer prepared by
-
Answer prepared by the EBA.