- Question ID
-
2024_6989
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
19
- Type of submitter
-
Competent authority
- Subject matter
-
Criteria for selecting the operations to be included in the calculation of fraud rates for the transaction risk analysis (TRA) exemption
- Question
-
Which of the following would be the correct temporal criterion for selecting the unauthorized transactions to be included in the numerator of the fraud rates calculated for the transactions risk analysis (TRA) exemption?
a) the transaction date, i.e., the date on which the transaction was executed regardless of the date on which it is classified as unauthorized or fraudulent
b) the registration date, i.e., the date on which the transaction is registered as unauthorized or fraudulent regardless of the date on which it was carried out
- Background on the question
-
The criterion of taking the transaction date into account (a) is aligned with EBA GL 2018/05 on fraud reporting, however, according to this criterion, if a transaction is deemed fraudulent after the corresponding calendar quarter has ended, it would not have been taken into account in the calculation made for that quarter and neither will it be in the calculation made for any following quarter. Consequently, the resulting overall fraud rate would be underestimated. This scenario can frequently happen in the case of card-based payments.
On the other hand, the registration date approach (b) would allow to consider all fraudulent transactions, although it implies that the numerator would include transactions belonging to previous quarters while the denominator would only include transactions carried out during the relevant quarter. Nevertheless, such asymmetry could be fixed, if required, by also adding the new registered fraudulent transactions belonging to previous quarters to the denominator.Additionally, following Q&A 2018_4045, fraud rates calculations for TRA should be performed once every calendar quarter. Therefore, it is expected that the calculation of said fraud rates shall be carried out at the very beginning of each quarter (one shot) to verify all conditions are satisfied and, in case one of the monitored fraud rates exceeds the applicable thresholds, PSPs shall immediately adapt their processes and report to the competent authority. Consequently, approaches consisting on revising the obtained fraud rates as unauthorized transactions are confirmed seem hardly practicable.
Notwithstanding the above, neither the regulation nor subsequent clarifications specify the criterion to be applied.
- Submission date
- Final publishing date
-
- Final answer
-
Article 19(1) of the Delegated Regulation (EU) 2018/389 refers to the calculation of the overall fraud rate for each type of transaction on a “rolling quarterly basis (90 days)” (calculation once every calendar quarter as further clarified in Q&A 4045).
Accordingly, to ensure that transactions are properly taken into account in the calculation of the fraud rate for the respective quarterly period, payment service providers (PSPs) should take into account the date of the transaction.
Where PSPs register a transaction as fraudulent after the respective quarterly period under Article 19(1) of the Delegated Regulation, PSPs should assess whether the fraud rates for the type of payment transaction for the respective quarter exceeds the applicable reference fraud rate set out in the Annex to the Delegated Regulation and, where applicable, take actions in accordance with Article 20 of the Delegated Regulation in relation to notification to competent authorities or cessation of the exemption based on transaction risk analysis.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.