Question ID:
2019_5039
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Fraud reporting
Article:
96
Paragraph:
6
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
Article/Paragraph:
Guideline 1.1
Disclose name of institution / entity:
No
Type of submitter:
Competent authority
Subject Matter:
Reporting of fraud by the acquirers
Question:

Regarding the fraud definition, could you please clarify how the following fraud examples should be classified by the acquirers

Background on the question:

An industry member reverted to us for support on the classification of several examples of fraud, see below.

a) A merchant deliberately requests refunds on his/her own card. The refunds are processed by the issuer, who then requests charge back from the acquirer. Ultimately the acquirer cannot collect the funds from the merchant.

(b) A merchant is in financial difficulties, takes down payment/ prepayment on goods that he/she has no intention of delivering.

(c) A merchant offers a service online that does not exist and takes the funds from cardholders

Date of submission:
12/12/2019
Published as Final Q&A:
24/07/2020
EBA Answer:

Article 96(6) of Directive 2015/2366 (PSD2) requires Member States to ensure that payment service providers (PSPs) provide, at least on an annual basis, statistical data on “fraud relating to different means of payment” to their competent authorities.

In line with this Article, the EBA Guidelines on fraud reporting under PSD2 (EBA/GL/2018/05) as amended by the EBA Guidelines EBA/GL/2020/01, require reporting by PSPs of fraudulent transactions that fall under one of the two categories specified in GL 1.1: “unauthorised payment transactions” as defined in Guideline 1.1 (a); and cases of fraud by “manipulation of the payer”, as defined in Guideline 1.1(b).

As clarified in the EBA Final report on the Guidelines on fraud reporting, the cases where the payer is fraudulent (also known as ‘first party fraud’) are excluded from the scope of the reporting under the Guidelines, on the basis that such fraud does not reflect on the effectiveness of payment systems (see the responses to comments 41 and 57 in the Feedback Table, on pages 73 and 80 of the Final report).

Accordingly, the first example provided by the submitter in a) appears to be a case of first party fraud, that is not covered by the reporting under these EBA Guidelines.

As regards the examples in b) and c), as clarified in the EBA Final report on the Guidelines, in a consistent manner with the exclusion of first party fraud from the scope of the Guidelines, the reporting of fraud on the part of the payee is also excluded from the scope of the Guidelines, unless the fraud has occurred through the use of a means of payment (see the response to comment 57 in the Feedback Table, on page 80 of the EBA Final report).

Therefore, if the payee itself is fraudulent (for instance because it sells fictitious goods or services), but it does not intervene directly in the payment process, this would fall outside the scope of fraudulent transactions that need to be reported under the EBA Guidelines on fraud reporting under PSD2.

By contrast, cases of fraud by “manipulation of the payer”, as defined in Guideline 1.1(b), should be reported under the Guidelines.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Image CAPTCHA