Approvement of the new EU Instant Payments Regulation!
On 7th February 2024, the European Parliament formally approved the new Instant Payments Regulation.
Under the new regulations for Instant Payments (also known as Real-Time Payments), all European payment providers are required to give their customers the option to conduct Euro-denominated credit transfers that are completed within ten seconds from the time of approval. This service must be available at any moment, on any day and most importantly fees for instant payments must not exceed those of traditional credit transactions, which typically take several days to process.
The European payment industry celebrates!
The European payment industry hails the introduction of Instant Payments, as a major technological innovation in payments, viewing it as a significant enhancement to customer experiences. According to them Instand Payments are expected to further the digitalization of the payment landscape, introduce innovative solutions, and lay the groundwork for a pan-European payment solution, while also boosting market competition. Especially as even non-bank payment institutions (e.g. e-money institutions, including future regulated stablecoin issuers aka e-money token issuers) will be granted direct access to central bank payment systems (e.g. SEPA) under the new legislation.
The non-mentioned Threat coming with Instant Payments - APP scams.
Only randomly is it discussed that the rollout of Instant Payments will most probably result in a massive surge in Authorized Push Payment (APP) fraud incidents for both consumers and businesses in the European Union in the upcoming years. Although experience suggests that it has become a relevant cause of fraud losses in countries with
a large share of instant payments.
This is particularly concerning because the European Union anyway lacks the essential capabilities to fight online fraud efficiently and effecitivly.
Authorized Push Payment Fraud
Online fraudsters invariably rely on (fiat or crypto) payment providers to facilitate access to their ill-gotten gains.
Unauthorized payment fraud occurs when scammers steal credit card or bank account details and use them without the consent of the card or account holders, draining the accounts or making transfers for their own benefit.
Experience suggests that instant payments are a particularly attractive instrument for this type of fraud since they allow for real-time transfer of funds to a bank account (or a succession of bank accounts), which can then be followed by an immediate cash-out, because the e funds become available to the beneficiary right away. This quickly places the transaction out of the reach of the involved PSPs and responsible autho rities.
Authorized (Push) Payment fraud involves fraudsters tricking their victims into willingly making large bank transfers to them. In many cases, this happens via social engineering across social media networks or via telephone (like Gal Bara´s boiler room people convinced the victims to deposit money for the fraudulent trading websites with money mules all over Europe).
Cybercriminals demonstrate remarkable adaptability to new technologies and societal changes and continuously improving their cooperation and specialization. Consequently, the various methods fraudsters use to deceive their victims into sending them money are evolving at an astonishing rate.
A notable example recently highlighted by the media involves scammers who deceived a multinational company into transferring approximately US$26 million by using deepfake technology to impersonate senior executives.
Extent of Authorized Push Payment fraud
For the UK (67 mio inhabitants), often referred to as the headquarters of online fraud, UK Finance released in its Annual Fraud Report that over GBP 1.2 billion were stolen by criminals through financial fraud in 2022. UK Finance split this figure into unauthorized fraud losses across payment cards, remote banking, and cheques that reached £726.9 million in 2022 and authorized push payment fraud losses reaching £485.2 million. However, these figures are based on reported fraud cases. According to new research released by National Trading Standards (NTS), 73% of UK adults – or 40 million people – have been targeted by scams, with 35% – or 19 million – losing money because of this criminal offense. The average amount victims lose is £1,730, but the study found that fewer than a third (32%) report the crime to the authorities.
According to “ScamScope Fraud Report” a new report Authorized Push Payment (APP) scam losses are on the rise and expected to climb to $6.8 billion — a combined compound annual growth rate (CAGR) of 11% — by 2027 across six leading real-time payment markets (U.S., U.K., India, Brazil, Australia and Saudi Arabia)
According to the ScamScope Fraud Report the increase in real-time Payment Transactions correlates with an increase in authorized Push Payment Fraud across these six leading real-time payment markets.
UK´s high APP fraud cases correlate with the introduction of Faster Payments in 2008, Brazil´s instant payment scheme PIX has a high adoption rate, and India introduced its Instant Payment scheme UPI in 2016; all these countries are plagued with high APP fraud rates.
APP scam losses in the U.S. are projected to increase by 9% from 2022 to 2027 by the ScamScope Fraud Report. However, real-time payments adoption fueled by the FedNow Service (US Real-Time Payment Scheme is projected to surpass this growth, with a remarkable 41% CAGR.
In Europe, we lack reliable data on Authorized Push Payment (APP) fraud cases. We have encountered figures such as €380 million and €1.6 million, but none appear trustworthy. Considering that the European Union’s population exceeds 440 million, the research conducted by our organization, which focused on data from only 1,300 European victims, revealed that APP fraud had exceeded €50 million in 2018 alone across approximately 15 fraudulent websites. Consequently, the numbers reported at €380 million and €1.6 million are significantly inaccurate.
Eliminating the de-risking issues for Payment Institutions and e-money Institutions
Although no or only few statistical material is available about the extent of the App fraud going on in Europe, the European authorities keep pushing the new Instant Payment scheme.
The new regulation will broaden access to Instant Payment transactions for non-bank Payment Institutions. This means that Payment Institutions and e-money institutions, as well as future regulated issuers of stablecoins—referred to as e-money token issuers—will gain direct access to central bank payment systems (e.g., SEPA) under the new legislation.
Consequently, European authorities will also tackle the issue of de-risking that non-bank payment institutions have recently faced. Banks frequently refuse to onboard Payment Institutions and e-money Institutions as customers due to the higher risks associated with them.
On 16 June 2023, the European Banking Authority (EBA) published a report on money laundering/terrorist financing (ML/TF) risks associated with Payment Institutions (EBA/REP/2023/18), confirming the increased risk linked to these institutions.
Furthermore, the surge in Payment Institutions in Europe following Brexit has exacerbated the situation.
Considering that in Europe, supervision of Payment Institutions and enforcing Anti-Money Laundering (AML) regulations by National Competent Authorities is more or less nonexistent, the decision of granting access to the central bank payment systems to questionable Payment Institutions and e-money Institutions (like Wirecard and Payvision BV) aggravates the situation.
Thus, Europe risks reinforcing its reputation as a “Wonderland” for scammers.
Up next in this ongoing story: The EU’s ineffective strategy in addressing Authorized Push Payment (APP) fraud.