How the EU plans to tackle payment fraud!

The payments landscape has undergone significant changes over the past decade. The changes have been mainly driven by fast-paced technological advancements. Digital payments in the EU have steadily increased, reaching a value of EUR 240 trillion in 2021 (compared to EUR 184.2 trillion in 2017). This trend has been accelerated by the COVID-19 pandemic.

This shift to digital payments was accompanied by a rise in increasingly complex types of fraud, putting consumers at risk and undermining trust in authorities and the financial system.

An investigation carried out by the European Parliament in early 2022 found that:

  • persistent fraud risks undermine payment users’ confidence in the payment industry, especially among consumers;
  • the Open Banking framework faces obstacles, hindering data access for Open Banking service providers and stifling innovation;
  • inconsistent powers and obligations among EU supervisors lead to a fragmented payment market due to varying regulations and costs across Member States. EU regulators lack the authority to establish a functioning level playing field;
  • an uneven playing field exists between bank and non-bank PSPs due to uncertainties and regulatory disparities from PSD2 and national laws for non-bank PSPs.

PSD3 and PSR

In response to the dynamic evolution and the issues identified, the European Commission proposed to revamp the Payment Services Directive (PSD2) regime with a new regulatory framework proposed in June 2023: the Payment Services Regulation (PSR) and the Payment Services Directive (PSD3).

The drafted Payment Services Directive 3 (PSD3) is a new directive for payment services and electronic money services in the Internal Market. It amends Directive 98/26/EC and repeals Directives 2015/2366/EU and 2009/110/EC, serving as an updated version of the Payment Services Directive 2 (PSD2). PSD3 remains a directive, primarily focusing on the licensing and operation of payment service providers.

The proposed Payment Services Regulation (PSR), which regulates payment services within the internal market and amends Regulation (EU) No 1093/2010, will be directly applicable in EU member states.

PSD3 reinforces the authorization and licensing process

PSD3 covers authorization and supervision of payment institutions. One of the novelties in the PSD2 revision is that payment institutions now encompass the provision of electronic money services, as PSD3 merges with the Electronic Money Directive. According to the proposed legislation, only payment institutions will exist, and they can be authorized to offer e-money services.

Authorization and supervision will still remain within the competence of the National Competent Authorities, but more coordination and alignment between member states is requested.

Consumer protection rules foreseen in PSR

The PSR establishes uniform requirements for the provision of payment services and electronic money services across the EU, including transparency of conditions, information requirements, and the rights and obligations of payment service providers and users.

The PSR will apply to payment services provided within the EU by various categories of payment service providers, including credit institutions, payment institutions, and electronic money institutions.

It includes rules to improve access to payment systems and accounts for payment service providers, preventing “regulatory arbitrage” where providers choose more favorable jurisdictions.

It aims to further harmonize the rules on payment services, minimizing margins of interpretation, to improve competition between providers and prevent distortions.

It introduces measures to improve fraud detection and prevention in credit transfers, allowing payment service providers to collectively share information on fraudulent activity and techniques.

It proposes allowing merchants to offer cash provision services without needing a full payment service provider authorization.

The rules on fraud prevention (authorized push payment fraud; unauthorized payments)

The drafted consumer-friendly rules on authorized push payment fraud and unauthorized payments reflect the EU Commission’s confirmation, specifically that of the Economic and Monetary Affairs Committee (ECON), for more consumer protection as well as for the fight against payment fraud. The new rules assert that payment service providers are definitively responsible for implementing appropriate internal fraud prevention and detection procedures.

Strict notification requirement is set

Proposed Article 54 (1) of the PSR sets a strict notification requirement: the payment service user must inform the payment service provider about any unauthorized or incorrectly executed payment transaction, or any authorised transaction relating to impersonation fraud, without undue delay after becoming aware of the transaction and no later than 18 months after that transaction.

Evidence on authorization lies with the PSP

Article 55 (1) of the PSR requires PSPs to prove that payment transactions were authorized where payment service users claim that they did not approve a transaction or that it was incorrectly executed. This is a significant change from the equivalent Article 72 of the PSD2, which obliged PSPs to prove authentication.

Liability for unauthorized transactions

The drafted rules within Article 56 of the PSR mandate that PSPs refund unauthorized payment transactions (unauthorized transactions may occur when the debit or credit card is lost or stolen) immediately or by the end of the next business day, or within 10 days where payer fraud is suspected. ECON suggested extending the timeframe to five business days and the time to investigate suspected payer fraud to 20 days.

Liability for authorized payment transactions

New rules on liability in case of fraud are introduced in Art. 57 PSR in relation to any discrepancies between the unique identifier and the name of the payee.

  1. “The payer shall not bear any financial losses for any authorized credit transfer where the [PSP] of the payer failed to notify the payer of a detected discrepancy between the unique identifier and the name of the payee provided by the payer.
  2. Where the [PSP] of the payee is responsible for the breach of Article 50(1) PSR committed by the [PSP] of the payer, the [PSP] of the payee shall refund the financial damage incurred by the [PSP] of the payer. …”

Similar to the rules in the Instant Payment Regulation (IPR) amending the SEPA Regulation and CBPR2, a requirement for a “confirmation of payee” system, referred to as “matching services”, is introduced in Article 50 PSR for regular (i.e. “non-instant”) credit transfers where the payer enters the unique identifier and the name of the payee themselves.

Liability of Technical Service Providers and operators of payment schemes

According to drafted Article 58 PSR, technical service providers (payment gateway providers) and operators of payment schemes that either provide services to the payee or to the payment service provider of the payee or the payer shall be liable for direct financial damage caused to the payee, to the payment service provider of the payee or the payer.

New liability rules for authorized push payment fraud

A new liability regime for authorized push payments in case of impersonation fraud is introduced in drafted Art. 59 PSR:

“1. Where a [PSU] who is a consumer was manipulated by a third party pretending to be an employee of the consumer’s [PSP] or any other relevant party entity of a public or private nature using the name or e-mail address or telephone number of that entity unlawfully and that manipulation gave rise to subsequent fraudulent authorised payment transactions, the [PSP] shall refund the consumer the full amount of the fraudulent authorised payment transaction under the condition that the consumer has, without any delay, reported the fraud to the police and notified its payment service provider [..]”

Accountability of social media will be introduced:

Article 59 (5) PSR proposes an accountability rule for electronic communication providers regarding impersonation fraud.

Article 59 Section 5 PSR

Furthermore, the PSR proposal places the burden on the PSP to prove that the consumer acted fraudulently or with gross negligence.

On 23 April 2024 the European Parliament's plenary gave the green light to the Economic and Monetary Affairs Committee (ECON) position on the drafted PSR.

Interestingly, the Parliament extends fraud reimbursement rights to a broader scope of electronic communications service providers, which the Parliament defines as any providers covered by the Digital Services Act or the European electronic communications code. If such providers fail to remove fraudulent or illegal content after being informed thereof, in cases of impersonation fraud they must refund consumers for the relevant fraudulently authorized transactions, provided that the consumer reported the fraud to the police and their PSP promptly. Additionally, the Parliament position would oblige electronic communications and digital platform service providers to employ fraud prevention techniques to combat different types of fraud.

Next Steps for the PSD3 and the PSR to get enacted

The “trilogue process” requires that the Council of the EU, the European Commission, and the European Parliament reach an agreement on the new set of rules and obligations.

Great approach by the European authorities, let us see what the banking lobby thinks about the new rules and how this develops.