At this time of year, when we all get ready for the holiday festivities and take advantage of the bargains that we see in the shops, we can’t help but be aware that, as our lives become mostly digital, fraudsters also take advantage of the lack of vigilance to which we may be prone as we rush around in our attempt to find the perfect deal. We have to commend the financial services industry for their awareness campaigns to help their customers avoid being scammed, and there are too many initiatives to mention. They are all welcome. We also have to praise regulators worldwide in their attempt to not only promote innovation, but also foster better security and integrity for our financial services ecosystems. It’s a tough job, but it’s all been going in the right direction over the past few years.
One notable example is the rise of Authorised Push Payment (APP) fraud, where victims are manipulated into authorising fraudulent transactions. It has become increasingly prevalent, accounting for 57% of credit transfer fraud in the EU. Safeguards around this are not consistently tackled worldwide, but some geographies stand out for their proactiveness: the UK and Australia for their regulations on APP fraud, and the EU for its proposed amendments to the Payment Services Regulation (PSR) in article 59, which extends fraud liability beyond PSPs to technology and telecommunications companies. In my opinion, this is a welcome move because the financial services that we all use don’t just rely on financial services institutions.
For example, according to UK Finance, 72% of APP scams originated on social media platforms in the first half of 2024. This statistic highlights concerns about the role of social media companies in fighting financial fraud and supports calls for greater collaboration between banks and social platforms to protect consumers.
But it’s not just social media. AIB recently highlighted that the top two most common fraud methods observed in 2024 are Smishing (SMS Phishing), where criminals send text messages impersonating legitimate organisations to trick people into providing personal information or clicking on malicious links, accounting for 94% of all fraud cases from January to October 2024, followed by Vishing (Voice Phishing), where scammers make phone calls impersonating trusted organisations to trick their victims in similar ways. As these calls must be made using infrastructure provided by telecommunications companies, the latter are definitely in the frame. The same AIB report also highlights that the fourth most common fraud type is purchase scams, where criminals clone genuine websites to offer fake products or discounts, clearly questioning the accountability of hosting companies.
Extending fraud liability beyond financial institutions
In our increasingly digital world, financial services provision doesn’t solely rely on financial services institutions. Therefore, to enhance ecosystem safety and integrity, the accountability burden shouldn’t be placed solely on these institutions, don’t you think?
You can therefore imagine my surprise when I recently saw this headline: “MEPs’ Payment Fraud Liability Proposal is Flawed and Risky, New Study Concludes.” The study, commissioned by the Computer & Communications Industry Association (CCIA Europe), comments on the economic implications of introducing shared liability for payment fraud as proposed by the European Parliament, suggesting extending liability for APP fraud to electronic communication service providers (ECSPs) and online platforms, in addition to payment service providers (PSPs).
The CCIA is an industry trade association, and it should represent the interests of its members, but their report introduces several potential biases and misconceptions:
- Industry Perspective: The study primarily presents arguments against shared liability, which aligns with the interests of the telecommunications industry in avoiding additional regulatory burdens.
- Limited Scope: The report focuses heavily on the challenges and potential drawbacks of shared liability, without thoroughly exploring potential benefits or alternative solutions.
- Overemphasis on Existing Efforts: The study may overstate the effectiveness of current voluntary initiatives and existing incentives for fraud prevention.
- Lack of Precedent: The study notes that no other jurisdiction has assigned strict liability to PSPs, online platforms, and ECSPs for APP fraud.
- Underestimation of Provider Capabilities: The report may underestimate the technical capabilities of ECSPs and online platforms to detect and prevent fraud.
- Lack of Consumer Perspective: The study does not adequately address the potential benefits to consumers from increased protection against fraud.
- Potential Costs: The authors suggest that imposing shared liability could generate costs for consumers and the economy, including reduced competition and worse consumer experiences.
- Selective Use of Data: The report may present data in a way that supports its arguments against shared liability, potentially overlooking contradictory evidence.
- Assumption of Ineffectiveness: The study assumes that shared liability would be ineffective without presenting strong evidence to support this claim.
Contrary to the report's stance, there are valid arguments for sharing liability across the board:
- Comprehensive Approach: Shared liability could create a more holistic approach to fraud prevention, involving all relevant parties in the digital ecosystem.
- Increased Incentives: Extending liability could provide stronger incentives for all parties to invest in fraud prevention measures.
- Consumer Protection: A shared liability regime could offer better protection for consumers who fall victim to increasingly sophisticated fraud schemes.
- Technological Innovation: The pressure of liability could drive innovation in fraud detection and prevention technologies across all sectors involved.
- Fairness: Given that fraud often involves multiple services, it may be more equitable to share responsibility among all parties involved in the transaction chain.
However, the report raises valid concerns regarding the proposed shared liability regime:
- Implementation Complexity: Coordinating responsibilities across multiple sectors (Payment Service Providers, Electronic Communication Service Providers, and online platforms) may create gaps in fraud prevention.
- Innovation Impact: The liability regime could stifle innovation, particularly for smaller companies and startups, potentially reducing market competition.
- Moral Hazard: Increased consumer protection might lead to reduced vigilance, potentially increasing overall fraud incidents.
- Cross-Border Challenges: Differing national interpretations within the European Union could create inconsistencies and loopholes for fraudsters.
- Technological Limitations:
◦ Real-time fraud prevention capabilities of Electronic Communication Service Providers and online platforms may be overestimated.
◦ The rapid evolution of fraudster tactics may outpace prevention technology development.
- Privacy and Data Protection: Increased monitoring and information sharing could conflict with existing privacy regulations like the General Data Protection Regulation (GDPR).
- Liability Proportionality: The regime may not adequately account for varying degrees of influence and control different parties have over the fraud process.
- Impact on Smaller Providers: Implementing sophisticated fraud prevention measures may disproportionately challenge smaller Electronic Communication Service Providers and online platforms.
- Cross-Border Enforcement: Concerns exist about enforcing the liability regime across different jurisdictions, especially with non-European Union based platforms or services.
- Definitional Challenges: Precisely defining "impersonation fraud" in a rapidly evolving digital landscape may lead to inconsistent application of the liability regime.
- Potential Overreach: Extending liability to Electronic Communication Service Providers and online platforms for hosted or transmitted content raises concerns about balancing with principles like freedom of expression and privacy.
- Cost Pass-Through: Increased liability and fraud prevention costs might ultimately be passed on to consumers through higher fees or reduced services.
These concerns underscore the complexity of the issue and the need for careful consideration and further research before implementing such a wide-reaching liability regime.
Drawing on precedent
One particular point of note in the CCIA report is the stated “lack of precedent.” This is clearly a misconception as there have been recent developments in the UK, Australia, and Singapore that extend some liability or responsibility to technology companies and other entities beyond traditional financial institutions. Here are some key points:
UNITED KINGDOM
The UK government has recently introduced legislation that places new responsibilities on tech companies regarding online fraud:
• The Online Safety Act 2023 received Royal Assent on October 26, 2023.
• It requires social media platforms, search engines and other tech companies to take proactive measures to prevent fraudulent user-generated content and fraudulent advertisements on their services.
• Companies that fail to comply could face fines of up to £18 million or 10% of their annual global turnover, whichever is higher.
In November 2023, the UK government introduced a voluntary Online Fraud Charter for tech companies:
• Major tech firms including Amazon, eBay, Facebook, Google, Instagram, LinkedIn, Match Group, Microsoft, TikTok, and YouTube have signed up.
• Signatories commit to verifying new advertisers, promptly removing fraudulent content, and sharing intelligence on emerging fraud threats.
• While voluntary, this charter demonstrates increased expectations for tech companies to play an active role in fraud prevention.
Telecommunications Fraud Sector Charter
The Telecommunications Fraud Sector Charter is a voluntary agreement signed between eight of the top UK telecommunications providers and the government in October 2021 that outlines a nine-point action plan the industry will take to combat fraud and scams. The charter includes actions such as blocking scam calls, preventing smishing attempts, and improving support and education efforts for victims. In October 2024, the Telecommunication 2.0 Charter proposal was introduced to build upon the initial charter's successes in key areas including data sharing, scam calls, scam texts and victim support.
AUSTRALIA
The Australian government has proposed more comprehensive legislation to combat scams:
• In October 2023, the government released a draft Scams Code Framework for consultation.
• This framework would impose mandatory obligations on banks, telecommunications providers, and digital platforms to prevent, detect, disrupt, and respond to scams.
• Notably, it includes digital platforms as "designated entities" alongside banks and telcos, recognising their role in the scam ecosystem.
The key provisions of this draft framework are:
• Prevention: Designated entities must take reasonable steps to prevent scams, such as implementing robust identity verification processes.
• Detection: Entities are required to have systems in place to detect potential scam activity.
• Disruption: Once a scam is identified, entities must take swift action to disrupt it and prevent further harm.
• Reporting: Mandatory reporting of scam activity to sector regulators.
• Penalties: Significant fines for non-compliance, up to AU$50 million or 30% of turnover during the breach period.
SINGAPORE
Shared Responsibility Framework
Singapore will be the first country to set a precedent in extending fraud liability beyond financial institutions. The Shared Responsibility Framework (SRF) for phishing scams is expected to go into effect on 16 December 2024. The SRF adopts a structured liability framework using a “waterfall” approach to determine responsibility for losses.
• Financial institutions are primarily responsible if they fail to meet their obligations.
• Telcos bear secondary responsibility if their breaches contribute to the fraud.
• Consumers may suffer the loss if both financial institutions and telcos can demonstrate they met their duties.
A recent joint announcement by the Monetary Authority of Singapore (MAS) and Infocomm Media Development Authority of Singapore (IMDA) stated, “The SRF will operate as part of the broader suite of upstream and downstream measures that Government, FIs, Telcos, and other ecosystem players have progressively implemented to tackle scams in Singapore.”
These developments in the UK, Australia, and Singapore represent a significant shift towards shared responsibility for combating financial crimes across the digital ecosystem. While banks and PSPs remain at the forefront of fraud prevention and victim compensation, tech companies and other digital service providers are increasingly being held accountable for their role in enabling or facilitating scams.
The trend appears to be moving towards a more collaborative approach, with regulators recognising that effective fraud prevention requires cooperation between financial institutions, telecommunications providers, and tech platforms. This holistic strategy aims to address vulnerabilities across the entire digital landscape rather than placing the burden solely on banks. It's important to note that these regulatory frameworks are still evolving, with some measures already in force and others in the proposal or consultation stage. Organisations operating in these markets should closely monitor developments and prepare to adapt their compliance and risk management strategies accordingly.
Conclusion
In conclusion, and in my opinion, the CCIA report appears to present a one-sided view of the shared liability proposal, focusing primarily on potential drawbacks without adequately exploring possible benefits. While it raises valid concerns about implementation challenges and potential unintended consequences, the report seems to underestimate the capabilities of technology companies in fraud prevention and overlooks the consumer protection aspect. The issue of APP fraud liability is complex and requires a more balanced and collaborative perspective to fully represent the interests of all parties in the digital ecosystem.