In my previous blog in the series, I examined the fraud liability policies put forth in the latest PSD3 proposal and some of the missed opportunities. In this second blog, I will take a closer look at what the European Commission (EC) is proposing for the exchange of fraud-related data between banks.
While it is great to see that the PSD3 announcement already recognizes the importance of enabling banks to share fraud-related data, further substantiated in the considerations in the Payment Services Regulation (PSR), the actual article is surprisingly disappointing, to say the least. What could and should be a huge and effective step forward in the fight against fraud in the end entails very little.
The PSR considerations start out promising. For example, PSR (103): Sharing of all relevant information between payment service providers should be possible, which should be done on a multilateral basis, for instance using a dedicated IT platform. The information should be as comprehensive and up to date as possible, namely by collectively using information concerning unique identifiers, manipulation techniques and other circumstances associated with fraudulent credit transfers.
This is all a fraud fighter could wish for.
It even gets better in PSR (105): It is allowed to exchange personal data, including unique identifiers of payees potentially involved in fraud.
Of course, this information must be treated with care, further investigated and is only to be used for fraud detection purposes. There is no fraud fighter I know that would act differently.
Surprise One: Only data based on the IBAN can be exchanged.
The text and intention of the above seem crystal clear, but the first surprise ruins this. In PSR (104), it is stated that ‘unique identifier’ should be understood as referring to ‘IBAN’. The above mentions identifiers in the plural and talks about personal data including unique identifiers of payees. This makes clear there are multiple identifiers worth exchanging, yet suddenly this is reduced to just one – the IBAN and only the IBAN!
Obviously, the EC is thinking about mule detection, which is an excellent and effective strategy. Yet, limiting it to the IBAN excludes a whole universe of payment methods that do not use IBANs, such as PayPal, Apple Cash, direct payments to wallets, and credit cards. It also excludes a huge part of the world, as a lot of countries do not have an IBAN, including the US, Australia, Canada, India, and China. It is not as if these countries are profoundly fraud-free.
Multiple identifiers are important to fight fraud. Besides the account identifier, you have the IP address and the device ID. These are important to add to the picture to unmistakably unveil a fraud attempt. They are also essential to identify the preparatory actions for an attack, allowing fraud to be prevented rather than detected. This saves banks and customers millions in damages and operational costs, but at this stage there often is no IBAN for a mule account yet. Every fraud fighter knows there are more attempts than successful fraud cases, so to effectively fight fraud, the exchange of data based on multiple and potentially fraudulent identifiers is essential. Just as PSR (103) and (105) state.
Surprise Two: In the end, there will not be any useful exchange of information.
Where the considerations in PSR (103) and (105) are sound, yet diminished by (104), the final article is surprisingly different. PSR Article 83(3) tells us that the unique identifier may be exchanged, yet only if at least two customers have confirmed that a fraudulent transfer was made to it. Here only the mule account’s IBAN is mentioned as something to be exchanged; all other identifiers and personal data stated in the considerations have vanished. Can we just include them in the exchange because they are mentioned in the considerations? I don’t think so.
Waiting for two confirmed fraud cases to the same mule is completely reactive and way too slow. This is effective neither for the newer types of fraud nor for a lot of the older ones. The payee’s bank will effectively never be allowed to warn other banks, regardless of the number of obviously fraudulent transactions, as mules will simply deny any fraudulent activity. Of course, the bank can and will block the account, but then it will have to watch patiently as additional fraudulent payments come in, without being allowed to inform other banks.
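To make the gap between the two-confirmation rule of Article 83(3) and the multi-identifier exchange envisaged in PSR (103) and (105) concrete, here is an added Python example. It is not code from the original post, nor from any bank, regulator or vendor. It assumes that the payer’s bank records, alongside the payee IBAN, the device ID and source IP of the session that initiated each transfer; the report fields, the IBAN-like strings, device IDs and IP addresses are all constructed for the example. One function applies the page’s reading of Article 83(3) (an IBAN becomes shareable only once two distinct customers have confirmed fraud to it); the other pivots from already-confirmed mules through shared device IDs and IP addresses, which is the kind of signal the post argues should also be exchangeable.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FraudReport:
    """One payer-side report about a transfer (field names constructed for this example)."""
    reporting_customer: str   # payer who raised the report
    payee_iban: str           # the one identifier Article 83(3) allows to be exchanged
    device_id: str            # device seen on the session that initiated the transfer (assumption)
    ip_address: str           # source IP of that session (assumption)
    confirmed_fraud: bool     # True once the customer has confirmed the transfer was fraudulent


# Constructed sample reports: IBANs are placeholders, IPs are RFC 5737 documentation addresses.
REPORTS = [
    FraudReport("customer-A", "NL00MULE0000000001", "dev-7f3a", "198.51.100.10", True),
    FraudReport("customer-B", "NL00MULE0000000001", "dev-7f3a", "203.0.113.5", True),
    FraudReport("customer-C", "NL00MULE0000000002", "dev-7f3a", "203.0.113.77", False),
    FraudReport("customer-D", "NL00MULE0000000003", "dev-91c0", "198.51.100.10", False),
    FraudReport("customer-E", "NL00GOOD0000000009", "dev-5555", "192.0.2.44", False),
]


def shareable_under_article_83_3(reports, min_confirmations=2):
    """IBANs that may be exchanged under the page's reading of PSR Article 83(3):
    at least `min_confirmations` distinct customers confirmed fraud to the same IBAN."""
    confirmed_by = defaultdict(set)
    for r in reports:
        if r.confirmed_fraud:
            confirmed_by[r.payee_iban].add(r.reporting_customer)
    return {iban for iban, customers in confirmed_by.items()
            if len(customers) >= min_confirmations}


def linked_by_shared_identifiers(reports, seed_ibans):
    """Pivot from known mule IBANs to other payee IBANs reached through a shared
    device ID or IP address. Returns {iban: reason} so an analyst can see the link."""
    by_device = defaultdict(set)
    by_ip = defaultdict(set)
    for r in reports:
        by_device[r.device_id].add(r.payee_iban)
        by_ip[r.ip_address].add(r.payee_iban)

    flagged = {iban: "confirmed by customers" for iban in seed_ibans}
    frontier = list(seed_ibans)
    while frontier:  # breadth-first walk over the identifier graph
        iban = frontier.pop()
        for r in reports:
            if r.payee_iban != iban:
                continue
            links = [(o, f"shares device {r.device_id} with {iban}") for o in by_device[r.device_id]]
            links += [(o, f"shares IP {r.ip_address} with {iban}") for o in by_ip[r.ip_address]]
            for other, reason in links:
                if other not in flagged:
                    flagged[other] = reason
                    frontier.append(other)
    return flagged


if __name__ == "__main__":
    confirmed = shareable_under_article_83_3(REPORTS)
    print("Shareable under the two-confirmation rule:", sorted(confirmed))
    for iban, reason in sorted(linked_by_shared_identifiers(REPORTS, confirmed).items()):
        print(f"{iban}: {reason}")
```

On the constructed reports only NL00MULE0000000001 clears the two-confirmation bar, while the device and IP pivot also surfaces NL00MULE0000000002 and NL00MULE0000000003 with zero confirmations each, and leaves the unrelated account alone. The point of the example is the ordering: the pivot flags the additional accounts while the payments to them are still only suspected, which is exactly the window the post says the final article closes.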
How can you exchange information on potential fraud if you first must wait for two confirmed fraudulent transactions to be made?
The content of the article is incomprehensible after the sound considerations. How can a legal proposal of the EC that should have been drawn up with great care and thorough scrutiny be so unbalanced and inconsistent?
PSD3 Fraud Information Exchange Lags Behind the Industry
Overall, the EC’s proposed fraud information exchange is running about ten years behind the industry. Over a decade ago, the industry learned through damage and shame that payment fraud detection has to be real-time. In the last few years, the realisation has grown that even real-time detection is still reactive. Fraud prevention is the best way, and newer technologies allow for that. To prevent is better than to cure.
There are better ways to identify mules than the limited and slow after-the-fact PSD3 proposal allows. For example, behavioural biometric intelligence can detect mule accounts with high precision before a payment or transaction and is finding them about 90% of the time before existing fraud and AML controls.
To improve fraud detection and create a real fraud detection ecosystem, real-time exchange of information helps, but information on potential fraud is essential (as described in PSR considerations (103) and (105)). This would improve best-of-breed holistic fraud detection: take all data around the transaction into consideration, on both the payer’s and the payee’s side, and compare the current behaviour with the historical normal behaviour. Once again, this is something the industry has known for more than a decade, and it benefits from the exchange of more information than just the mule.
It should not surprise anyone if banks massively forego this PSD3 opportunity and continue to proactively identify mules by looking at their behaviour. In several countries, there are already more extensive exchanges.
The EC’s considerations regarding the exchange of information are sound, allowing for the exchange of all relevant data around fraud and even potential fraud. But this becomes perplexing when combined with a restriction that the exchange be based only on the IBAN. It looks like the EC missed all developments in the payment world and thinks it is only possible to transfer money to an IBAN.
The final article could hardly diverge more from the considerations, forgetting all about potential fraud and requiring two confirmed fraudulent transactions before any exchange is allowed. It looks as if both were written by different people with completely different ideas. The PSD3 proposal gives the impression that no expert from the business side was consulted: not from a bank, nor from a consultancy firm, nor an independent one. It is completely reactive, where real-time would be the minimum and prevention expected. What could and should have been a huge step forward in customer protection entails disappointingly little.
The EC does not seem to understand the importance of involving and incentivising the payee’s bank in fraud reduction, like the UK Payment Systems Regulator (UK PSR) does. This was covered in my previous blog on the surprises in fraud prevention and liability.
Will the proposed exchange of information be effective? It could be slightly effective. But for most banks, the implementation will not be worth the effort, especially as proven solutions exist that are way more effective. Even in countries where the exchange of information is currently not allowed due to secrecy acts, the added value is very limited.
My summary: Inconsistent and too little, too late.