(Technical note: In June 2023, the European Commission (EC) introduced two new proposals: a Payment Services Directive (PSD) and a Payment Services Regulation (PSR). The Payment Services Directive will be called PSD3, fully replacing PSD2. PSD3 will also introduce rules for data sharing for open banking. For simplicity, the EC discusses the proposed PSD and PSR together as “PSD3.” This blog focuses on PSD3 for the proposed online security changes and customer reimbursement for bank impersonation scams.)
On June 28, 2023, the European Union published the new proposals for a Payment Services Directive 3 (PSD3). This will totally replace PSD2, which was issued in 2016. According to Mairead McGuinness, Commissioner for Financial Services, Financial Stability and Capital Markets Union at the European Commission, “Today the European Commission has unveiled proposals supporting payments and data-driven innovation with the consumer at the heart.”
Recent Commission research showed that European consumers, even after the deployment of PSD2, are still at risk of fraud and lack confidence in payments. As a result, there are a few proposals in PSD3 directly related to the risks of fraud. There are actually many proposals in PSD3, but this blog will focus exclusively on the measures that combat payment fraud. Here are the key proposals related to fraud:
- Requiring limited reimbursement for authorized payment scam transactions
- Adding Confirmation of Payee (IBAN/name match)
- Enabling payment service providers (PSPs) to share fraud-related information with each other
- Increasing the strength of transaction monitoring
- Improving Strong Customer Authentication (SCA)
- Requiring PSPs to carry out education actions to increase awareness of payments fraud among their customers and staff
Key Point #1: Customer Reimbursement for Authorized Payment Scams
In the PSD3 proposal, the European Commission spent time assessing authorized payment scams. Based on data across the EU and the UK, scams continue to increase in both volume and fraud value. Here are some of the findings found in the Impact Assessment Report:
According to the European Payments Council, social engineering attacks and phishing attempts are still increasing, often in combination with malware, with a shift from consumers, retailers, SMEs to company executives, employees (through “CEO fraud” or “impersonation fraud”), payment service providers (PSPs) and payment infrastructures and more frequently leading to APP fraud. These techniques have greatly evolved over the last years as the targets are users rather than technology. In Ireland, for example, APP fraud rose by 15.9% in volume terms year on year in 2021, with an average APP fraud transaction amounting to €4,237 in 2021. According to Banque de France, APP fraud in France corresponds to 59% of total fraud in value terms. In the UK in 2021, scams involving the impersonation of police or bank staff were the second highest category in terms of value, with £137.3mn lost to these forms of fraud. This represented an increase of more than 50 per cent on 2020 levels. In the Netherlands in 2022, reported cases of impersonation fraud amounted to €51mn.
In the PSD3 Impact Assessment Report, the Commission identified two options for reimbursement for authorized payment scams:
- Full reversal of liability between users and PSPs for fraudulent authorized transactions
- Conditional reversal of liability between users and PSPs for fraudulent authorized transactions
Currently, under PSD2 (articles 73/74), there is a refund right for reimbursement only for unauthorized payment transactions. Option 1 above would have been a major change including reimbursement for all authorized payment scam transactions, akin to the recently approved regulation for APP reimbursements in the UK. The Commission instead chose option 2. Option 2 is a very limited refund option, covering bank impersonation scams only. The specific proposal is detailed below:
“For consumers falling victim of a “spoofing” fraud where the fraudster contacts the consumer pretending to be an employee of the consumer's bank, tricking the consumer into carrying out some actions causing financial damages to the consumer. Victims of “spoofing” fraud can be entitled to claim damages from their PSP for the full amount of the fraudulent transaction, subject to conditions including filing a police report and notification to their PSP without undue delay. Refund would not be allowed in cases of “gross negligence” by the victim, including falling victim more than once to the same kind of fraud, and the “spoofing” would have to be convincing, for example replicating the bank's exact email address or phone number.”
The proposed regulation states in the case above that the payer “should therefore be entitled to refund of the full amount of the fraudulent payment transaction from the payment services provider, unless the payer has acted fraudulently or with ‘gross negligence’.” What is unclear is which payment services provider is being addressed—is it the sending or receiving PSP or possibly both? But the use case above does explicitly refer to the spoofing of the customer’s PSP employee. In the UK, the Payment Systems Regulator (PSR) is proposing a 50-50 split in liability between the sending and the receiving PSP. This should get cleared up in a subsequent revision to the PSD3 language.
It is clear the Commission focused on this scam use case because of risk to the PSP’s reputation. Other consumer financial scams are excluded from reimbursement, such as romance scams, investment scams and purchase scams. The reasoning is that “it would be financially very costly to payment services providers” and “it might cause moral hazard and a reduction in the customer’s vigilance.”
In addition, a consumer can claim reimbursement “for consumers who suffered damages caused by the failure of the IBAN/name verification service to detect a mismatch between the name and IBAN of the payee.” This is covered in more detail in the next section.
So, what the Commission is proposing is more like what occurs for scam reimbursement in the Netherlands today. Given the experience in the Netherlands, according to the Commission document, “In 2022 the Netherlands reported that cases of impersonation fraud amounted to €51mn of which 89% was reimbursed to consumers on a voluntary basis via a leniency scheme that four major Dutch banks have signed up to.”
Option 2 may actually be reasonable in the near term for the EU, especially since English (which is the primary scam attack language) is not the first language for most European consumers.
There is one more item of interest. PSD3 says electronic communication services providers (ECSPs) should help in the fight against ‘spoofing’ fraud and that “electronic communication services providers should co-operate with PSPs with a view to preventing further occurrences of that type of fraud…to ensure…technical measures are in place.” PSPs can make a claim against ECSPs for financial damage caused to the PSP by this type of ‘spoofing’ fraud “in accordance with national law.”
Key Point #2: Use of Confirmation of Payee
The second proposal to fight fraud and scams is to expand the use of Confirmation of Payee for regular and instant payments (instant payments themselves are the subject of a separate proposal currently being discussed and finalized). This will be an IBAN (International Bank Account Number)/name matching verification service. The PSP will be required to show the customer any non-match result before the customer proceeds to complete the transaction. Below are the key points:
- This verification service is free
- The payer can choose to use this verification service or not
- Notification to the payer must occur within a few seconds
- The PSP must show the degree of discrepancy, by showing match, no match or close match
- The PSP should inform the payer about the risks of proceeding, if there is a discrepancy.
- If the verification was requested by the payer, and it was not properly performed, and there is a fraud/scam loss, then the PSP (sending or receiving) responsible for the failure must reimburse the payer for their loss.
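The following is an added illustration of the verification service described above (it is not code from the Commission proposal or from any PSP). It validates the IBAN structurally with the standard mod-97 check, then compares the payer-entered name against a constructed sample directory and returns the degree of discrepancy the payer must be shown: match, close match or no match. The directory contents, the title-stripping list and the 0.8 close-match threshold are assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed sample directory for this example: IBAN -> registered account holder.
# These are the publicly documented example IBANs, not real accounts.
ACCOUNT_DIRECTORY = {
    "GB82WEST12345698765432": "Alice Example Ltd",
    "DE89370400440532013000": "Bob Beispiel",
}
CLOSE_MATCH_THRESHOLD = 0.8          # assumed tuning value, not a PSD3 figure
TITLES = {"mr", "mrs", "ms", "dr"}   # ignored so "Mr J Smith" still matches "J Smith"

def normalize_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map A..Z to
    10..35, and the resulting integer modulo 97 must equal 1."""
    s = normalize_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def normalize_name(name: str) -> str:
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in TITLES)

def confirm_payee(iban: str, claimed_name: str, directory=ACCOUNT_DIRECTORY) -> dict:
    """Return what the payer is shown before the payment is submitted:
    match, close_match or no_match (plus two error states)."""
    if not iban_is_valid(iban):
        return {"result": "invalid_iban", "score": 0.0}
    registered = directory.get(normalize_iban(iban))
    if registered is None:
        return {"result": "account_not_found", "score": 0.0}
    score = SequenceMatcher(None, normalize_name(claimed_name),
                            normalize_name(registered)).ratio()
    if score == 1.0:
        return {"result": "match", "score": score}
    if score >= CLOSE_MATCH_THRESHOLD:
        # Close match: reveal the registered name so the payer can decide, and warn.
        return {"result": "close_match", "score": round(score, 3),
                "registered_name": registered,
                "warning": "The name differs slightly from the account holder; check before paying."}
    # No match: do not disclose the holder's name (prevents name enumeration); warn strongly.
    return {"result": "no_match", "score": round(score, 3),
            "warning": "The name does not match the account holder; proceeding may result in loss."}
```

The result dictionary is what the payer-facing channel renders within the few-seconds window; the receiving PSP that holds the directory is the party liable if the lookup is performed incorrectly.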
Confirmation of Payee is also growing in the UK as part of the new PSR Policy Statement and has also been used more often in Europe in the past two years.
Key Point #3: Fraud Related Data Sharing
The Commission noted in the Impact Assessment Report that there are a number of reasons why data is not shared by PSPs.
- Data sharing is being limited by rules and regulations related to data protection, even more so in the case of cross border sharing.
- In France, as noted by the French Banking Federation in its reply to the targeted consultation, the rules on banking secrecy prevent banks from sharing information.
Since the Commission recognizes “An important aspect to mitigate the risks and reduce the fraud related to payments is the sharing of fraud intelligence and information on incidents amongst PSPs,” they have added a proposal that creates “a legal basis for PSPs to share fraud-related information between themselves in full respect of GDPR (via dedicated IT platforms).”
The sharing of data for fraud protection is essential. In fact, in the UK, Pay.UK just announced a new pilot initiative with high street banks and PSPs to share data with the goal of stopping the fraud before the transaction is executed.
Key Point #4: The Strengthening of Transaction Monitoring
Transaction monitoring would be expanded to open banking services transactions. Also, there should be richer data points and data sharing between PSPs to facilitate better transaction monitoring. Transaction monitoring should also be linked with the new liability requirements for authorized transactions because “PSPs have little incentives to invest in effective transaction monitoring mechanisms that could mitigate the social engineering risks, because in most cases the losses are passed on to the users”.
Here are some of the key points on transaction monitoring:
- Transaction monitoring should focus on the most vulnerable PSP users.
- The European Banking Authority (EBA) will develop the technical standards for the requirements related to transaction monitoring.
- Because fraud and scams are constantly changing, transaction monitoring should constantly improve, including the use of technologies such as artificial intelligence.
- PSPs should share information relevant to fraud/scams to improve transaction monitoring.
The UK, along with fraud control vendors, has deployed a number of transaction monitoring and behavioral biometric solutions to help identify authorized payment transaction scams, bogus online account opening activity, and money mule accounts (inbound behavioral and transaction analysis at receiving PSPs). All of these transaction monitoring solutions should be applicable to EU PSPs.
Key Point #5: Improving Strong Customer Authentication (SCA)
The Commission recognizes the importance of SCA and wants to add several new features noting it should not depend “on one single technology, device or mechanism, for instance on the possession of a smartphone.” These include:
- The specific amount and the payee must be linked to the transaction when the SCA is performed.
- SCA must be performed at the time of enrolling a digital wallet.
- SCA is only required at first access by an open banking vendor unless there is concern for fraud.
- Make SCA more usable for disabled customers, older customers, and those challenged with using SCA.
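To show what the first bullet (linking the specific amount and payee to the SCA) means in practice, here is an added example that is not part of the proposal or any PSP's implementation. It assumes an HMAC-based authenticator sharing a device key with the PSP, which is one of several possible mechanisms: the authentication code is computed over the canonicalised amount and payee IBAN plus a nonce, so a code obtained for one payment cannot be reused for a different amount, a different payee, or the same payment twice.

```python
import hmac
import hashlib
import secrets
from decimal import Decimal

# Constructed device-bound secret for this example. In a real deployment it lives in
# the authenticator (app or token) and the PSP's HSM, never in a script.
DEVICE_KEY = secrets.token_bytes(32)

def canonical_message(amount: str, payee_iban: str, nonce: str) -> bytes:
    """Canonicalise so that '250.0' and '250.00' or spaced IBANs produce the same bytes."""
    minor_units = int((Decimal(amount) * 100).to_integral_value())
    iban = payee_iban.replace(" ", "").upper()
    return f"{minor_units}|{iban}|{nonce}".encode()

def issue_authentication_code(amount: str, payee_iban: str, key: bytes = DEVICE_KEY):
    """Authenticator side: the code is bound to amount, payee and a fresh nonce."""
    nonce = secrets.token_hex(8)
    code = hmac.new(key, canonical_message(amount, payee_iban, nonce), hashlib.sha256).hexdigest()
    return nonce, code

class ScaVerifier:
    """PSP side: recompute the code over the transaction actually being submitted."""
    def __init__(self, key: bytes = DEVICE_KEY):
        self.key = key
        self.used_nonces = set()

    def verify(self, amount: str, payee_iban: str, nonce: str, code: str) -> str:
        if nonce in self.used_nonces:
            return "replay"          # same authentication presented twice
        expected = hmac.new(self.key, canonical_message(amount, payee_iban, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return "mismatch"        # amount or payee changed after the customer authenticated
        self.used_nonces.add(nonce)
        return "ok"
```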
Key Point #6: Education Awareness
The Commission has placed an obligation on PSPs to carry out education to increase awareness of payments fraud among their customers and staff.
Summary
The proposed fraud controls for PSD3 are a recognition of the changes in the fraud landscape since PSD2 was introduced in 2016. Obviously, the three biggest changes are 1) the increase in scam activity (authorized payment transaction scams); 2) more sophisticated fraud and scam attacks; and 3) the soon-to-be-introduced Euro Instant Payments (although some European countries have already introduced their own versions of faster payments). The UK has shown that with faster payments came faster fraud, especially authorized payment transaction scams.
Allowing fintechs to become payment systems providers is also an important change in PSD3. While it is not a fraud control, the Commission wants to increase access to payment systems. This will be allowed as long as there are sufficient safeguards in place.
One area left mostly untouched in the proposed regulations is the responsibility of receiving PSPs when there is a fraud or scam. Receiving PSPs do have the responsibility and associated liability for performing the IBAN/name verification service. It is unclear if they might also be obligated to share in ‘spoofed’ authorized payment reimbursements because of weak security around money mule controls. Several national regulators are recognizing that receiving banks can be part of the problem (weak account opening controls and weak money mule detection). Perhaps before PSD3 is finalized, we will see some focus on additional receiving PSP responsibilities and associated liability shifts.
Additional Resources
Here are some additional resources and recent articles related to the topic:
Recent Court Decision Gives Receiving Banks a Wake Up Call on Scam Reimbursement
Improve Fraud and Anti-Money Laundering Operations with a Proactive and Unified Approach (Forrester Report)