The European Commission (EC) announced its proposal for the 3rd Payment Services Directive (PSD3) in June 2023. Everyone in the industry has been anxiously awaiting the proposal, so it is worth taking a closer look. This blog series will explore the three biggest surprises in the announcement.
The first big surprise in the PSD3 proposal is to make banks liable for bank impersonation scams, and for bank impersonation scams only. Where PSD2 made the banks liable for unauthorised fraud, such as account takeover, this extension with an authorised fraud type is a step forward in customer protection. However, it doesn't come close to the UK, where the Payment Systems Regulator (UK PSR) announced that banks will be liable for all types of scams, including romance and investment scams.
Although surprising for a lot of people in the industry, it is perfectly understandable that the EC has decided not to follow this far‑reaching element of the UK PSR’s proposals. What is very surprising is that the proposal misses several important opportunities and is based on an inconsistent and flawed interpretation of figures, resulting in an incoherent proposal.
UK PSR Proposals
The UK PSR last year announced that banks would be responsible for reimbursing victims of any type of scam, referred to as authorised push payment (APP) fraud, and in nearly all cases. This is a radical approach based on the idea that banks can detect any malicious transaction if you give them an incentive to do so. From the customer’s perspective, this is great of course. Simply said: whatever you do that turns out to be fraud, you are covered.
The UK PSR also announced a split liability between the sending and the receiving bank. This solves a frustration with banks that invest heavily in anti-fraud measures where fraud levels drop, only to see the fraud rise again as the fraudsters start to move the money to other banks with lax fraud detection (often referred to as the “mule banks”). The problem the UK PSR identified is that the banks holding the mule accounts where the money is sent do not have any incentive to act as it is not the money of their customers that is at risk.
The EC Considered Two Options
In the Impact Assessment Report (IAR) published together with PSD3, there are two options the EC considered: Full and Conditional Liability. These two options are discussed in paragraphs 5.2.1 and 6.1.
Option 1: Full Liability for Banks
The first option considered was the same as the UK PSR proposal: the bank would be made fully liable for any type of scam. The EC notes that this option would be in line with the expectation of consumer representatives, but payers would not be incentivised to avoid taking unnecessary risks.
Fair point, but is it? If someone is lured into investing in a shadowy investment fund promising 20% annual growth: absolutely! But what about someone helping the love of his/her life? You can hardly call that risk-taking; it is normal to help your loved ones. Clearly, a line must be drawn somewhere, and there is a strong case to be made for not making the banks liable for all APP fraud.
So far so good, but now it gets really strange. The EC also states that this option would bring considerable uncertainty to payment systems, and it would be too costly for the banks. In other words, the UK PSR endangers the UK payment system, and takes the risk that the UK banks will go bankrupt. Brexit saves Europe!
The EC substantiates this with an estimated cost of €323M in 2020 for all APP fraud in the whole EU. This can by no means be too high, as UK Finance reported a loss for all APP scams of €680M over 2021 and €565 over 2022. And that is only in the UK. Then there is the argument of considerable uncertainty. According to the ECB, the total credit transfer value in 2020 was €155.8 trillion, so the EC’s estimated APP fraud is just 0.00021% of that. If that is a considerable threat to the whole EU payment ecosystem, then we do have an issue indeed.
There are good reasons for balancing the liability between banks and customers and the fight against fraudsters has to be a joint effort of banks and customers. But, the arguments of the EC are not convincing, and the text tries to cover this by overly strong wording. I smell a well-paid lobbyist here.
Option 2: Conditional Liability for Banks
The second option makes Confirmation of Payee (CoP) mandatory, and banks are to become liable for bank spoofing, also known as bank impersonation scams, and for bank spoofing only. CoP was already made mandatory for instant payments in euros, and that is now extended to all other EU credit transfers, so also non-euro and non-instant. In itself a sound proposal that seems well defensible, until you read the argument.
The EC clearly states that CoP is a prerequisite for the conditional liability shift, as it is expected to have a mitigating effect on APP fraud. Honestly, I do like CoP: it is proven effective against invoice fraud, mistakes, etc., and I fully support making CoP mandatory. There is just one but: CoP is absolutely not effective against APP fraud. Scammers will adjust their story so that it fits with the name of the credited account. I live in the Netherlands, and the CoP coverage here is above 98%. In the scam attempts I personally experienced in the last few years, the scammers gave the correct name for the account to credit. It fitted perfectly into their story.
The EC refers to the Dutch figures for substantiation. As mentioned, the Netherlands has a 98% CoP coverage, and the Dutch banks voluntarily reimburse bank spoofing. They forgot to state that bank spoofing scams account for 84% of all Dutch fraud losses and have increased dramatically after the introduction of CoP, proving that CoP is not effective against it.
The EC extrapolates the Dutch fraud figures to the whole of the EU as €1B and considers this a good compromise between consumer organisations and banks. With this the EC enthusiastically undermines its own estimate for option 1, just a few lines further on (paragraphs 6.1.d and 6.1.e of the IAR). For option 1 the €323M was considered a danger to the payment systems and too costly for the banks, and here €1B is considered a good compromise!? That €323M was an estimate for all APP fraud, whereas the €1B is an estimate for bank spoofing, which is just a part of all APP fraud. How inconsistent can you be? Did anyone proofread the impact assessment?
The argument for making the banks liable for bank spoofing is also a bit awkward: “The relationship of trust between customers and their bank and the bank’s name are abused by a fraudster.” Maybe it’s the age, but personally, I trust a law enforcement agent more than a bank employee. Law enforcement impersonation scams tend to have an emotionally higher impact on their victims than bank spoofing, yet they are not to be reimbursed. I do understand you have to draw a line somewhere, but this is a remarkable one. The EC holds a surprising view on the perceived reliability of law enforcement.
Missed Opportunities in PSD3
After reading through the PSD3 proposal, I see two missed opportunities as it pertains to fraud prevention and liability.
Missed Opportunity One: Liability for Mule Banks Combined with Fraud Reduction
The EC hardly changes the quite limited liability of the payee’s bank, which is already liable for fraud losses if it is responsible for SCA not being used or available. The same now will apply to CoP, a minimal step. The UK PSR takes a giant leap with the proposed 50/50 liability split between the payer’s and the payee’s bank. It is positive that the UK PSR addresses the frustration with the mule banks while strengthening the payments ecosystem by reducing the fraud as it is well known that getting rid of mules stops the fraud. It is equally strange that the EC is not even considering it. A missed opportunity.
Missed Opportunity Two: Ascertain Europe-wide Equality in Fraud Refunding
The current interpretation of PSD2 differs substantially by country. In the Nordics, most countries refund classic unauthorised fraud, such as account takeover where the OTP was obtained through social engineering, with a customer liability of €1000. Italy decided differently: there it is excusable that you click on a phishing link, but it is inexcusable if you then also provide the fraudster with the OTP; this makes you indirectly authorise the transaction, thus it will not be reimbursed by the banks. Both are confirmed by Supreme Court rulings. In the Netherlands, this type of fraud typically is refunded with a customer liability of just €50. (In the Netherlands, even bank spoofing scams are refunded voluntarily as a result of pressure from public opinion as well as banks taking their duty of care seriously.)
This difference is primarily caused by the interpretation of Gross Negligence. According to PSD2, unauthorised fraud must be refunded, unless the customer participated in the fraud or demonstrated gross negligence. What “Gross Negligence” means exactly is interpreted differently in the individual countries. For PSD3, the EC leaves the definition of Gross Negligence vague and again refers to national law. Again, a missed opportunity to equalise the banks’ liability / customer protection. The differences between the countries will remain, maybe even worsen, and there will again be a whole lot of lawsuits that no one wants.
Are Dutch Banks Leading the Way?
The EC announced a liability that is identical to the voluntary code of the five largest Dutch banks: reimbursement of bank impersonation scams. For PSD2, the EU also adopted the Dutch reimbursement policy as it was then. So, it is worth observing the Dutch banks to know what PSD4 will entail with respect to bank liability.
At first glance, the EC proposal for improved fraud prevention and a changed liability looks sound and logical. However, when examined in more detail, it contains several negative surprises and missed opportunities:
- A surprisingly conservative step in the liability of banks for fraud, which is even more surprisingly poorly substantiated.
- (Almost) no liability for the payee’s bank. A missed opportunity to strengthen the payment ecosystem.
- No attempt to rectify the existing country differences in bank liability. Another missed opportunity leading to frustrated consumers and loads of avoidable lawsuits.
- The EC seems to think that CoP will dramatically reduce APP fraud, yet the Dutch figures referenced to substantiate this show the opposite: it won’t.
I am very sorry that I have to say that the entire proposal suffers from a shaky substantiation with a faulty and inconsistent use of figures. This is not at all what I had expected.
I would not be surprised if the liability balance for scams is shifted slightly more towards the banks. Maybe already in the final version of PSD3, and otherwise in PSD4. Next to CoP and increased bank liability, the PSD3 proposals aim to strengthen fraud prevention by the exchange of fraud-related information between banks. Stay tuned for my next blog for the surprises about this.