Preliminary Observations on Selected Payment Fraud Data Under PSD2
On January 17, 2022, the European Banking Authority (EBA) published a Discussion Paper on its preliminary observations on selected payment fraud data under the PSD2.
The EBA has analyzed payment fraud data reported by the industry and aggregated by national authorities covering the years 2019 and 2020. The paper consequently presents the main findings related to three payment instruments: credit transfers, card-based payments and cash withdrawals, and also outlines patterns that appear to be inconclusive and that would benefit from comments and views from market stakeholders. As such, the EBA invites stakeholders to respond to the questions asked in the paper to support the EBA, the European Central Bank (ECB) and national authorities in interpreting the fraud data that will be reported in future years. The deadline for submitting comments is April 19, 2022.
The paper suggests the following trends:
- The regulatory requirements developed in relation to payment security are having the desired effect;
- The share of fraudulent payments in the total payment volume and value is significantly lower for transactions that are authenticated with strong customer authentication (SCA) than those that are not;
- Fraud is substantially higher for cross-border transactions with counterparts located outside of the European Economic Area (EEA) than those conducted inside this area;
- Card payments are the most frequently used payment instrument and these transactions, compared with other payment instruments, experience higher fraud rates but lower average fraud amounts.
The paper mentions that cross-border payments with stakeholders located outside of the European Economic Area (EEA) are more frequently subject to fraud compared to the payments executed inside the EEA, regardless of the payment instrument considered. When reading the paper in consideration of a PSD2 review, this hints at the fact that further attention should be given in the review of the PSD2 to the security of so-called “one-leg-out” transactions.
In terms of share of fraud per payment instrument, the paper highlights that the share of fraud in the total volume of card payments outside the EEA is three times higher than the fraud share inside the EEA. With regard to non-remote card payments, the paper shows that there is a correlation between a lower fraud rate and the authentication with SCA. Such correlation between a lower fraud rate and the authentication with SCA is stronger when it comes to cross-border transactions with counterparts located outside the EEA.
For remote credit transfers, the fraud rate is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA, perhaps because payments for which an exemption was applied – such as the low-value payment exemption in Article 16 of the EBA Regulatory Technical Standards (RTS) on SCA – are lower-risk transactions. Conversely, SCA payments are also said to be exposed to a higher risk of fraud, as those payments inherently represent a higher risk than the SCA-exempted lower-risk transactions. In addition, the fraudulent credit transfers where SCA was applied might be due to spoofing, authorized push payments and transactions initiated by the account holders after social engineering from the fraudsters, such as phishing. In such cases, the paper highlights that the implementation of SCA is not sufficient to prevent fraud, hinting at the fact that further measures, or a review of how the SCA is currently performed under PSD2, may be necessary.
Finally, regarding losses due to fraud borne by the payment service users (PSUs), the paper highlights that PSUs bear 68 percent of fraud losses from fraudulent credit transfers in the second half of 2020. It concludes that such a pattern is at odds with Article 73 of the PSD2, which details that the liability for unauthorized transactions should lie primarily with the payment service providers (PSPs), unless the user has acted fraudulently. Moreover, the share of the losses borne by the PSUs differs across EEA countries. The paper concludes that such differences may be explained by the fact that the PSD2 has been transposed differently across EU Member States. Does this mean that the review of the PSD2 Directive could result in a Regulation, which would result in the European legislative initiative becoming directly applicable at national level, without any transposition? We could indeed foresee that a Payment Services Directive 3 (PSD3) may instead take the form of a Payment Services Regulation (PSR1).