A brief summary of EBA guidelines on fraud reporting under the PSD2

Article 96 (6) of the revised Payment Services Directive EU 2015/2366 (PSD2) requires Member States of the European Union to ensure that payment service providers (PSPs) provide, at least on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities. Those competent authorities are also required to provide the European Banking Authority (EBA) and the European Central Bank (ECB) with such data in an aggregated form. Based on this, the EBA had previously drafted Guidelines on Fraud Reporting under the PSD2 and had consulted on it earlier in 2017. On 18 July 2018, EBA issued a report with the final Guidelines on Fraud Reporting under the PSD2 (the Fraud Guidelines).

When will the Fraud Guidelines come into force?

Data collection was set to begin on 1 January 2019, except for required data breakdowns on the usage of exemptions from the secure customer authentication (SCA) requirement, for which data collection will begin once the Regulatory Technical Standards on SCA and CSC (the RTS) come into force on 14 September 2019.

Who do the Fraud Guidelines apply to?

The EBA actually developed two sets of guidelines: the first set is addressed to the PSPs and the second set applies to the Member States’ competent authorities (CAs) tasked with providing the fraud reporting data to the EBA and the ECB. Article 96 (6) stipulates that PSPs must provide statistical data on fraud relating to different means of payment, without explicitly excluding any particular type of PSPs. However, the EBA has clarified that Account Information Service Providers (AISPs) are out of the scope of the fraud reporting requirements. AISPs are PSPs that simply offer consolidated information on a user’s different payment accounts, and as such cannot report any fraudulent payment transactions data, thus the EBA concluded that including them would require changing the scope of the Fraud Guidelines.

What must be reported?

In the original draft Guidelines, the EBA proposed to require reporting under three broad categories: “unauthorised transactions”, “manipulation of the payer”, and “payer acting fraudulently”. In the final Fraud Guidelines, the EBA narrowed it down to two, and eliminated the “payer acting fraudulently” category, following a number of complaints from respondents to the draft Guidelines. The reasoning of the respondents, subsequently adopted by the EBA, is that fraudulent payers are completely outside the control of the PSPs, and data on such fraud is of limited value to supervisors, because PSPs cannot identify when the payer itself is acting fraudulently through their transaction risk monitoring systems. On the other hand, respondents also wanted the EBA to eliminate the “manipulation of the payer” category, but the EBA decided against this. EBA reasoned that the category is important because PSPs have the responsibility to adopt measures to detect where payers are potentially being scammed.

How must the data be reported?

The aforementioned categories are further divided into data breakdowns, depending on the type of payment service (e.g., direct debit, money remittance or credit transfer), payment instrument (e.g., e-money or card), and relevant reporting PSP (whether card-payment transactions are reported by the issuer or acquirer). Furthermore, although the draft Guidelines posited the possibility that PSPs would have to provide a breakdown on a country by country basis, a number of respondents considered this requirement too onerous, and the EBA concluded that there was no strong need for country-by-country data. Consequently, the final Fraud Guidelines only require PSPs to report transaction data according to whether they are domestic, cross-border transactions within the EEA, or cross-border transactions outside the EEA.

How often must data be reported?

Article 96 (6) requires PSPs to provide the statistical data on fraud at least annually. In the draft Guidelines, the EBA first proposed reporting the data sets on a quarterly basis. However, the EBA’s proposal was subject to criticism by many respondents due to the administrative burden of quarterly reporting. Taking that into consideration, the EBA concluded in the final Fraud Guidelines that the data should be provided on a semi-annual basis instead. Additionally, the EBA established an exception to the rule for small payment institutions and e-money institutions, who would only have to provide the data on an annual basis with a semi-annual breakdown.

The overlap with the fraud monitoring requirement under the RTS on SCA and CSC

In order to make use of the exemptions from conducting secure customer authentication in the RTS, Article 21 of the RTS requires PSPs to conduct quarterly fraud monitoring, which must be made available to competent authorities and the EBA at their request. Many PSPs questioned what the overlap was between this requirement in the RTS and the fraud reporting requirement under Article 96 (6). Subsequently, in its June 2018 Opinion on the Implementation of the RTS, the EBA stated that the fraud rate calculated under Article 21 would have to include the same categories of fraud as the Fraud Guidelines (“unauthorised transactions” and “manipulation of the payer”). Of course, this does not mean there is total overlap between the two.

While companies must conduct quarterly monitoring under Article 21, their reporting duty under the Fraud Guidelines is semi-annual. Furthermore, while Article 21’s data breakdowns are concentrated on whether the transactions were SCA-exempted or not, and what exemption was used, the final Fraud Guidelines require much more, as we have detailed above. However, undoubtedly, PSPs will see some overlap in the data categories collected and will be able to leverage this for their compliance needs.

This editorial was first published in the Web Fraud Prevention, Identity Verification & Authentication Guide 2018-2019. The Guide covers some of the security challenges encountered in the ecommerce and banking, and financial services ecosystems. Moreover, it provides payment and fraud and risk management professionals with a series of insightful perspectives on key aspects, such as fraud management, identity verification, online authentication, and regulation.

Disclaimer: This article does not necessarily deal with every important aspect nor cover every detail of the topic it discusses. It is not designed to provide legal or other advice.

About Irena Dajkovic

Dr Irena Dajkovic, a Partner of DALIR Law Firm, is a lawyer with a combination of about twenty years of private practice and in-house experience in commercial, corporate and regulatory laws. Over the years, her clients ranged from financial institutions, private equity firms, retail companies to private individuals. She focuses on clients’ goals and has often been praised by them for her excellent technical skills, strategic advice and high ethical standards. She has helped numerous clients to expand globally and optimise their intra-group operation.

About DALIR

DALIR is a boutique law firm whose lawyers have a combination of more than 20 years of experience in commercial, regulatory or corporate laws gained in UK ‘magic circle’ law firms and/or leading UK banks and fintech companies. The firm has a special interest in the fintech industry, and particularly payments, developed over many years of client advisory, research and active participation in the legal developments in this area.