Fraud Reporting Requirements under PSD2
January 19, 2018

A Contribution in The Paypers' Web Fraud Guide

by Markus Bergthaler, MRC Director of Programs

The European Banking Authority (EBA) has released two sets of draft guidelines on fraud reporting requirements under Article 96(6) of the revised Payment Services Directive (PSD2) that will take effect on 13 January 2018.

What are these guidelines?
These guidelines should assist in regulating the challenges facing the financial industry as cyberattacks and loss of data become more prevalent. The legal ramifications and economic effects have significant impacts on the reputation and infrastructure of banks and financial institutions.

Regulation is increasingly important in supporting PSPs' efforts to detect and classify operational and security incidents and to implement incident management procedures. For this reason, a closer look at notifiable incidents was necessary. The two sets of guidelines are distinctly different.

These guidelines list the criteria for assessing whether an operational or security incident is of sufficient magnitude to warrant external notification. These include the total value and number of transactions and payment service users affected, downtime, economic and reputational impact, and whether additional infrastructure or other payment services were affected. The EBA has decided not to treat the issues experienced by different types of PSP differently.

The first set includes the following:

  • Requirements that apply to all PSPs, except for account information service providers;
  • The definition of "fraudulent payment transactions" as it relates to data reporting;
  • The methodology for collating and reporting data, which includes reporting periods, data breakdown, reporting deadlines and frequency.
The PSPs are all expected to disseminate high-level data on a quarterly basis, with more comprehensive information annually.

The second set of guidelines outlines the requirements on data aggregation, reporting frequency and deadlines that apply to the competent authorities, the ECB and the EBA.

Why were these guidelines developed?
Data on payment fraud in the EU has been difficult to obtain, unreliable, and inconsistent across Member States. Under Article 96(6) of PSD2, payment service providers (PSPs) must provide "statistical data on fraud relating to different means of payment to their competent authorities." The overall goal is to obtain reliable, comparable payment fraud data for all EU countries.

Who do these guidelines affect?
These guidelines address PSPs and banks, and aim to regulate the reporting requirements for payment fraud. Small PSPs only face an annual reporting duty.

What should be reported?
There are three types of fraud cases that should be reported:

  • Unauthorized payment transactions, including those resulting from the loss, theft, or misappropriation of a payment instrument or other sensitive payment data, regardless of detectability or root cause;
  • Payment transactions made and authorized by a payer who acted dishonestly or by misrepresentation, regardless of intent;
  • Payment transactions made as a result of the payer being manipulated.
Certain rules accompany these cases. Only fraudulent payments that have been initiated and successfully executed need to be accounted for in the PSP disclosures; attempted fraud that failed does not require reporting. Additionally, both gross and net fraud amounts must be reported under both plans. Gross figures relate to the value of funds defrauded, and net fraud relates to cases where some of the losses have been recovered by the PSPs, including insurance fraud.

Are there any exemptions to these guidelines?
Account information service providers are exempt from reporting requirements to avoid any double counting of fraud cases. It is assumed that PSPs will record these instances.

How should the data be broken down?
The data should be reported separately for each payment service or instrument operated by the PSP. These include money remittance, e-money, payment initiation services, direct debits, payment card issuance, payment card acquiring and credit transfers.

The data must also be broken down by the following categories:

  • The method of authentication used;
  • The reason why the authentication method was chosen;
  • The type of fraud.
Data must include the volume and value of fraud-related transactions recorded per country within the European Economic Area (EEA), and in aggregate form for non-EEA transactions where at least one part of the transaction is performed in the EEA.

An additional component of the guidelines is a set of templates for the reports that PSPs must submit for reportable incidents. When an incident originates within a company, it may use consolidated reporting together with other businesses whose payments were affected through a common service provider. With these guidelines, the EBA has clarified that "near misses" do not have to be reported.

These guidelines should help achieve an accurate snapshot of payment fraud occurring in the EU, including the size, components and development over time. They should also help increase the security of retail payments in the EU going forward.
