Fraud reporting requirements under PSD2

Friday 26 January 2018 11:11 CET | Editor: Melisande Mual | Voice of the industry

Markus Bergthaler from Merchant Risk Council shares valuable insights into fraud reporting requirements under the revised Payment Services Directive (PSD2)

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

Fraud Reporting Requirements under PSD2

The European Banking Authority (EBA) has released two sets of draft guidelines on fraud reporting requirements under Article 96(6) of the revised Payment Services Directive (PSD2) that will take effect on the 13th of January 2018.

What are these guidelines?

These guidelines should assist in regulating the challenges facing the financial industry as cyberattacks and loss of data become more prevalent. The legal ramifications and economic effects have significant impacts on the reputation and infrastructure of banks and financial institutions.

Regulations become increasingly important in supporting the PSPs’ efforts for detecting and classifying operational and security incidents, while implementing management procedures. Because of this, a closer look into notifiable incidents was necessary. Both sets of guidelines are distinctly different.

These guidelines list the criteria needed to assess if an operational or security incident is of sufficient magnitude to warrant external notification. These include the total value and number of transactions and payment users affected, downtimes, economic and reputation impacts, and whether additional infrastructures or other payment services were affected. The EBA has decided not to treat distinctly the issues experienced by different types of PSP.

The first set includes the following:

Requirements that apply to all PSPs, except for account information service providers;
The definition of “fraudulent payment transactions” as it relates to data reporting;
The methodology for collating and reporting data, which includes reporting periods, data breakdown, reporting deadlines and frequency.

The PSPs are all expected to disseminate high-level data on a quarterly basis, with more comprehensive information annually.

The second set of guidelines outline the requirements for the regulatory authorities on data aggregation, data reporting frequency and deadlines that apply to the ECB and EBA.

Why were these guidelines developed?

Data on payment fraud in the EU has been difficult to obtain, not reliable, and has inconsistencies among the Member States. According to Article 96(6) of PSD2, payment service providers (PSPs) must provide “statistical data on fraud relating to different means of payment to their competent authorities.” The overall goal is to obtain reliable, comparable data for all EU countries as it relates to payment fraud.

Who do these guidelines affect?

These guidelines address specific PSPs and other banks, and aim to regulate the reporting requirements for payment fraud. Small PSPs only face an annual reporting duty.

What should be reported?

There are three types of fraud cases that should be reported:

Unauthorized payment transactions, including those resulting from the loss, theft, or misappropriation of a payment instrument or other sensitive payment data, regardless of detectability or root cause;
Payment transactions made and authorized by a payer that acted dishonestly or by misrepresentation, regardless of intent;
Payment transactions made as a result of the payer being manipulated.

There are certain rules that accompany these cases. Only fraud payments that have been initiated and successfully executed need to be accounted for in the PSP disclosures. Any cases of attempted fraud that have failed do not require reporting. Additionally, both net fraud and gross amounts must be reported under both plans. Gross figures relate to the value of funds defrauded, and net fraud relates to cases where some of the losses have been recovered by the PSPs, including insurance fraud.

Are there any exemptions to these guidelines?

Account information service providers are exempt from reporting requirements to avoid any double counting of fraud cases. It is assumed that PSPs will record these instances.

How should the data be broken down?

The data should be reported separately for each payment service or instrument operated by the PSPs. These include money remittance, e-money, payment initiation services, direct debit services, payment cards issuance, payment cards acquisition and credit transfers.

There are certain categories that should be followed:
The method of authentication used;
The reason why the authentication method was chosen;
The type of fraud.

Data must include the volume and value of fraud related transactions recorded per country within the European Economic Area (EEA), and an aggregate form for non-EEA transactions where at least one part of the transaction is performed in the EEA.

An additional component of the guidelines are templates for the reports that must be submitted by the PSPs during reportable incidents. When an incident originates within a company, it may employ consolidated reporting with other businesses who have affected payments through a service provider. With these guidelines, the EBA has clarified that “near misses” do not have to be reported.

These guidelines should help achieve an accurate snapshot of payment fraud occurring in the EU, including the size, components and development over time. They should also help increase the security of retail payments in the EU going forward.

About Markus Bergthaler

Markus oversees the development of all Association programme content, conference education, committee and community subject matter, website content, benchmarking, and online forum topics. Markus joined the MRC from Wizards of the Coast where he led the companys fraud department.

About the MRC

The Merchant Risk Council is the leading global trade association for fraud and payments professionals. The MRC provides support and education to members with proprietary benchmarking reports, whitepapers, presentations and webinars. The MRC hosts four annual conferences in the US and Europe, as well as regional networking meetings for professionals to connect, exchange best practices and share emerging trends. #ProudlyACommunity

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords:	Markus Bergthaler, Merchant Risk Council, PSD2, European Banking Authority, PSP, direct debit, card, web fraud prevention, online authentication
Categories:
Companies:
Countries:	World

Free Headlines	::: subscribe now
RSS	::: follow ThePaypers via RSS ::: connect
LinkedIn	::: connect with ThePaypers on LinkedIn ::: connect
Twitter	::: follow ThePaypers on Twitter ::: follow
Facebook	::: like ThePaypers on Facebook ::: like

Fraud reporting requirements under PSD2

Free Headlines in your E-mail

Voice of the Industry

The threats and opportunities of the AI revolution in compliance

Frictionless payments: adopting technological advancements to tackle security concerns

Shaping the future of the payments industry: key insights from MPE 2024

A bumpy road to becoming an open identity infrastructure: MOSIP Connect 2024 in retrospect

Innovation in payments: what role do policy and regulation play?

Interviews

Presenting crypto payments trends – a CoinsPaid perspective

Key ecommerce and payments trends in 2024

AML/sanctions compliance: A vital lifeline for Banking-as-a-Service partnerships' survival

The agility of the Electronic Money Institution: paving the way for instant, low-cost payments around the globe

Countdown to IFGS 2024: Unveiling trends shaping fintech's next decade

Industry Events

The Paypers

This Site

Contact Information

Legal Information