European authorities are very busy trying to cope with the scale and pace of change in the payments sector, including shifting fraud patterns and threats. We've included a bullet-point summary of what's going on. Let us know if we can help on any aspects.

EU Retail Payments Strategy

This strategy complements the EU's wider Digital Finance Strategy. The European Commission's main payments objectives are to remove market fragmentation, promote market-driven innovation in finance, and address new challenges and risks in a way that ensures technological neutrality (same risks, same treatment). Specifically, the Commission wants to see increasingly digital, instant pan-EU/EEA payment solutions; innovative and competitive retail payments markets; efficient, interoperable retail payment systems; and efficient international payments/remittances.

The strategy to meet those objectives involves:

  • Encouraging more payment service providers to offer more accounts that can send and receive Single Euro Payments Area (SEPA) instant credit transfers (ICTs).
  • Consumers being able to make instant payments with the same level of protection offered by other payment instruments and normal credit/bank transfers.
  • Mitigating the liquidity risk for financial institutions from the potentially rapid outflow of funds through instant payments (bank runs); and assessing whether further measures are needed to address money laundering and terrorist financing.
  • Monitoring and enforcing compliance with the SEPA Regulation.
  • Promoting the use of electronic identity and trust services under the Electronic Identification Regulation (eIDAS) and supporting Strong Customer Authentication (SCA) requirements under PSD2 for account login and payment initiation.
  • Monitoring the level of acceptance of digital payments in the EU and proposing any legislative support required.
  • Realising the full potential of ‘open banking’ (account information and payment initiation services) under PSD2 and proposing a wider Open Finance Framework by mid-2022.
  • Re-assessing the legal limits on contactless payments under PSD2 to better balance convenience and fraud risk.
  • Assessing the risks posed by unregulated ‘technical services’ currently excluded from PSD2 and the adequacy of other exclusions; and whether to require a right of access under fair, reasonable and non-discriminatory conditions to any technical infrastructure necessary to support the provision of payment services.
  • Formally including the issuance of e-money under the Electronic Money Directive (EMD2) as a payment service in PSD2.
  • Amending the proposal for the Regulation on markets in cryptoassets (MiCA) to include issuers of e-money tokens and additional provisions reflecting EMD2.
  • Improving the link between supervision of payment services, payment systems, schemes and instruments.
  • Extending the scope of the Settlement Finality Directive (SFD) review to include e-money and payment institutions.
  • Working with the European Banking Authority (EBA) to assess whether SCA, security and fraud related requirements in PSD2 and related EBA instruments have actually enhanced security and reduced payment fraud.

Payments Fraud

The EBA is seeking feedback on emerging patterns of fraud it has identified in respect of credit transfers, card-based payments and cash withdrawals:

  • The proportion of fraudulent payments to the total payment volume and value is significantly lower for transactions that are authenticated with SCA than those that are not (but there is a higher fraud rate for remote credit transfers authenticated with SCA).
  • Fraud is substantially higher for cross-border transactions with counterparts located outside the EEA than those conducted within the area, which is a known pattern of payment fraud.
  • Credit transfers have the lowest fraud rate but the average amount per fraudulent transaction is the highest for all payment methods (over €4,000).
  • Card payments are the most frequently used of all payment methods, and have the highest fraud rate (as reported by acquirers rather than card issuers) but the lowest average fraud amount.
  • Payment service users bear most of the losses due to fraud relating to credit transfers and cash withdrawals (68% of the losses due to fraudulent credit transfers), yet PSD2 provides that liability for unauthorised transactions should lie primarily with the payment service provider, unless the user has acted fraudulently or fails to notify the provider of the loss, theft, misappropriation or unauthorised use with intent or gross negligence. So the EBA speculates that the notion of gross negligence might be differently understood and applied.
  • The EBA suggests that fraud losses may be being wrongly or unfairly passed on, e.g. by issuers to acquirers and by acquirers to merchants.

The European Payments Council has also reported on payment threats and fraud trends:

  • The key threats are social engineering and phishing, malware, advanced persistent threats, distributed denial of service attacks, botnets and monetisation channels (cash withdrawal, purchase that leaves no trace, money transfer or credit transfer from which a withdrawal, purchase or transfer is made). The EPC report describes each threat, the impact and context; and provides guidance on controls and mitigants.
  • Executives and employees of financial institutions and payment infrastructure are increasingly targets of social engineering, rather than merchants or business customers.
  • Malware remains a major threat, but ransomware has become the top cyber-threat.
  • Advanced persistent threats (sophisticated, customised, malicious attacks on a specific individual, company, system or software, based on specific knowledge of the target) are one of the most lucrative types of payment fraud, so potentially high risk.

Non-EU payments

The Commission recognises that payments across the EU’s external borders involving non-EU countries must also become faster, more affordable, more accessible, more transparent and more convenient. Current friction creates barriers to cross-border services, increases prices for end-users, deters investment in efficiency and reduces the pace and volume of remittances.

The Commission is therefore considering:

  • Whether to apply the maximum execution time in “two-leg” transactions to “one-leg” transactions and further harmonise the business rules and messaging standards for one-leg transactions.
  • SEPA-like initiatives in regional groupings of low- and middle-income countries.
  • The possibility for third countries to join SEPA.
  • Promoting access to payment accounts in low- and middle-income countries.

Conclusion

All this activity promises a lot of regulatory change if the authorities are to match the scale and pace of technological change and shifting fraud risks in the payments sector. Let us know if we can help on any aspects.