To help PSPs enhance their security and reduce the risk of fraudulent transactions, the Office of Competition and Consumer Protection (UOKiK), The Polish Financial Supervision Authority (KNF), and payments market players created a working group that developed a set of guidelines entitled: "Actions Aimed at Mitigating the Risk of Fraudulent Transactions. Recommendations of the President of UOKiK for Payment Service Suppliers" that was published in October 2024.
The guidelines are not legally binding, but they reflect the expectations of the regulator and the best practices of the industry. They cover various risk factors associated with online payment services and suggest measures such as transaction monitoring, cooling periods, voice messages, transaction limits, and strong customer authentication to protect consumers. These recommendations aim to provide a high level of protection for consumers, but they also require significant effort and resources from PSPs to implement effectively. This set of guidelines is particularly noteworthy due to the recent activity of the UOKiK on PSPs' approaches to unauthorised transactions and its investigations in this matter against 15 banks in Poland. Below we present a summary of these guidelines for PSPs operating on the Polish market.
1. Monitoring customer transactions
PSPs should monitor customer transactions and use appropriate technical measures to detect and prevent unusual or risky transactions, such as those that deviate from the customer's typical behaviour, involve high amounts, or are made shortly after changes in the customer's account or communication data. PSPs should also define typical and atypical transactions for each customer based on their average income, expenses, account balance, and other circumstances that may indicate fraud.
2. Implementing cooling periods
PSPs should use cooling periods to delay the execution of certain transactions or actions that may indicate fraud, such as significant or repeated increases in transaction limits, activation of additional functions, or requests for consumer credit. Cooling periods are intended to give customers time to verify and cancel transactions or actions that they did not authorise or initiate. During the cooling period, PSPs should inform the customer about the transaction or action and the reason for the delay, and use a communication channel other than the one used to initiate the transaction or action. PSPs should also allow the customer to confirm or cancel the transaction or action, before the end of the cooling period and using a different verification method to the one used to initiate the transaction or action.
3. Verifying identity with voice messages
PSPs should use voice messages or phone calls to verify the customer's identity and consent for certain transactions or actions that may be considered atypical or high-risk, such as transactions involving high amounts, foreign transfers, or changes in account or communication data.
4. Setting transaction limits
PSPs should set transaction limits based on objective data and customer preferences and inform customers about the risks of maintaining high transaction limits. PSPs should require additional verification or confirmation for significant or repeated increases in transaction limits and use a communication channel other than the one used to request the increase. PSPs should also use temporary limits that revert to the previous level after a certain time, unless the customer explicitly requests a permanent change. PSPs should inform customers about the optimal transaction limits and the possibility of lowering them at any time, and review and adjust the recommended limits periodically.
5. Limiting certain functions
PSPs should limit certain functions and products that are frequently used to carry out unauthorised or fraudulent transactions, especially those available in the mobile app or the online account of the customer. PSPs should not activate these functions or products by default for new customers, but instead require a separate and clear request from the customer to enable them. PSPs should also inform the customer about the risks associated with unauthorised access to the account and the use of certain functions or products in known fraud schemes. PSPs should also allow the customer to disable or restrict these functions or products at any time, and require additional verification or confirmation for activating them again. Some examples of these functions or products are:
- Instant transfers.
- Foreign transfers.
- Transaction limit for card-not-present transactions above zero; and
- Consumer credit available in the mobile app or the online account.
6. Remote session detection
PSPs should use remote session detection to block suspicious logins from unknown devices. Providers should inform the customer and ask for their consent to log in with extra security.
7. Employee authentication
PSPs should authenticate employees at every customer contact, using different methods (e.g. with use of the PSPs app) for different functions. They should not ask the customer to authenticate; it should be done automatically.
8. Clear and simple communication
PSPs should use clear and simple language in authentication messages. PSPs should allow customers to access and download these messages at any time or provide them on request.
9. Fraud reporting
PSPs should offer a toll-free hotline and a chat service for fraud reporting. PSPs should also inform the customer if they are talking to AI or a chatbot and allow them to switch to a human.
10. Panic button
PSPs should use a panic button or an emergency button to let customers block transactions in case of fraud. They should keep them blocked until the customer unlocks them at a branch or after a certain time.
11. Using strong customer authentication for card-not-present transactions
PSPs should strive to use strong customer authentication (SCA) for all transactions involving card payments without physical use of the card (CNP transactions).
12. Hiding authentication data on the card
PSPs should strive to hide the authentication data that enables card payments, such as the card verification code (CVC/CVV), on the card itself. This way, even if the card is lost or stolen, the fraudster cannot use the card data to make online payments without the customer's consent. This is especially important if the PSP does not require SCA for all CNP transactions.
13. Using one-time virtual cards
PSPs should offer customers the option of using one-time virtual cards, generated for a specific transaction. This solution allows customers to minimise the risk of data leakage on the recipient's side, as the card data cannot be reused for another transaction.
14. Using hardware keys or biometric data
PSPs should offer customers the opportunity to make use of strong authentication methods that are resistant to the interception of sensitive information by unauthorized parties, such as hardware keys (U2F) or biometric data. PSPs should inform customers about the benefits of using these methods, such as the impossibility of using them by third parties without physical access to the key or the biometric data.
15. Using artificial intelligence or behavioural biometrics
PSPs should implement systems that identify unusual activities on the customer's account in the online service or the mobile app at the authentication stage, using artificial intelligence or behavioural biometrics. PSPs should use these systems only with the customer's consent and for the specific purpose of verifying the authenticity of the authentication, and inform the customer about the type of data collected and the third parties involved in processing them. If the customer agrees to use such a system, the PSP may choose to facilitate the use of some functions that normally require additional or special authentication or security measures, such as cooling periods.
The recommendations do not limit or exclude the PSPs’ obligations under other regulations, especially the Polish Payment Services Act, when consumers report unauthorised payment transactions. The recommendations also do not exclude the use of other remedies and security mechanisms for different risk factors, or solutions that provide equivalent or higher security levels. According to UOKiK, PSPs should implement any other necessary remedies and respond promptly to emerging threats.
If you have any questions on this topic, or wish to audit your procedures, please contact us.
