Insight

Combatting payment account fraud - latest regulatory developments from the European Union

On 28 June 2023, the European Commission (the Commission) published a new set of legislative proposals to amend the Second Payment Services Directive (PSD2) which are intended to further strengthen and safeguard the European payments market. The proposals will repeal PSD2 to become the Third Payments Services Directive (PSD3), through which the Commission has sought to address the deficiencies of PSD2, along with a new Payment Services Regulation (PSR) which will have direct effect in EU member states. 

One of the objectives of the new package is to provide more expansive anti-fraud protections for consumers making payments in the EU. Under PSD2, a customer that is a victim of fraud can claim a reimbursement from their EU-licensed payment service provider (PSP) if the transaction is either unauthorised (i.e. they did not consent to the execution of that transaction) or has been executed incorrectly. However, there is no redress mechanism in the current regime where a payer authorises a payment as a result of the requesting person fraudulently impersonating a third party, which the Commission refers to as “spoofing” or “impersonation fraud”. Article 59 PSR sets out new measures aimed at the prevention of, and redress for, impersonation fraud. Cases of impersonation fraud will be subject to a compensation model which obliges PSPs and electronic communications service providers (ECSPs) to fully reimburse a consumer who is a victim of impersonation fraud for the full amount of the fraudulent transaction. 

Both PSD3 and the PSR have entered the EU ordinary legislative procedure (further explained below). Depending on the legislative process, the final agreed texts are expected to enter into force no later than 2025. 

Scope of the Impersonation Fraud Liability Regime

Under Article 59 of the PSR, a consumer who is a victim of impersonation fraud shall be entitled to a full reimbursement from their PSP of the amount paid provided that they have, without undue delay, reported the fraud to the police and notified their PSP.  

i. In-scope Firms

In contrast to the UK (which brings only PSPs within scope), the impersonation fraud liability regime under the PSR applies to both PSPs and ECSPs.

A PSP is a broad classification encompassing banks, payment institutions and e-money institutions. The PSR defines ECSPs by reference to the scope of the EU Digital Services Act1 and the EU Electronic Communications Code2. The wide ambit of the definition would entail a vast range of platforms including “online platforms”, “digital platforms”, e-commerce, telecommunication companies and social media companies and an array of different product offerings provided by these platforms.

ii. In-scope Persons - who can make a claim?

The reimbursement obligation shall only apply to a consumer payment services user who has been a victim of manipulation by impersonation fraud, which is:

  1. A third party pretending to be an employee of (i) the consumer’s PSP or (ii) a “private entity”; or (iii) a “public entity”;
  2. That third party (in either situation) used the name, email address or telephone number attributed to such entity unlawfully; and
  3. The “manipulation gave rise to subsequent fraudulent authorised payment transactions” (“APT”).

iii. In-scope Transactions

A consumer will only be able to claim reimbursement for fraudulent APTs which have resulted from impersonation fraud. For instance, in-scope transactions do not appear to include extortion.

Claiming a Reimbursement

The PSR does not set a deadline by which a consumer must notify their PSP of a fraudulent APT which has resulted from an impersonation fraud, but the PSR states that they must act “without undue delay” upon becoming aware of the fraudulent APT.

PSPs must issue a reimbursement to the consumer covering the full amount of each in-scope transaction within ten (10) business days after either (i) the consumer notifying it of the fraudulent APT or (ii) the PSP receiving a police report confirming the fraud. A PSP can only refuse to issue a reimbursement if:

  1. The PSP has reasonable grounds to suspect that the consumer has acted fraudulently or with gross negligence; and/or
  2. The consumer refuses to either provide relevant information on the circumstances of the impersonation fraud or comply with the PSP’s investigation.

The PSP must then provide its substantiated justification for refusing to issue the reimbursement to the relevant national authority. The consumer must also be directed to the relevant bodies to which the matter can be referred to further investigate the fraud and dispute the reasons provided.

When seeking to establish that a consumer is grossly negligent, the burden of proof falls on the PSP to demonstrate that the consumer’s conduct on the part of the consumer exhibiting a “significant degree of carelessness”. The PSR provides the following examples of conduct which would be considered to be grossly negligent:

  1. Making a payment to a fraudster without having any reasonable grounds for believing that the payee to whom the payment was intended is legitimate;
  2. Keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties;
  3. Persuading a bank to lift a block placed after a fraud alert;
  4. Acting on guidance from an unfamiliar third party; and
  5. Giving an unblocked smartphone to a third party

(recital 82).

ECSP liability

The PSR creates a liability chain in which the PSP has the primary responsibility for reimbursing any in-scope person the full amount of an in-scope transaction. Secondary responsibility is introduced for ECSPs, as explained in recitals to the PSR:

“Online platforms can also contribute to increasing instances of fraud. Therefore, and without prejudice to their obligations under [the EU Digital Services Act], they should be held liable where fraud has arisen as a direct result of fraudsters using their platform to defraud consumers, if they were informed about fraudulent content on their platform that and did not remove it.” (recital 81a)

Consequently, ECSPs must remove any “fraudulent” or “illegal content” after being informed by the PSP of its existence. Failure to do so results in the ECSP being liable to reimburse the full amount of the fraudulent APT to the PSP on the condition that the consumer has complied with their notification and reporting obligations.

No specific timeline is given for reimbursement of the PSP by an ECSP. Nevertheless, given that a PSP would have to reimburse a defrauded consumer within ten (10) business days, the PSP would likely apply pressure on the ECSP to complete its enquiries and pay within that timeframe. However, absent a timeframe for the ECSP, it would not appear that the PSP could itself require payment by a set deadline.

Core Obligations

All providers involved in the fraud chain (including PSPs, ECSPs and online platforms encompassing digital platform service providers) must have in place fraud prevention and mitigation techniques to combat fraud in all its forms, including unauthorised and authorised push payment fraud. They must also act swiftly to ensure that appropriate organisational and technical measures are in place to safeguard the security of customers when making transactions. These are taken to include, at a minimum, secure authentication channels, robust encryption standards and an incident response plan outlining the steps to be taken to address cases of fraud.

The PSR also sets out specific obligations that ECSPs must comply with, as summarised below.

  1. Incident management: cooperate closely with PSPs and act swiftly to ensure that communications are safeguarded in accordance with the EU ePrivacy Directive (Directive 2002/58/EC), including with regard to calling lines and email addresses.
  2. Fraud mitigation measures: take various steps relevant to the mitigation of impersonation (and other types of) fraud, in particular:
    • Make available educational measures, including customer alerts when new forms of online scams emerge, taking into account the needs of vulnerable customers;
    • Provide consumers with guidelines as to how to identify fraud and what steps/precautions they can take to avoid being a victim of fraud;
    • Provide users with a means to report fraud and how to rapidly obtain fraud-related information; and
    • Ensure it has in place fraud prevention and mitigations techniques to fight all types of fraud.

Areas of Uncertainty

There are a number of aspects of Article 59 PSR which are vague and create uncertainty for PSPs and ECSPs. Whilst it seems reasonably clear from recital (81a) that an ECSP’s liability should arise if it is told about fraudulent or illegal content on its platform, fails to remove it and a fraud occurs through the platform as a result of that illegal or unlawful content, Article 59 does not require a causal connection between illegal or unlawful content and the occurrence of a fraud. It therefore isn’t clear whether the ECSP is liable only if the content was in fact a cause of the fraudulent APT, or whether the reimbursement requirement applies as a ‘punishment’ for the ECSP’s failure to remove content that might result in harm in future.

Secondly, for liability to arise on the ECSP, it is not clear whether the consumer claim must have been determined by the PSP. It therefore remains possible that the ECSP is asked to take down content or compensate such PSP before that PSP has decided whether the customer’s claim is valid. The discretion that is afforded to PSPs could potentially lead to a pre-emptive and possibly arbitrary approach in requesting ECSPs to act without a definitive determination on the validity of a customer’s claim, leading to uncertainty on when to take down content or provide compensation.

Thirdly, the PSR allows a PSP to pass liability onto ECSPs who may have been concerned with the impersonation fraud. However, it is not clear if this constitutes a ‘sharing’ of liability between the parties. In principle, it appears that the ECSP could therefore be liable for the full amount of the fraudulent APT even if the claiming PSP had already been fully compensated by another connected ECSPs (or indeed if the funds have otherwise been recovered).

The current draft of Article 59 is silent on a number of matters:

  1. How and to what extent can an ECSP investigate, query and / or challenge a claim, including where (contrary to the PSP’s position) it considers there to be fraud or gross negligence on the part of the customer?
  2. Are PSPs required to notify ECSPs using a particular means of communication?
  3. Are ECSPs expected to work to a particular deadline in assessing whether to remove fraudulent content from their platforms, once they have been informed by the relevant payment services providers.

It is hoped that the text of Article 59 (or subsequently issued Level 2 / 3 measures) shall provide some further guardrails on what “the fraudulent or illegal content” the ECSP should remove. For example:

  1. Would the ECSP only be required to take down the content specified by the PSP or would this be entirely at the discretion of the ECSP, PSP or a competent authority?
  2. Will take-down requirements apply across all of an ECSP’s products, including private communication channels like messaging, or only to public channels like ecommerce or social media feeds?

Ideally, these matters would be clarified in the final agreed text of the PSR itself or through technical standards or guidelines to be subsequently issued by the relevant authorities.

Timeline

Both PSD3 and the PSR have entered the EU “ordinary legislative procedure” which means that the European Parliament and the Council of the EU (the “Council”) are currently considering the proposals.

  1. On 14 February 2024, the European Parliament's Economic and Monetary Affairs Committee (“ECON”) announced it had adopted draft legislative proposals.
  2. On 23 April 2024, the European Parliament announced that it has adopted its position at first reading of the draft PSD3 and PSR. The texts will be negotiated between Parliament and Council after the Parliamentary elections in June 2024.
  3. Depending on legislative progress, the final agreed texts of PSD3 / PSR are expected to enter into force at the end of 2024 / early 2025.
  4. Both PSD3 and the PSR shall apply in all EEA countries 18 months after they enter into force, i.e. mid-2026 / early 2027, subject to domestic transposition in each EEA country. 

1Regulation (EU) 2022/2065
2Directive (EU) 2018/1972

Resources 

https://finance.ec.europa.eu/consumer-finance-and-payments/payment-services/payment-services_en
https://www.lexology.com/library/detail.aspx?g=05f1af4b-a75a-41ac-8f07-d91991a46cbe
https://www.europarl.europa.eu/committees/en/econ/documents/latest-documents

 

Related capabilities