Recent research has revealed that over a third of fraud cases in the U.K. have gone unreported to banks.
This is indicative of a wider problem in the fraud industry; no one knows the exact size and nature of fraud activity. The European Banking Authority (EBA) is attempting to tackle this with new requirements for fraud reporting as a part of PSD2.
However, the final requirements are yet to be released, even though a majority of PSD2 mandates have already gone live. This makes reporting the final piece of the puzzle for the directive.
The EBA is hoping to improve upon the limited reliable and comparable data currently available on payment fraud at EU level with new PSD2 reporting requirements. Limited data is a widely recognized issue and it was decided that incorporation into PSD2 was the most appropriate way to enforce a requirement. The requirement is for payment service providers (PSPs) to “provide at least on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities.” Authorities, such as the FCA, will then provide this data to the EBA and the European Central Bank in an aggregated form.
The efforts by the EBA are most definitely a step in the right direction, and they strive to strike a balance between the need for detailed and timely information and the effort required by PSPs to meet these new requirements. If even moderately successful in quantifying the impact of fraud, the guidelines have the potential to create aggregated headline figures that could foster government support for law enforcement agencies that find themselves woefully under-resourced to tackle the fraud problem.
However, there are still numerous issues that are outstanding following the release of the most recent guidelines. Some of the highest-impact issues are outlined below:
Classification of fraud. The EBA has identified that there is no common industry definition of “fraud” and “fraudulent payments transactions” for reporting and has therefore defined the types of fraudulent activity that it would like to report on. However, this definition still leaves scope for misinterpretation and confusion. Most importantly, as with many industry collaboration efforts, the actual classification of fraud can vary between institutions. Without some form of quality control on the underlying data, the final collated figures will be subject to a high degree of inconsistency.
Multicurrency. The EBA has provided guidelines for PSPs to help with converting figures into a single reporting denomination. But, again, the guidelines leave scope for misinterpretation. Several different ratios of conversion can be used, and some are calculated from rolling averages. A further, more rigid definition is required to reduce variance in calculation methods and ensure more consistency in reporting.
Double counting. The EBA has focussed solely on PSPs in the payment chain to avoid double counting on reporting and has defined in many cases whether the payer or the payee PSP should bear responsibility for reporting on a fraud event. However, for card payments both payer and payee PSP must report.
Card payments make up 75% of card losses in the U.K. alone, so the potential impact of double counting if not properly identified would be significant. Double counting on cards was requested to identify the source and destination of payment transactions, but this feels like an inconsistent approach. A significant amount of cross-border fraud activity would be attributed to noncard payments and will therefore be missed. Also, does the requirement for detailed source and destination data add unnecessary complexity in the drive toward reliable and comparable data?
The above issues are topics that have plagued the fraud industry for years and more specific guidance is needed to ensure consistency, so that all PSPs are reporting on a truly level playing field.
The guidelines for reporting are still in final-draft stage and the EBA has in previous draft updates shown a willingness to add more structure and focus to the requirements. It remains to be seen whether the final guidelines will solve some of the above issues. However, with most PSD2 mandates now live, the clock is ticking on enforcing these standards with PSPs.
As with all PSD2 mandates, there is a risk of penalties associated with noncompliance. Although the first report submission periods are not due until H2 2018 at the earliest, the EBA does require reporting to be in place from Q2 2018 onward. All payment service providers need to think about their capability to efficiently and reliably collate the information required for regular submission in the imminent future.
The focus of the EBA reporting guidelines is on actual fraud, not attempted but ultimately unsuccessful fraud. The EBA assumes that financial institutions will have suitable fraud systems in place to mitigate most fraudulent activity. This brings out a final, and potentially critical, aspect of fraud reporting: measuring compliance with PSD2 mandates, and any exemptions, for secure customer authentication (SCA).
There was widespread relief at the introduction of an exemption from SCA based on transaction risk analysis, when the EBA released its final standards for SCA in PSD2. This exemption means PSPs no longer have to enforce SCA on customers for certain transactions, if they can beat specified reference fraud rate thresholds. This is great news both for the banks, faced with the unedifying prospect of adding more friction at a time when they are striving for frictionless payments, and for customers, faced with more steps that only elongate the transaction payment process.