EBA guidelines on fraud reporting under PSD2

On 18 July 2018, the European Banking Authority (EBA) published its final guidelines on fraud reporting under PSD2. This article explains the new guidelines, who is affected, when these guidelines for credit, payment and e-money institutions take effect and what important changes have been made compared to the consultation draft.

What is regulated?

These guidelines, developed by the EBA in close cooperation with the European Central Bank (ECB), were designed to support the PSD2’s goal for improving security of retail payments within the EU.

The guidelines for reporting fraud cases require European payment service providers to collect certain data associated with payment transactions and to report to their competent supervisory authorities semi-annually, based on uniform methods, definitions and data breakdowns or itemisations. The competent supervisory authorities must report aggregated data to the EBA.

Background of the guidelines

The guidelines were drafted by EBA based on Article 96 (6) PSD2, which requires Member States to ensure that payment service providers report statistical data to their competent supervisory authorities regarding any fraud involving various methods of payment, at least annually. The national authorities must provide this data to the EBA and the ECB, in aggregated form.

The guidelines originated in an EBA consultation paper published in August of 2017. Fortunately, in response to various reactions regarding the draft - a total of about 200 - the EBA has significantly revised the guidelines and annexes.

Who do the guidelines affect?

The guidelines apply to credit institutions that provide payment services as well as to all payment and electronic money institutions. Account information service providers are excluded, however, payment initiation service providers are not. The guidelines also apply to all competent supervisory authorities responsible for reporting the data in aggregated form to the EBA and the ECB.

When do the guidelines go into effect?

Payment service providers must begin collecting financial data as specified by the guidelines by January 1, 2019. The collection of data associated with the applicability of threshold exemptions for strong customer authentication due to appropriate transaction risk analysis must be initiated on the date of applicability of the delegated regulation (EU) 2018/389 for strong customer authentication and for secure open standards for communications (delVO). This date is September 14, 2019.

Based on the semi-annual reporting frequency, the first notification must be made per June 30, 2019. The supervisory authority – in Austria the Financial Market Authority – has yet to determine the date on which the data for the first half of 2019 must be reported.

Summary of the guideline's regulatory content

The guidelines are divided into those for payment service providers as well as those for competent supervisory authorities, however, only the requirements for payment service providers are covered here.

The guidelines specify which transactions must be reported (unauthorized payment transactions and manipulations of the payer by third parties). However, any operations not resulting in actual transactions must not be reported.

Various general statistical data must be reported (all payment transactions and determination of how many of them are fraudulent, based on total numbers as well as volume).

The data must be subdivided into national and cross-border payment transactions carried out both inside and outside the EEA.

Summary of most important changes

In comparison to the consultation draft, the EBA has made the following important changes in the final guidelines:

• Neither quarterly nor annual reporting of data is required now, merely a semi-annual reporting of uniform data.
• Since no country-specific data breakdowns are required, the geographical scope of the data has been reduced in terms of size and complexity compared to the consultation draft.
• The EBA has clarified that the final guidelines must be used for calculating fraud as specified by Art 18 delVO. This relates to the applicability of threshold exemptions for strong customer authentication based on the transaction risk analysis. In this sense, the definitive guideline provides a definition of the term "fraudulent payment transaction", which includes non-authorized payment transactions as well as transactions resulting from manipulation of the payer by the fraudulent person. The draft also classifies transactions as fraudulent when the fraudulent person is the payer. However, these types of operations do not fall within the scope of the guidelines because the EBA holds that this type of fraud is subject to the control of the payment service provider.
• In addition, the EBA, together with the ECB, has made a special effort to appropriately adapt the guidelines to the reporting obligations, the ECB regulation regarding payment statistics.

How can we help you?

If you have any questions about implementing the reporting requirements or collection of data or creating appropriate corporate policies based on the EBA fraud reporting guidelines, please do not hesitate to contact us.