Fraud Reporting Compliance Under PSD2

Society is becoming more digital by the day, and this is especially true of how we manage our finances and pay for goods and services. Fintech companies are looking to capitalize on and disrupt the $6.78 trillion global banking industry. The recent Payment Services Directive (PSD2), implemented across the EU in January 2018, is helping these companies bring innovation and competition to the banking industry at a level never seen before.

However, with innovation in financial systems comes increased risk of fraud. This article briefly discusses how PSD2 is changing the banking game, how fraud reporting compliance is changing under the new directive, and how the fraud reporting compliance guidelines help keep consumers safe in this new age of open banking.

A Brief Summary on PSD2

The Payment Services Directive, or PSD2 for short, is a recent revision of the original payment services directive (PSD1), which was implemented across the EU in 2007. Designed by the countries of the European Union (EU), this directive has the main goal of breaking down EU banks' monopoly on consumer data. This means bank customers, both individuals and businesses, can now use third-party providers to manage their finances.

This directive will open the doors for companies like Facebook and Google to help you pay your bills, engage in peer-to-peer (P2P) transactions, and monitor your spending habits, all while your money stays secure in your personal bank. PSD2 is a major win for the fintech industry, which currently provides platforms where individuals and businesses can exchange funds outside of their current banks.

A direct result of PSD2 could be the emergence of the next massive fintech disruptor, similar to how Uber and Airbnb changed their respective industries forever. Think about it: Uber is the world’s largest taxi service but owns no vehicles, and Airbnb is the world’s largest accommodation provider but owns no real estate. Could we see the creation of the largest financial services provider that holds no direct bank accounts? An educated assumption would be a firm yes.

PSD2 is Fighting Fraud

One of the main objectives of PSD2 is to increase security and lower overall fraud in the financial system. This is huge because, according to Charles Damen, SVP of Payment Strategy at Worldpay, over two-thirds of fraud is directly linked to card-not-present (CNP) payments. This new legislation aims to reduce that.

The main way PSD2 is looking to combat fraud in an age of financial innovation is through stronger customer authentication, protecting consumers engaged in digital transactions outside of their normal bank. Electronic payments will now need at least two user authentication methods, meaning something they know (e.g. password), something they own (e.g. phone), or something biometric (e.g. iris scan).

The ultimate goal of these new security measures is to increase consumer confidence in digital transactions and reduce fraud at the same time. Unfortunately, no matter what security is put in place, there will always be a risk of fraud attached to digital transactions. Payment service providers (PSPs) under PSD2 are now required to meet certain regulations around reporting fraud data to competent authorities.

The European Banking Authority (EBA) released guidelines in July 2018 specific to Article 96(6) of PSD2. The guidelines were developed in collaboration with the European Central Bank (ECB) and require PSPs to collect and report data on payment transactions (both fraudulent and not) using a consistent methodology, definitions, and data breakdowns.

Let’s take a closer look at a few of these guidelines focused on fraud reporting compliance under the new PSD2 legislation.

Key Attributes of Fraud Reporting Compliance Under PSD2

Reporting the Right Fraud Data

Under PSD2, payment service providers must report statistical fraud data for all unauthorized payment transactions made and for payment transactions made as a result of payer manipulation, where a fraudster manipulates a payer into issuing a payment order or into giving the payment service provider the instruction to do so.

This fraud data should be reported on a semi-annual basis to remain in compliance with EBA guidelines on reporting fraud under PSD2. Furthermore, payment service providers should report only transactions that have been executed, not transactions that have not resulted in a transfer of funds.

Consistency is a Key Theme

Consistency is a recurring theme throughout the fraud reporting guidelines for PSD2. The EBA and ECB focused on consistent implementation across all member states, ensuring data is aggregated in a way that is both reliable and comparable. These two regulatory agencies worked closely together and gathered feedback through a public consultation period. This resulted in changes to the guidelines with the sole focus of creating consistent steps to provide accurate and reliable data to the proper entities.

For example, the EBA changed certain terminology to align terms consistently throughout the guidelines, creating clear and concise guidance on fraud reporting under the new PSD2 legislation. Consistent fraud data reporting guidelines will help gather data across the European Union, resulting in a holistic, transparent view of fraud activities related to transactions by payment service providers.

Alignment with Outside Standards

The main concern raised by respondents during the consultation was the alignment of the PSD2 fraud data reporting guidelines to other directives, decreasing the chance of overlapping data aggregation by payment service providers. The EBA and ECB used responses from the consultation to align the fraud reporting guidelines with other reporting directives such as the ECB Regulation on Payment Statistics (ECB/2013/43) and the ECB Recommendation on Payment Statistics (ECB/2013/44).

The EBA also made an effort to align the guidelines in terms of data categories being collected to calculate the fraud rate to gain exemption from the transaction-risk analysis requirement under Article 18 of the Regulatory Technical Standards. These standards promote strong customer authentication and communication, which are key to achieving the objectives of PSD2: enhancing consumer protection, promoting innovation and improving payment service security across the EU.

Wrapping Up

The newly implemented Payment Services Directive will change the financial landscape of the European Union forever. Third-party providers will now be competing directly with financial institutions to help customers manage their finances. A key to ensuring consumer protection is the EBA guidelines on fraud data reporting: a consistent, fully aligned set of guidelines that will help the entire European Union create transparency into fraud data, which can be used to further improve security and protection of customer data. The financial future is here in the European Union, and it will be interesting to see which areas of the world join this financial movement going forward.