4.5 Payments Fraud
Trust is one of the fundamental cornerstones of a well-functioning, resilient payment system. Fraudulent activity, and the risk of being defrauded, can instil mistrust among consumers that may lead to their reluctance to use digital payments. Consequently, one of the focuses of the NPS is to assess the issue of payments fraud in Ireland and to consider potential responses to ensure that the Irish payments system is secure and trustworthy.
It is important that fraud is considered holistically at a national level, with the linkages between new trends, methods and technologies and their potential impact on fraudulent activity fully analysed. For example, while the rollout of instant payments may bring many positives, it does have the potential to increase the levels of fraud in Ireland. This has been mitigated by the safeguards embedded in the legislation, but it is important to pre-empt possible downsides as early as possible.
The issue of payment fraud is broad and complex, but can be roughly divided into two categories: unauthorised payment fraud, and authorised push payment fraud. Ireland, like other EU Member States, is currently undergoing a period of change in relation to fraud activity relating to payments. While unauthorised fraud remains the dominant form of fraud, it has been addressed via EU legislation, technological advances etc., and is declining. Authorised push payment fraud, on the other hand, has until now not been subject to the same degree of legislative scrutiny at EU level; however, this will be addressed in forthcoming legislative texts.
Unauthorised payment fraud involves a payment being made without the authorisation of the payer. In terms of addressing this type of fraud, PSD2, which became law in Ireland in 2018, required the implementation of preventative measures such as strong customer authentication (SCA). The ECB notes that the implementation of requirements such as SCA had a positive impact on the level of digital payment (card not present[1]) fraud[2]. ECB data from 2019 shows that in Ireland, for every 1,000 inhabitants, 59 cases of fraud were recorded, compared to a euro area average of 40 fraud cases per 1,000 inhabitants.[3] Unauthorised payment fraud continues to be a serious issue in Ireland and it represents the largest share of Ireland’s fraud level, albeit on a declining trajectory. The BPFI’s Payment Fraud report shows that in 2022, unauthorised fraud (card fraud, paper-based fraud and unauthorised electronic fraud transfer) amounted to €84.6 million[4].
Authorised push payment fraud involves the use of social engineering techniques by the fraudster to deceive the payer into making a payment to someone other than the intended recipient, or for a purpose other than what led the payer to make the payment. Losses from this type of fraud amounted to €9.9 million, the lowest level since this reporting began and significantly lower than unauthorised fraud, according to the BPFI[5]. The reasons for the decreasing level of authorised push payment fraud are unclear, particularly as the majority of measures to address such fraud are due to be implemented as part of the incoming PSR. While the value of this type of fraud may be declining, it has a very high profile in Ireland and receives ongoing coverage in the media.
On 16 June 2023, ComReg issued a consultation on combatting scam calls and texts[6] in which it points out that “Ireland, as an English-speaking country with a developed economy, is disproportionately targeted compared with our EU neighbours.” Statistics cited in the consultation include that:
- Over 90% of adults in Ireland have received a scam call to their mobile phone in the last year;
- 84% have received some form of scam text;
- The most impersonated organisations are banks along with postal and courier services;
- Younger demographics are more susceptible to fraudulent calls often due to pre-existing affinity with mobile technology;
- Older generations while less susceptible are more concerned over scams.
On 28 June 2023, the European Commission published proposals for PSD3 and PSR. These proposals amend and modernise the current PSD2. The proposed revisions to PSD2 represent a package of changes which will enhance the functioning of the EU payments market and substantially reinforce consumer protection.
In the PSR, the European Commission is seeking to target new types of fraud which PSD2 is not equipped to address. PSD2 focussed primarily on unauthorised forms of payment fraud, but PSD3 and PSR will go beyond PSD2 to tackle the social engineering methods which allow authorised push payment fraud, for example, where a customer is deceived into making a payment to a fraudster who fraudulently uses the telephone number or email address of a bank. It is evident that prevention mechanisms such as SCA have been insufficient to prevent this type of fraud. One of the new measures is the unique identifier (such as an IBAN)/name check, where a payer is notified when undertaking a credit transfer if the payee’s unique identifier and name do not match; it is then up to the payer to determine whether they wish to proceed with the transaction.
Measures being implemented by the European Commission to tackle authorised push payment fraud include:
- A good-faith consumer who has been the victim of ‘spoofing’ fraud, where fraudsters pretend to be employees of a customer's payment service provider and misuse the payment service provider's name, mail address or telephone number, should be entitled to a refund of the full amount of the fraudulent payment transaction from the payment service provider, unless the payer has acted fraudulently or with gross negligence;
- An extension of IBAN/name matching verification services to all credit transfers. These have been proposed by the European Commission for instant payments in euro;
- A legal basis for PSPs to share fraud-related information between themselves in full respect of GDPR[7] via dedicated IT platforms;
- The strengthening of transaction monitoring;
- An obligation on PSPs to carry out education actions to increase awareness of payments fraud among their customers and staff; and
- An extension of refund rights of consumers in certain situations.
The European Commission notes that any changes to the PSD2 liability framework via PSD3 and PSR should contribute to reducing fraud without creating moral hazard, where consumers believe that they will always be compensated for instances of fraud regardless of how they respond to suspicious approaches that are subsequently found to be fraudulent. There continues to be a duty on consumers to be careful when dealing with messages relating to financial transactions and when making electronic payments. This includes ensuring that they know to whom they are making a transfer, along with the purpose of that transfer.
In regard to authorised push payment fraud, the PSR as currently proposed places the liability on a consumer’s bank to provide compensation if the bank in question is impersonated to trick a consumer into making a payment, somewhat replicating protections under PSD2 and the current €50 contactless tap limit. However, as demonstrated by ComReg’s consultation, an array of public and private organisations are often impersonated by fraudsters to facilitate payment fraud, including delivery services, telecoms, toll companies and banks. The UK Payment Systems Regulator has gone further than the EU in requiring reimbursement for authorised push payment fraud. Rather than limiting the liability requirement to bank impersonation scenarios, the UK regime requires “payment firms to reimburse all in-scope customers who fall victim to APP fraud in most cases”. That policy will apply to all in-scope PSPs: “this includes high-street banks and building societies but also smaller payment firms”.[8] The approach under the EU’s PSR is different, as it is proposed to avoid moral hazard where consumers feel that they will always be compensated for instances of fraud.
Questions
Security and resilience are the cornerstone of a well-functioning payment system, capable of being trusted by consumers and small businesses. To ensure continued trust in the Irish system, consumers need to have the confidence to be able to make payments without the risk of being subject to fraudulent transactions. Fraud can be divided roughly into two types: authorised push payment fraud and unauthorised payment fraud. Unauthorised payment fraud involves a payment being made without the authorisation of the payer. By comparison, authorised push payment fraud involves the use of social engineering techniques by the fraudster to deceive the payer into making a payment to someone other than the intended recipient, or for a purpose other than what led the payer to make the payment.
4.7 Unauthorised payment fraud constitutes the largest share of fraud levels in Ireland. Are there initiatives beyond those in current legislation that can be undertaken domestically to address the issue? Are there best practices in other jurisdictions?
Fraudsters impersonate an array of organisations. Nevertheless, the European Commission’s proposed PSR concentrates the liability on banks under specific circumstances to provide redress to the consumer.
4.8 To what extent do you agree that a cross-industry engagement including actors outside the banking and payments sector is needed to adequately address the issue of authorised push payment fraud? If so, which sectors and actors are most relevant?
[1] Note: Card not present includes online purchases, phone orders, recurring payments and online invoices.
[3] Source: ECB Seventh report on card fraud
[5] Source: Ibid