While the majority of the PSD2 changes are set to make the banking and finance industries more secure, they're also requiring financial institutions to open up their data and implement new technologies, two things that might open the door for potential abuse.
The second Payment Services Directive, also known as PSD2, is a piece of European legislation on payment services that aims to end legacy financial institutions' monopoly on financially relevant information.
In order to give consumers the right to choose their preferred payment service provider (PSP), this regulation requires account-holding institutions to open up their data channels to third-party providers (TPPs) through dedicated application programming interfaces (APIs). Nevertheless, this only happens when account holders give their explicit consent to do so.
This exchange of relevant information between legacy financial institutions and other service providers does not happen, however, without an increased risk of fraud.
To boost security and lower overall fraud risk in the financial industry, the PSD2 upgrades the protection of consumers through strong customer authentication, also known as SCA. In addition to SCA, the revised Payment Services Directive also requires all payment service providers to implement an additional requirement known as dynamic linking, which ties each transaction to its amount and its recipient.
Even though the PSD2 sets advanced security requirements, digital transactions always carry an elevated possibility of fraud. For this reason, this set of rules also requires all payment service providers to continuously report fraud data on means of payment to their national regulatory authorities.
In order to address these risks as quickly and effectively as possible, banks should partner with experienced security providers and educate their customers on these changes and how they can affect them.
Open banking will only get more important as time goes on, so it is important that institutions incentivize their customers to keep their contact information up to date and make strong passwords mandatory.
Fraud monitoring: tools and mechanisms provided by the PSD2
In order to evaluate risk in real time and deal with potential abuse, regulators have introduced tools and mechanisms designed to diminish the risk of fraud and improve consumer trust in online payments.
Fraud monitoring tools serve as the primary means of detecting and countering fraudulent activity. They form part of the Regulatory Technical Standards on SCA and refer to mandatory mechanisms that enable Payment Service Providers (PSPs) to detect and prevent unauthorised or fraudulent payment transactions.
In the past, these tools were simple to operate but involved functions that required manual work. As technology improved, however, fraud analysis became more sophisticated while also becoming more agile and user-friendly.
Automated processes now make this type of assessment more dynamic, and can combine multiple solutions simultaneously to create extensive fraud monitoring tools.
PSD2 transaction monitoring mechanisms
Transaction monitoring mechanisms are part of the payment transaction analysis process, which has to meet regulations and requirements in order to successfully implement the authentication parameters.
There are minimum checks that must be carried out; they include, but are not limited to, these five:
- Checks for compromised or stolen authentication elements;
- Screening against known, established fraud scenarios;
- Screening of the device used for authentication for signs of malware;
- Detection of abnormal payment amounts (divergences from the payer's usual amounts);
- Analysis of the device or software, where the Payment Service Provider (PSP) supplies one for authentication.
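The five minimum checks above can be expressed as a small rule engine. The following is an added example, not code from the original article or from any PSP's actual monitoring system; the thresholds, the list of compromised authentication elements, the device malware flag and the sample payer profile are all constructed assumptions. It returns one signal per triggered check and maps the signals to a block, step-up (re-run SCA) or allow decision.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample data for illustration; none of this is real customer or fraud data.
# Identifiers of authentication elements the PSP already knows to be compromised (hypothetical).
COMPROMISED_AUTH_ELEMENTS = {"otp-seed-7f3a", "cert-serial-0042"}

# Thresholds are assumptions; a real PSP would tune them from its own fraud data.
HIGH_AMOUNT_EUR = 1000.0      # new-payee scenario threshold
ABNORMAL_MULTIPLIER = 5.0     # amount above this multiple of the payer's median is abnormal


@dataclass
class Transaction:
    payer_id: str
    amount_eur: float
    payee: str
    device_id: str
    auth_element_id: str       # e.g. the OTP seed or certificate used for SCA
    device_malware_flag: bool  # outcome of the PSP's device screening (assumed available)
    payee_is_new: bool


@dataclass
class PayerProfile:
    known_devices: set
    past_amounts_eur: list     # amounts of previously executed transactions


def check_transaction(tx, profile, compromised=COMPROMISED_AUTH_ELEMENTS):
    """Return the list of monitoring signals triggered, one per minimum check."""
    signals = []
    # 1. Compromised or stolen authentication elements
    if tx.auth_element_id in compromised:
        signals.append("compromised_auth_element")
    # 2. Known fraud scenario (constructed rule): first payment to a new payee above a threshold
    if tx.payee_is_new and tx.amount_eur >= HIGH_AMOUNT_EUR:
        signals.append("known_fraud_scenario:new_payee_high_amount")
    # 3. Signs of malware on the device used for authentication
    if tx.device_malware_flag:
        signals.append("malware_on_device")
    # 4. Abnormal amount compared with the payer's own history
    if profile.past_amounts_eur and tx.amount_eur > ABNORMAL_MULTIPLIER * median(profile.past_amounts_eur):
        signals.append("abnormal_amount")
    # 5. Device analysis: a device this payer has never authenticated from before
    if tx.device_id not in profile.known_devices:
        signals.append("unknown_device")
    return signals


def decide(signals):
    """Map signals to an outcome: hard indicators block, softer ones trigger step-up SCA."""
    hard = {"compromised_auth_element", "malware_on_device"}
    if any(s in hard for s in signals):
        return "block"
    if signals:
        return "step_up"
    return "allow"


def demo():
    """Run three constructed transactions against one constructed payer profile."""
    profile = PayerProfile(known_devices={"dev-A"}, past_amounts_eur=[100.0, 120.0, 90.0])
    txs = {
        "routine": Transaction("p1", 95.0, "grocer", "dev-A", "otp-seed-1111", False, False),
        "new_payee": Transaction("p1", 2500.0, "unknown-ltd", "dev-A", "otp-seed-1111", False, True),
        "stolen_otp": Transaction("p1", 40.0, "grocer", "dev-B", "otp-seed-7f3a", False, False),
    }
    return {name: decide(check_transaction(tx, profile)) for name, tx in txs.items()}


if __name__ == "__main__":
    print(demo())
```

The split between "hard" signals that block outright and softer ones that only trigger step-up authentication is the design choice worth noting: a compromised authentication element or malware on the device undermines SCA itself, so re-running SCA on that same channel proves nothing, whereas an unusual amount or an unseen device is better handled by asking the payer to authenticate again.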
Transaction monitoring vs transaction risk analysis
Transaction monitoring is often confused with transaction risk analysis. In the scope of the PSD2, transaction monitoring covers the checks listed above and is a legally mandatory process that supports SCA.
On the other hand, transaction risk analysis entails a comprehensive risk evaluation in real time. Its scope is much broader than transaction monitoring, taking more risk factors into account.
Fraud reporting: guidelines under the PSD2
The guidelines for fraud reporting in open banking were developed in collaboration with the European Central Bank and released by the European Banking Authority in July 2018 (article 96(6) of the PSD2).
These guidelines require payment service providers in the European Union (EU) and European Economic Area (EEA) to meet certain requirements regarding fraud reporting. The same applies to the Member States' competent authorities.
Payment service providers have to collect and provide statistical data on both fraudulent and valid transactions, and do so by using a consistent methodology, definitions and data breakdowns. The collected information must then be reported to competent authorities.
After that, competent authorities have to deliver this data in an aggregated form to the European Central Bank and European Banking Authority. It is worth mentioning that competent authorities have to report data on fraudulent payments without ruling out any specific types of payment service providers.
However, payment service providers that can only access and consolidate information from different consumers' payment accounts are excluded from the PSD2 fraud reporting requirement, since they cannot deliver any data on fraudulent transactions.
What is considered a fraudulent payment under the PSD2?
The guidelines on fraud reporting require payment service providers to provide information not only on the number and amount of all payment transactions but also on the number and amount of fraudulent transactions, reported on an annual or semi-annual basis.
The following are considered fraudulent payments, which may result in consumers' loss of funds, personal information or personal property:
- unauthorised payment transactions executed as a result of loss, theft, or misappropriation of payment information;
- payment transactions resulting from manipulation of the payer, where the fraudster deceives the payer into initiating a payment or instructing the financial services provider to issue a payment transfer.
To keep the reported data accurate, the PSD2 requires payment service providers to report only those fraudulent transactions that have already been executed and resulted in a transfer of funds.
Moreover, PSPs have to exclude fraudulent transactions that were blocked before execution on suspicion of fraud, and must refrain from reporting fraudulent transactions committed by the payment service user themselves.
In order to comply with the PSD2 fraud reporting requirements, financial service providers must adopt appropriate measures to be able to detect when payment service users are potentially being deceived by fraudsters.
How to report fraud under the PSD2
The PSD2 guidelines for fraud reporting determine two categories of fraudulent transactions: unauthorised transactions and transactions resulting from the manipulation of the payer by the fraudster.
These categories must be further divided using different breakdowns, based on the following features:
- the type of payment service: money remittance, payment initiation, debit or credit card payments, credit transfers and direct debits;
- the payment instrument: e-money or card;
- the reporting payment service provider: card transactions can be reported by the issuer, which provides and validates credit or debit cards for consumers and issues the payments, or by the acquirer, which authorises and processes card-payment transactions.
These categories can be further divided depending on the payment channel or authentication method, for example.
Also, the guidelines for fraud reporting under PSD2 require payment service providers to deliver transaction data broken down geographically. In other words, payment service providers must indicate whether the fraudulent transaction is one of the following:
- Domestic transaction: when the payment initiation service provider and the account servicing payment service provider are located in the same EEA country;
- Cross-border transaction within the EEA: when the payment initiation service provider and the account servicing payment service provider are located in different countries of the EEA;
- Cross-border transaction outside the EEA: when the payment initiation service provider is from the EEA and the account servicing payment service provider is outside the EEA.
Finally, when carrying out fraud reporting under the PSD2, PSPs should report separately the losses due to fraud borne by the payment service provider, by the payment service user (the payer) and by other institutions, as well as the total losses for all parties affected by the fraudulent transactions.
To maintain compliance with the guidelines on reporting fraud under the PSD2, payment service providers must deliver the statistical data on fraudulent transactions every six months.
Small payment institutions and e-money institutions are exempt from the requirement to report semi-annually. These payment service providers have to provide data on fraud annually, with a semi-annual breakdown.
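Putting the reporting rules above together (the two fraud categories, the exclusion of blocked and user-committed fraud, the three geographical buckets, losses by bearer and the half-yearly period), the following added example builds the aggregated figures a payment initiation service provider would hand to its competent authority. It is not code from the article or from any PSP or regulator; the record format, the hypothetical Portuguese PISP and all sample records are constructed, and the EEA country list is the standard one (EU 27 plus Iceland, Liechtenstein and Norway) that a real implementation should maintain from an authoritative source. Card transactions reported by an issuer or acquirer are outside this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# EEA member states: the 27 EU countries plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
    "IS", "LI", "NO",
}


@dataclass
class FraudRecord:
    executed_on: date
    amount_eur: float
    category: str                  # "unauthorised" or "manipulation" (the two PSD2 categories)
    pisp_country: str              # country of the payment initiation service provider
    aspsp_country: str             # country of the account servicing payment service provider
    executed: bool                 # False if blocked on suspicion of fraud before execution
    by_payment_service_user: bool  # True if the payment service user committed the fraud
    loss_bearer: str               # "psp", "psu" (the payer) or "other"


def geography(pisp_country, aspsp_country):
    """Classify a PIS transaction into the three geographical buckets."""
    if pisp_country not in EEA:
        raise ValueError("reporting PISP is assumed to be established in the EEA")
    if aspsp_country not in EEA:
        return "cross_border_outside_eea"
    if pisp_country == aspsp_country:
        return "domestic"
    return "cross_border_within_eea"


def half_year(d):
    """Reporting period label, e.g. 2023-H1 for January to June."""
    return f"{d.year}-H{1 if d.month <= 6 else 2}"


def is_reportable(rec):
    """Only executed fraud that was not committed by the user themselves is reported."""
    return rec.executed and not rec.by_payment_service_user


def build_report(records):
    """Aggregate counts and amounts by period, category and geography, plus losses by bearer."""
    totals = defaultdict(lambda: {"count": 0, "amount_eur": 0.0})
    losses = defaultdict(float)
    for rec in records:
        if not is_reportable(rec):
            continue
        period = half_year(rec.executed_on)
        key = (period, rec.category, geography(rec.pisp_country, rec.aspsp_country))
        totals[key]["count"] += 1
        totals[key]["amount_eur"] += rec.amount_eur
        losses[(period, rec.loss_bearer)] += rec.amount_eur
        losses[(period, "total")] += rec.amount_eur
    return dict(totals), dict(losses)


# Constructed sample records for a hypothetical Portuguese PISP.
SAMPLE_RECORDS = [
    FraudRecord(date(2023, 2, 10), 250.0, "unauthorised", "PT", "PT", True, False, "psp"),
    FraudRecord(date(2023, 3, 5), 1200.0, "manipulation", "PT", "DE", True, False, "psu"),
    FraudRecord(date(2023, 5, 20), 80.0, "unauthorised", "PT", "PT", True, False, "psp"),
    FraudRecord(date(2023, 6, 1), 5000.0, "unauthorised", "PT", "GB", False, False, "psp"),  # blocked: excluded
    FraudRecord(date(2023, 8, 14), 300.0, "manipulation", "PT", "PT", True, True, "psu"),    # user's own fraud: excluded
    FraudRecord(date(2023, 9, 9), 900.0, "unauthorised", "PT", "US", True, False, "other"),
]


if __name__ == "__main__":
    totals, losses = build_report(SAMPLE_RECORDS)
    for key in sorted(totals):
        print(key, totals[key])
    for key in sorted(losses):
        print(key, losses[key])
```

The exclusion filter runs before any aggregation, which is the point where most reporting errors creep in: a blocked attempt that never moved funds, or a chargeback the user themselves engineered, must not inflate the fraud figures, while the same blocked attempt does belong in the PSP's internal monitoring statistics.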
PSD2 insurance: Professional Indemnity Insurance (PII)
Before diving into the conceptual importance of Professional Indemnity Insurance, let's first refresh the central concepts of Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
What are AISPs?
AISPs are digital service providers that aggregate your financial information from all your banking institutions and present it in one place, for better financial management or to ease loan application processes, for example.
What are PISPs?
PISPs are third-party providers that can initiate online payments from a customer's account on their request.
Entities that provide one or both of these payment services must be able to meet their liabilities to consumers and banks, resulting from the provision of their services. In order to cover potential liabilities, the PSD2 demands that both AISPs and PISPs hold a Professional Indemnity Insurance (PII).
The European Banking Authority issues guidance on what the PII must address to be suitable for third-party providers. AISPs have to hold insurance that covers any liabilities that may result from unauthorised or fraudulent access to, or unauthorised or fraudulent use of, a customer's payment account information.
On the other hand, under the PSD2, PISPs must guarantee the coverage of liabilities arising from unauthorised payment transactions, non-execution and defective or late execution of payment transactions.
The European Banking Authority provides a formula for calculating the minimum monetary amount of the PII, based on a few criteria:
- Number of payment transactions authorised or payment accounts accessed;
- Range of business activities undertaken;
- Number of clients or amount of transactions in a given period;
Professional Indemnity Insurance under PSD2 is therefore crucial for both AISPs and PISPs, as it protects these third parties against claims for alleged negligence or breach of duty that may arise from an act, error or omission.
The PII does not, however, cover liability towards a third-party who has suffered loss or expenses resulting from a cyberattack or theft.
With this in mind, it is important that AISPs and PISPs consider a broader insurance programme, combined with the PII coverage required by the revised Payment Services Directive.