PSD2 Fraud Reporting


PSD2, also known as the second Payment Service Directive, is European legislation on payment services in the internal market that entered into force in January 2016 and applies since January 2018. This directive aims to remove account-holding financial institutions‘ monopoly on consumers‘ data by allowing customers, which are individuals and businesses, to use third-party financial service providers to manage their finances outside of their account-holding financial institutions. To provide consumers with the right to choose wanted payment service providers, PSD2 requires account-holding institutions to open up their data channels to third parties through dedicated interfaces only when account holders give their explicit consent to do so. However, with the requirement for account-holding institutions to exchange data with other financial service providers comes an increased risk of fraud. To boost security and lower overall fraud in the financial industry, PSD2 upgrades the protection of consumers through strong customer authentication, also known as SCA. SCA requires payment service providers to verify the consumer's identity with at least two of three independent authentication elements, for instance, a smartphone or token combined with a password or biometric feature, such as an iris scan. In addition to stronger consumer authentication, PSD2 demands all payment service providers to include an additional requirement known as dynamic linking that links each transaction to its value and the recipient. Even though PSD2 provides advanced security requirements, there is always a higher possibility of fraud regarding digital transactions. For this reason, PSD2 also demands all payment service providers continuously report fraud data on means of payments to their national regulatory authorities. Let us take a closer look at the requirements under PSD2 on fraud reporting for payment service providers in the EU.

Guidelines on fraud reporting under the PSD2

Guidelines for fraud reporting were developed with the help of the European Central Bank and released by the European Banking Authority in July 2018 in article 96(6) of PSD2. These guidelines require payment service providers in the EU and the EEA and the Member States’ competent authorities to meet certain regulations in regard to reporting data on fraud. Specifically, payment service providers under PSD2 are obligated to collect and provide statistical data on both fraudulent and valid transactions using a consistent methodology, definitions, and data breakdowns. Payment service providers then must report information on fraud to their competent authorities. Guidelines on fraud reporting under PSD2 also demand these competent authorities to deliver this data in aggregated form to the European Central Bank and the European Banking Authority. Moreover, these guidelines for fraud reporting ensure that competent authorities report data on fraudulent payments without ruling out any specific types of payment service providers. However, payment service providers that can only access and consolidate information from different consumers‘ payment accounts are excluded from the PSD2 fraud reporting requirement because they cannot deliver any data on fraudulent transactions.

The fraud data reported under PSD2

As already mentioned, guidelines on fraud reporting require payment service providers to report information not only on the number and amount of all payment transactions but also on the number and amount of fraudulent transactions made on an annual or semi-annual basis. Fraudulent payments that can result in the consumers‘ loss of funds, personal information, or personal property include the following:

  • unauthorized payment transactions executed as a result of loss, theft, or misappropriation of payment information;
  • payment transactions resulting from manipulation of the payer when the fraudster scams and uses the payer to initiate a payment or give instruction to issue a payment transfer by the financial services provider.

To ensure the accuracy of provided data, PSD2 requires payment services providers to report only those fraudulent transactions that have already been executed and resulted in a transfer of funds. Also, payment service providers must exclude fraudulent transactions blocked before their execution due to suspicion of fraud. Moreover, payment service providers should not report fraudulent transactions made by the payment service user. For compliance with PSD2 fraud reporting requirements, financial service providers must adopt appropriate measures to be able to detect when payment service users are potentially being deceived by fraudsters.

How is PSD2 fraud reporting performed?

When performing PSD2 fraud reporting, two categories of fraudulent transactions: unauthorized transactions and transactions resulting from manipulation of payer by the fraudster, must be further divided using the different breakdowns. These data breakdowns depend on the following features:

  • the type of payment services, for instance, money remittance services, payment initiation services, debit or credit card based payment services, such as direct debit or credit transfer;
  • payment instrument, for example, e-money or card;
  • relevant reporting payment service provider, for instance, payment transactions made by card can be reported by the issuer, that provides and validates credit or debit cards for consumers and issue payments, or acquirer that authorize and process card-payment transactions.

These categories can be divided even further depending on payment channel and authentication method, etc. Also, guidelines for fraud reporting under PSD2 require payment service providers to deliver transaction data following the geographical breakdown. In other words, payment service providers must indicate whether the fraudulent transaction is one of the following:

  • the domestic transaction, when payment initiation service provider and the account servicing payment service are located in the same country of the EEA;
  • cross-border transaction within the EEA, when the payment initiation service provider and the account servicing payment service provider are located in different countries of the EEA;
  • cross-border transaction outside the EEA, when the payment initiation service provider is from the EEA and the account servicing payment service provider is outside the EEA.

Finally, when carrying out PSD2 fraud reporting, payment service providers should report separate losses due to fraud for the payment service provider, payment service user, aka payer, other institutions, and total losses of all parties affected by fraudulent transactions.

How frequently must financial service providers perform PSD2 fraud reporting?

To maintain compliance with guidelines on reporting fraud under PSD2 payment service providers must deliver the statistical data on fraudulent transactions every six months. However, the requirement to carry out fraud reporting on a semi-annual basis is exempted for small payment institutions and e-money institutions. These payment service providers have to provide data on fraud annually with a semi-annual breakdown.

Conclusion for PSD2 fraud reporting

The second Payment Services Directive transforms the banking industry of the European Union prominently by demanding account-holding financial institutions to share data with third-party providers. Even though the exchange of data between different parties ensures more innovative financial services to consumers, it also brings new challenges for consumers' security. Guidelines on fraud reporting under PSD2 ensure that payment service providers deliver transparent fraud data, which helps to improve the protection of customer information.

Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.