July 7 • 2023

EU PSPs to become liable for authorised frauds when they are impersonated 

Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.

EU Payment Services Regulation (PSR) and PSD3 replacing PSD2

Written by @Rob.Tharle, CYBERA’s Head of Product. 

Another month and another update on regulators starting to place liability onto banks and payment firms for authorised fraud transactions. And this time it is a big one, as it is a new EU regulation and so covers the whole of the EU: the Payment Services Regulation (PSR), which together with the Payment Services Directive 3 (PSD3) replaces and extends PSD2. In addition, there is also a new FIDA regulation for data sharing that extends Open Banking to Open Finance. 

Given the size of these regulations I’m going to focus on the following points: 

What has been proposed by the European Commission for the EU? 

Unauthorised fraud transactions are already well covered by PSD2, and this will carry across to the new legislation. However, there will now be some liability for PSPs for authorised transactions, albeit limited when compared with the UK.  

Article 59 of the PSR states that customers should be refunded in full by their PSP when: 

A consumer (not business) is manipulated by a third party that is impersonating their PSP using: 

Any refund is conditional on the consumer reporting the fraud to the PSP and to the police. The PSP must refund in full within 10 days or provide justification for not refunding, e.g. that the customer has acted fraudulently or with gross negligence. 

Article 59 does not differentiate between credit transfers and card-based transactions, so it should apply equally to both, and also to PISPs where appropriate. The proposals allow PSPs to be more favourable to the consumer than the regulation stipulates. 

In addition, it brings an obligation on telcos and other messaging providers to work with PSPs to stop these types of impersonation. We have seen this in several countries already, e.g. the UK, Singapore and Australia.  

The PSR also brings in IBAN-to-name checking service requirements. This service has already been proposed for Instant SEPA payments and is the equivalent of the UK's Confirmation of Payee (CoP) service. The PSR will cover both non-Euro instant and non-instant Euro credit transfers, as Euro Instant SEPA payments are covered already. 

Article 57 states that if a PSP does not let a consumer know of an IBAN-to-name mismatch, then the PSP is liable for any fraudulent transactions. 
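The IBAN-to-name check described above, written out as an added example (this is not code from the original post or from CYBERA). It validates the IBAN check digits, normalises the payee name the payer typed, classifies the comparison as a match, close match or no match, and then applies the Article 57 rule as summarised above: a mismatch the consumer was never told about leaves the liability with the PSP. The account register, the 0.8 close-match threshold and the outcome names are assumptions; the IBANs are the well-known ISO example numbers, not real accounts. The close-match scoring goes beyond the text, which only speaks of a mismatch.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, Optional


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, replace letters
    with their numeric values (A=10 ... Z=35) and require the result mod 97 == 1."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", compact):
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def normalise_name(name: str) -> str:
    """Case-fold, strip punctuation and common honorifics so that 'Mr. J. Smith'
    and 'j smith' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    honorifics = {"mr", "mrs", "ms", "dr"}
    return " ".join(t for t in tokens if t not in honorifics)


# Constructed sample register standing in for the payee PSP's account-holder lookup.
# The IBANs are the ISO example numbers, not real accounts.
ACCOUNT_HOLDERS: Dict[str, str] = {
    "GB82WEST12345698765432": "John Smith",
    "DE89370400440532013000": "Alice Jones",
}

CLOSE_MATCH_THRESHOLD = 0.8  # assumed cut-off; a real scheme tunes this itself


@dataclass
class CopResult:
    outcome: str                   # MATCH, CLOSE_MATCH, NO_MATCH, INVALID_IBAN or UNKNOWN_ACCOUNT
    account_holder: Optional[str]  # returned only on CLOSE_MATCH so the payer can correct the name


def check_payee(iban: str, payee_name: str,
                register: Dict[str, str] = ACCOUNT_HOLDERS) -> CopResult:
    """Compare the name the payer typed with the name held against the IBAN."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not iban_is_valid(compact):
        return CopResult("INVALID_IBAN", None)
    holder = register.get(compact)
    if holder is None:
        return CopResult("UNKNOWN_ACCOUNT", None)
    given, actual = normalise_name(payee_name), normalise_name(holder)
    if given == actual:
        return CopResult("MATCH", None)
    similarity = SequenceMatcher(None, given, actual).ratio()
    if similarity >= CLOSE_MATCH_THRESHOLD:
        return CopResult("CLOSE_MATCH", holder)
    return CopResult("NO_MATCH", None)


def psp_liable_under_article_57(result: CopResult, consumer_warned: bool) -> bool:
    """Article 57 as summarised above: a PSP that fails to tell the consumer about a
    mismatch carries the liability for a resulting fraudulent transaction. What happens
    when the consumer saw the warning and went ahead anyway is decided elsewhere
    (assumption: by other articles, not modelled here)."""
    mismatch = result.outcome in ("CLOSE_MATCH", "NO_MATCH")
    return mismatch and not consumer_warned


if __name__ == "__main__":
    for iban, name in [("GB82 WEST 1234 5698 7654 32", "Mr. Jon Smith"),
                       ("GB82WEST12345698765432", "Alice Jones"),
                       ("GB82WEST12345698765433", "John Smith")]:
        result = check_payee(iban, name)
        print(iban, name, result.outcome,
              "PSP liable if not warned:", psp_liable_under_article_57(result, False))
```

The point of keeping the liability decision in its own function is audit: the PSP needs to be able to show, per transaction, both what the check returned and whether the consumer was actually shown the mismatch, because under Article 57 the second fact is what moves the liability.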

PSPs are also liable (strictly, these are unauthorised transactions) where SCA is not undertaken when it should be, or where the PSP has used an exemption to SCA. This can be the payee's PSP in the case of merchant transactions. 

In addition, it makes Open Banking Payment Initiation Service Providers (PISPs) liable for unauthorised transactions; they should refund the account servicing PSP.  

The PSR also gives PSPs the ability to block payments being made, or the underlying credentials, where this can be justified, e.g. for the prevention and detection of fraud. Such blocks should not be permanent.  

To help clear up the complications of data sharing for fraud prevention under GDPR, firms will also be allowed to share financial data to prevent fraud and money laundering. This will need to be authorised by the EBA and take place via established schemes.  

Article 83 will likely need some clarity in EBA guidance. At present it suggests firms can share unique identifiers (i.e. IBANs) where two customers of the PSP have reported the IBAN as receiving fraudulent payments. This sharing on its own should not result in an account being closed or an account not being opened, but it does allow payments to be stopped and investigated. Further investigation should allow firms to close accounts where fraud and money laundering (ML) have occurred, and likewise not to onboard customers where their investigations believe this to be the case, but this will need to be clarified. 
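The Article 83 sharing condition and its limits, as an added example (not code from the original post or from CYBERA). An IBAN becomes shareable only once at least two distinct customers of the PSP have reported it as receiving fraudulent payments, and a hit on the shared list on its own justifies holding the payment for investigation, not closing the payee's account; closure follows only from a confirmed investigation. The report structure, the sample reports and the decision names are constructed assumptions; the IBANs are the ISO example numbers, not real accounts.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class FraudReport:
    """One customer of this PSP reporting that a payment they made to payee_iban
    turned out to be fraudulent. Constructed sample data follows."""
    report_id: str
    reporting_customer: str
    payee_iban: str


# Constructed sample reports (IBANs are the ISO example numbers, not real accounts).
SAMPLE_REPORTS: List[FraudReport] = [
    FraudReport("r1", "cust-001", "DE89370400440532013000"),
    FraudReport("r2", "cust-002", "DE89370400440532013000"),  # second, independent customer
    FraudReport("r3", "cust-003", "NL91ABNA0417164300"),
    FraudReport("r4", "cust-003", "NL91ABNA0417164300"),      # same customer reporting twice
    FraudReport("r5", "cust-004", "GB82WEST12345698765432"),
]

MIN_DISTINCT_REPORTERS = 2  # the "two customers" condition in the article as summarised above


def shareable_ibans(reports: List[FraudReport],
                    min_reporters: int = MIN_DISTINCT_REPORTERS) -> Set[str]:
    """IBANs reported by at least min_reporters distinct customers. Counting distinct
    customers rather than raw reports stops a single complainant, or a duplicate
    submission, from putting an account on the shared list."""
    reporters: Dict[str, Set[str]] = defaultdict(set)
    for r in reports:
        reporters[r.payee_iban].add(r.reporting_customer)
    return {iban for iban, who in reporters.items() if len(who) >= min_reporters}


def decide(payee_iban: str, shared: Set[str],
           investigation_outcome: Optional[bool] = None) -> str:
    """Outbound payment screening against the shared list.

    A hit with no investigation yet only justifies stopping the payment and looking
    into it. Account-level consequences (closure) follow only once the PSP's own
    investigation has confirmed fraud or money laundering; a negative finding
    releases the payment."""
    if payee_iban not in shared:
        return "PROCEED"
    if investigation_outcome is None:
        return "HOLD_FOR_INVESTIGATION"
    return "CLOSE_ACCOUNT" if investigation_outcome else "RELEASE_PAYMENT"


if __name__ == "__main__":
    shared = shareable_ibans(SAMPLE_REPORTS)
    print("shareable:", sorted(shared))
    for iban in ("DE89370400440532013000", "NL91ABNA0417164300", "GB82WEST12345698765432"):
        print(iban, decide(iban, shared))
    print("after confirmed investigation:", decide("DE89370400440532013000", shared, True))
```

Keeping the threshold on distinct reporting customers, and the investigation outcome as an explicit input, makes the two things the article separates visible in the code: what sharing alone permits, and what needs the firm's own investigation before it can happen.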

Article 83 also covers revisions to the fraud profiling that firms should undertake. As ever, this should encompass authorised frauds as well as unauthorised frauds. Firms should not constrain themselves to outbound payments only, but should also profile inbound payments. 

On top of this, with the extra liability, firms should be helping customers to get their funds back, both to help victims and to reduce their own liability. 

We can see that the EU will join the countries bringing liability to banks for authorised fraud, but will not go as far as the UK. This is important, as the increased use of instant payments that will come from the Instant Payments Regulation will increase authorised fraud and scams in the EU. 

Timescales are complicated by the European elections in 2024, so progress will either be very fast or there will be a hiatus until they are finished. As such, new and/or amended RTS to replace the PSD2 ones will take some time to become law. If the old ones are not changed they stay in place. 

The regulation becomes law 20 days after publication in the Official Journal and comes into force 18 months after that, so the earliest likely date of coming into force is Q3 2025. 

About CYBERA  

At CYBERA we're on a mission to stop money laundering and help protect customers from scams and other financial cybercrime. We close gaps that allow cyber criminals to thrive by sharing crime data in real-time with financial institutions, fintech, and crypto exchanges, and coordinating a global response to support customers who have become victims of financial cybercrime.  

CYBERA WATCHLIST™ helps support firms to reduce fraud and money laundering and meet regulatory requirements as part of a holistic fraud and financial crime strategy.  

Financial Institutions (FIs) can check against the CYBERA WATCHLIST™ for confirmed mule accounts when processing payments. For outbound and inbound payments, where there is a match on either the IBAN (or account number and sort code) or on the name, the transaction can be flagged as high risk.  

At account opening and during ongoing CDD, email, phone and name can be matched against the CYBERCRIME WATCHLIST™ to reduce the opening of new mule accounts.  

CYBERA VSR™ further supports by providing users with alerts of any of their accounts reported as mules directly in their dashboard.  

Unlike other data sources, CYBERA is a global solution, so is well placed to support the increasing levels of cross-border real-time payments.