Written by @Rob.Tharle, CYBERA’s Head of Product
In the last couple of weeks the EPI announced it has purchase of iDEAL and its desire to increase instant payments in the EU. This builds on the EUs proposed regulation to increase the use of instant payments. In this blog I’ll explore what these are, their impact on fraud and scams and what firms should do to be ready.
What are SEPA Instant Payments?
SEPA Instant was introduced in November 2017 and as its name suggests allows the customers of participant institutions in the Europe to send real time payments in Euros. SEPA Instant has a limit of 100k EUR, which is lower than the UK and US equivalent limits of £1m & $1m respectively.
Unlike the UK and US, the take up has been fairly slow with only c14% of SEPA transactions instant at the end of 2022, compared to c11% a year earlier. This is partly to do with a premium being charged for instant payments and not all PSPs being ready to receive or send instant payments.
As I explained when reviewing the impact of FedNow, the UK has seen extensive use of real time payments since its introduction 15 years ago and fraud to go along with it.
What the EU is proposing?
This slow growth has led the EU to make a proposal last year that would seek to increase the volume of instant payments. The key points put forward were:
- It would be mandatory for all PSPs that provide credit transfers in EUROs to provide instant payments 24/7/365
- From the date of the law:
- 6 months to be ready to receive
- 12 months to be ready to send
- Not be able to charge a premium for Instant Payments
- In addition:
- IBAN Name check service – Confirmation of Payee (COP) like the UK
- Check accounts to sanctions lists as they are updated and at least once a day. If a firm has failed to do this and allowed funds to move via instant payments, they take liability.
The ECB has recently published its thoughts with some amendments, namely:
- Excluding EMIs and PIs from the rules, leaving only the direct participant banks covered
- Offer IBAN Name checking for no additional cost
It is likely this will not be law until well into 2024, however.
What is EPI looking to do with iDEAL and PQI?
Moving on, the news in late April that the European Payments Initiative (EPI) has purchased iDEAL of the Netherlands and PQI of Luxemburg is interesting in this context.
In the first instance EPI will be providing a digital wallet to provide P2P to customers in Germany and France, targeting the two largest economies and targeting a large percentage of cash transactions in the EU. From here, expanding this to other counties and then to remote and mobile retail payments.
The EPI’s aim is to take on/replace US Centric card schemes with European based A2A transfers utilising Instant payments to take on remote payments, so these purchases can help it on its way.
What’s this mean for fraud and scams?
As we’ve seen elsewhere in the world, as real time payments become the norm, the level of fraud and scams increases1. So expect this to also increase in the EU. I’d expect to see more much higher volumes of real time payments, particularly P2P and online purchases and the fraud and scams that go with them.
However, whatever systems already in place will need further investment to combat this increase in fraud. As such the IBAN name checking service, similar to the UKs and Netherlands Confirmation of Payee (COP) services is welcome.
However, real time profiling models, even if in place already, will need to be developed, as these models will no longer be fit for purpose for a full P2P and open banking A2A eCommerce services.
This is because the way people use these services and the data points are all different. Not only that how the fraudsters abuse them is also different.
As such what it will also be interesting to see is how EU regulators approach scams and if they want to follow the UK’s example. The UK for instance is now running at c£583m p.a. of authorised fraud losses on top of c£130m unauthorised losses. And whilst unauthorised need to be refunded everywhere in the EU, the UK is pushing for 100% refunds by the paying bank with 50% rebate paid by the beneficiary bank. Will this become PSD3 for instance?
Therefore, firms should be using the next 18 months or so to get ready for this.
What should PSPs be doing to be ready?
There are a number of areas PSPs in the EU should be investing in:
- Improve application fraud and KYC system at onboarding, by adding mules watchlists and integrating to a fraud hub. This helps target mules throughout the lifecycle.
- Undertake real time transaction monitoring of all transactions; outbound and inbound payments and non-monetary. This should include any extra details submitted as part of the ISO20022 payment message, e.g., invoice details.
- Build multiple models using machine learning/AI to target unauthorised, authorised fraud and for mule behaviour to cover P2P, corporate and merchant payments.
- Build the system to be scalable to ensure the performance is available when required – Instant payment values grow fast.
- Ensure your fraud operations can support the 24/7 nature of real time payments and have the right volume of trained staff. Augment with smart workflows and automation to improve efficiency, including strong data sources for investigation.
- Utilise a global fraud reporting service to improve the customer experience and help get victims funds back.
Instant payments are an important part of the economy and as such its key that European citizens can actually utilise them and the EU regs and the EPIs wallet ambitions will help this. However, it is clear from this high-level analysis, that additional investment is required in fraud systems and people in order to protect the benefits that instant payments can bring to the economy.