May 10 • 2023

Instant SEPA Payments, Forthcoming Rules, and EPI buying IDEAL- How to get ready for the fraud issues?

Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.

Written by @Rob.Tharle, CYBERA’s Head of Product 

In the last couple of weeks the EPI announced it has purchase of iDEAL and its desire to increase instant payments in the EU. This builds on the EUs proposed regulation to increase the use of instant payments. In this blog I’ll explore what these are, their impact on fraud and scams and what firms should do to be ready. 

What are SEPA Instant Payments? 

SEPA Instant was introduced in November 2017 and as its name suggests allows the customers of participant institutions in the Europe to send real time payments in Euros. SEPA Instant has a limit of 100k EUR, which is lower than the UK and US equivalent limits of £1m & $1m respectively.

Unlike the UK and US, the take up has been fairly slow with only c14% of SEPA transactions instant at the end of 2022, compared to c11% a year earlier. This is partly to do with a premium being charged for instant payments and not all PSPs being ready to receive or send instant payments. 

As I explained when reviewing the impact of FedNow, the UK has seen extensive use of real time payments since its introduction 15 years ago and fraud to go along with it. 

What the EU is proposing? 

This slow growth has led the EU to make a proposal last year that would seek to increase the volume of instant payments. The key points put forward were: 

The ECB has recently published its thoughts with some amendments, namely: 

It is likely this will not be law until well into 2024, however. 

What is EPI looking to do with iDEAL and PQI? 

Moving on, the news in late April that the European Payments Initiative (EPI) has purchased iDEAL of the Netherlands and PQI of Luxemburg is interesting in this context. 

In the first instance EPI will be providing a digital wallet to provide P2P to customers in Germany and France, targeting the two largest economies and targeting a large percentage of cash transactions in the EU. From here, expanding this to other counties and then to remote and mobile retail payments. 

The EPI’s aim is to take on/replace US Centric card schemes with European based A2A transfers utilising Instant payments to take on remote payments, so these purchases can help it on its way. 

What’s this mean for fraud and scams? 

As we’ve seen elsewhere in the world, as real time payments become the norm, the level of fraud and scams increases1. So expect this to also increase in the EU. I’d expect to see more much higher volumes of real time payments, particularly P2P and online purchases and the fraud and scams that go with them. 

However, whatever systems already in place will need further investment to combat this increase in fraud. As such the IBAN name checking service, similar to the UKs and Netherlands Confirmation of Payee (COP) services is welcome. 

However, real time profiling models, even if in place already, will need to be developed, as these models will no longer be fit for purpose for a full P2P and open banking A2A eCommerce services. 

This is because the way people use these services and the data points are all different. Not only that how the fraudsters abuse them is also different. 

As such what it will also be interesting to see is how EU regulators approach scams and if they want to follow the UK’s example. The UK for instance is now running at c£583m p.a. of authorised fraud losses on top of c£130m unauthorised losses. And whilst unauthorised need to be refunded everywhere in the EU, the UK is pushing for 100% refunds by the paying bank with 50% rebate paid by the beneficiary bank. Will this become PSD3 for instance?  

Therefore, firms should be using the next 18 months or so to get ready for this. 

What should PSPs be doing to be ready? 

There are a number of areas PSPs in the EU should be investing in: 

  1. Improve application fraud and KYC system at onboarding, by adding mules watchlists and integrating to a fraud hub. This helps target mules throughout the lifecycle. 
  1. Undertake real time transaction monitoring of all transactions; outbound and inbound payments and non-monetary. This should include any extra details submitted as part of the ISO20022 payment message, e.g., invoice details. 
  1. Build multiple models using machine learning/AI to target unauthorised, authorised fraud and for mule behaviour to cover P2P, corporate and merchant payments. 
  1. Build the system to be scalable to ensure the performance is available when required – Instant payment values grow fast. 
  1. Ensure your fraud operations can support the 24/7 nature of real time payments and have the right volume of trained staff. Augment with smart workflows and automation to improve efficiency, including strong data sources for investigation. 
  1. Utilise a global fraud reporting service to improve the customer experience and help get victims funds back. 

Instant payments are an important part of the economy and as such its key that European citizens can actually utilise them and the EU regs and the EPIs wallet ambitions will help this. However, it is clear from this high-level analysis, that additional investment is required in fraud systems and people in order to protect the benefits that instant payments can bring to the economy.