Response to discussion Paper on the EBA’s preliminary observations on selected payment fraud data under the Payment Services Directive


Question 1: Do you have any views on the high share of cross-border frauds in the total volume of fraud?

The driving principle behind the fraud provisions of the second Payment Services Directive (PSD2), and Strong Customer Authentication (SCA) in particular, was to better protect consumers in purchase and payment transactions. While this ambition has been broadly successful, not all regional authorities around the world have been as proactive in implementing similar regulations to tackle fraud. The data shared in the EBA's preliminary findings shows the benefit of stepping transactions up to two-factor authentication (2FA) in combatting and reducing rates of fraud. The challenge now is 'authorised fraud', i.e. transactions in which the customers themselves complete the 2FA process to authenticate the transaction. eCommerce in particular has become increasingly globalised, with consumer attitudes evolving to accept the risk of purchasing from unfamiliar websites and merchants regardless of their geolocation. In some international markets we see higher numbers of fraudulent merchants running scams in the eCommerce environment. This creates a challenge for issuers and banks in Europe when attempting to recover funds from these incidents of fraud on behalf of their payment service users (PSUs).
In Featurespace's experience, many Payment Service Providers (PSPs) in Europe are still in the process of evolving their fraud prevention strategies beyond rules-based engines*, which look for historic data patterns. The speed of change in consumer attitudes and fraud trends creates situations in which these rules-based engines struggle to set accurate risk thresholds for current operations. As a minimum, applying adaptive rules technology is prudent in the short term to prevent further rises in cross-border fraud. Featurespace recommends that PSPs transition to a real-time machine learning strategy, which has shown greater effectiveness in reducing the rate of cross-border fraud in proof-of-concept (POC) and benchmark tests.
*Research from the European Commission conducted in 2020 and published in 2021 found that only 15% of firms in the 'IT, finance, real estate & scientific' sector had adopted an AI application for fraud and risk.

Question 2: Do you have any comments on the patterns that are outlined in the chapter “patterns emerging from the selected data”?

What is clear in the preliminary data is that, even without 100 percent adoption across the payment ecosystem, SCA has begun to deliver the desired effect of reducing fraud in traditional typologies. The unanticipated consequence, however, is that fraudsters have turned to a new vulnerability in payments: the customer, or PSU. The rising fraud typology is scams, which necessitates a shift in how the industry approaches fraud prevention. Historically, a market-wide trend analysis approach worked well for identifying specific vulnerabilities such as merchant compromise. With scams, the challenge is to understand the individual behavioural trends of each PSU and protect the individual rather than the customer segment.
This is a challenge for the industry because a scam payment is initiated and authenticated by the genuine PSU, so it appears genuine to traditional rules-based fraud prevention strategies. The industry has made good progress in developing strategies to combat Authorised Push Payment (APP) fraud, particularly on instant payments, and this is a primary focus for many issuers. In markets with high levels of APP fraud, such as the UK, much of that focus has been on additional tools within the payment flow, such as Confirmation of Payee (CoP). CoP helps prevent some less sophisticated APP scams, but it still leaves the PSU responsible for recognising that they are the victim of an attempted scam and does not provide the level of consumer protection that PSD2 set out to achieve. Ultimately, the fraud prevention strategies of financial institutions, issuers, acquirers, networks, Payment Initiation Service Providers (PISPs), PSPs and other participants in the ecosystem, including Account Information Service Providers (AISPs), need to evolve to make more accurate risk-based decisions in real time across much more varied and complex data sets in order to better protect PSUs. Among current fraud detection tools, real-time machine learning is best suited to preventing this type of fraud.
Scams are not only an issue for instant payments. While APP fraud has much of the current industry focus, more needs to be done to prevent scams on card transactions. Fraudsters are developing new scams that exploit the 2FA workflow and PSUs' familiarity with 2FA components such as One Time Passwords (OTPs). A common card scam technique is a phone call to the PSU purporting to come from the issuer and requesting an OTP in order to block or cancel a suspicious transaction. The OTP exists only to approve a transaction, so a request to read one out in order to stop a transaction is itself the tell, but preying on the PSU's emotions and applying time pressure has proven successful in convincing PSUs to hand over their OTP. It is then used in combination with card details and Personally Identifiable Information (PII) phished or smished through other channels to make large purchases, not always of goods. Purchasing cryptocurrency in this way and then transferring the funds to a crypto wallet creates a complex trail for PSPs to follow if they attempt to recover the scammed funds.

Question 3: Do you have any potential further explanations as to why, in the specific case of the remote credit transfers, the fraud rate reported by the industry is higher for payments authenticated with SCA compared to payments that are not authenticated with SCA?

As with other fraud rates, an increase in unanticipated areas is most likely the result of fraudsters switching from historic fraud typologies to new scams. Banks in Europe in particular have been working towards SCA for some time, even ahead of the regulatory deadline, and this has largely halted fraud on lower-value card transactions. The greater effort and resource needed to commit a scam compared with traditional card fraud means that organised criminals have begun to target credit transfers with tactics such as investment scams, to drive a higher average loss per incident. Fraudsters are also increasingly sophisticated and aware of regulatory requirements: they know that these higher-value credit transfers will necessitate a step up to 2FA, and more and more scammers are engineering their tactics around this requirement.

Question 4: Do you have any potential explanations why PSUs bear most of the losses due to fraud for credit transfers and cash withdrawals?

Under current payments fraud regulation, PSPs may decline a PSU's fraud reimbursement claim on the grounds of negligence by that PSU. These rules were designed to protect issuers from liability on chip and PIN (EMV) authenticated card transactions, where a PSU might have negligently allowed a fraudster to obtain their PIN. In the modern payments era these rules are no longer fit for purpose: they were designed for an age when fraudsters targeted the payment instrument, whereas in the current epidemic of scams the target is the PSU. Individual PSUs cannot be expected to be alert to every potential scam tactic, particularly when the tactics have become so sophisticated. Organised criminal networks now operate these scams at scale, with convincing collateral branded to appear as though it came from the banks themselves and highly trained teams of bad actors executing the scam scripts by phone or in person. Cash withdrawals have been drawn into the rising fraud rates as an unanticipated consequence of new digital services, such as the 'get cash' function in many banks' apps. Criminals no longer need a physical card and PIN to fraudulently withdraw funds from an ATM, as long as they can gain access to digital banking services through techniques such as phishing and smishing. It is therefore crucial to build a holistic view of each customer and their genuine behaviour across all banking and payment channels, in order to stop fraud even where the transaction appears to have been authenticated by the PSU.
Most modern scams centre on convincing the PSU to authenticate or authorise the transaction themselves, partly because the criminal networks know that this pushes the incident outside the fraud and recovery team's purview. They are in fact less likely to be directly pursued by the banks.
Without a regulatory framework obliging banks to treat scams under the same consumer protections as other kinds of fraud, PSUs will continue to bear the burden. Because of the considerable rate of APP scams in the UK, a voluntary charter was created by some banks to reimburse PSUs they judged to have been genuinely scammed. This was partly the result of lobbying by the public and by bodies such as the Financial Conduct Authority (FCA). However, without clear legislation the level of protection for PSUs varies between institutions. There is a clear need for a consistent regulatory framework with which FIs must comply, rather than recommendations to which they may choose to subscribe.

Question 5: Do you have any potential explanations why the percentage of losses borne by the PSUs substantially differs across the EEA countries?

The inconsistency of liability regulations between individual European Economic Area (EEA) countries, as well as differing customer strategies, accounts for some of the differences in the percentage of losses borne by PSUs between these markets. Additionally, as the EBA itself notes in point 10 of its methodology, there is a lack of consistency in data structuring and reporting between EEA countries, which also contributes to the substantial differences.
Payment trends also contribute to these differences. As noted in our response to question 4, in scams where the PSU authenticated or authorised the transaction, many local regulations do not require the issuer to bear the losses. Figure 12 shows that the payment type where PSUs bear the highest percentage of losses is credit transfers, so countries in which credit transfers make up a large share of total payments are likely to see a higher percentage of overall losses borne by PSUs. These may be the EEA countries with higher adoption of instant payment services, such as Hungary, the Netherlands, Spain and Sweden, although the preliminary findings in the EBA report do not break down the losses borne on credit transfers by country.

Question 6: Do you have any potential explanations why the industry has reported fraud losses as having been borne mostly or significantly by “others”?

The category of "others" could include merchants. This could be explained by the variable states of readiness for 3D Secure (3DS) among merchants ahead of the PSD2 and SCA deadlines. As the data in the preliminary findings was primarily gathered before the final readiness deadlines for SCA, many merchants were not 3DS-ready at the time. It is likely that many issuers were looking to move away from direct-authorisation exemption agreements with merchants and shift liability for fraud to those merchants. Now that approximately 80 percent of remote (Card Not Present, CNP) transactions across the region undergo 3DS and SCA, this share of the fraud loss burden is likely to shift. We suggest that the reporting model be updated to include a merchant category against which the bearing of losses can be assigned.
Greater specificity in the reporting taxonomy more broadly would benefit future data analysis. Within the payment types, breaking credit transfers down into SEPA Credit Transfers (SCT), or BACS in the UK, versus instant payments should help validate some of the current potential explanations. Globally, we see central bodies specifying both the taxonomy and the reporting structure more strictly in order to receive more usable data for analysis. The Federal Reserve's FraudClassifier model is one example.

Question 7: Do you have any views regarding the observed correlation between the value of fraud and the value of losses due to fraud between H2 2019 and H2 2020?

As noted in our response to question 1, the increasing number of cross-border transactions, and the challenges of monitoring those transactions, preventing fraud and recovering fraud losses, play a role in the increasing value of fraud losses despite a slight reduction in overall volume.
The increase in scams, and the generally higher average transaction value associated with them, partly explains the correlation. Exacerbating the losses is the increasing adoption of instant payments and their irrevocable nature. When scams are committed on instant payments, often as APP fraud, the funds are almost impossible to recover.
There has been a steady increase in the recruitment of money mules, particularly among vulnerable segments of PSUs, since the launch of instant payments. More data is needed on account opening and application fraud in relation to mule accounts, which are often used in a chain of rapid sequential transactions so that fraud losses become impossible to trace and recover. There also needs to be more coordinated PSU education across PSPs so that the criminality of operating a mule account is understood.
One contributing element of the increasing value of losses not directly represented in the available data may be the emergence of cryptocurrencies and their easy accessibility to all, including organised criminals. Scams 'cashed out' as cryptocurrency are also more complex for PSPs to attempt to recover.
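The "chain of rapid sequential transactions" through mule accounts described above can be made visible in transaction data: an account that forwards most of an inbound credit within minutes behaves as a pass-through, and following those hops from the victim's payment reconstructs the chain while the funds may still be within reach. The following is an added illustration written for this page, not Featurespace's product logic or anything from the EBA report; the ledger, account names, the 30-minute window and the 80 percent forwarding ratio are all constructed assumptions.

```python
"""Tracing rapidly forwarded funds through mule accounts.

Added illustration, not Featurespace code: a pass-through check over a constructed transfer
ledger. An account that forwards most of an inbound credit within a short window behaves
like a mule, and following those hops from the victim's payment reconstructs the chain.
Account names, amounts, the 30-minute window and the 80% forwarding ratio are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    ts: datetime
    src: str
    dst: str
    amount: float   # EUR


def _t(hh: int, mm: int) -> datetime:
    return datetime(2021, 3, 1, hh, mm)   # one constructed business day


# Constructed ledger: the victim's 9000 EUR APP payment is split and forwarded within minutes,
# while two legitimate recipients keep what they receive.
SAMPLE_LEDGER = [
    Transfer("t01", _t(9, 0), "VICTIM", "SHOP", 120.0),
    Transfer("t02", _t(9, 30), "VICTIM", "RETAIL-1", 300.0),
    Transfer("t03", _t(9, 45), "RETAIL-1", "SUPPLIER", 50.0),
    Transfer("t04", _t(10, 0), "VICTIM", "MULE-1", 9000.0),
    Transfer("t05", _t(10, 7), "MULE-1", "MULE-2", 4500.0),
    Transfer("t06", _t(10, 7), "MULE-1", "MULE-3", 4400.0),
    Transfer("t07", _t(10, 15), "MULE-2", "MULE-4", 4450.0),
    Transfer("t08", _t(10, 40), "MULE-4", "EXCH-WALLET", 4400.0),
    Transfer("t09", _t(16, 0), "SHOP", "LANDLORD", 2000.0),   # hours later: normal business
]


def outgoing_within(ledger: List[Transfer], account: str, start: datetime,
                    window: timedelta) -> List[Transfer]:
    """Debits from `account` in [start, start + window]."""
    return [t for t in ledger if t.src == account and start <= t.ts <= start + window]


def passthrough_accounts(ledger: List[Transfer], window: timedelta = timedelta(minutes=30),
                         min_fraction: float = 0.8) -> Set[str]:
    """Accounts that forward at least `min_fraction` of some inbound credit within `window`."""
    flagged: Set[str] = set()
    for credit in ledger:
        outs = outgoing_within(ledger, credit.dst, credit.ts, window)
        if outs and sum(o.amount for o in outs) >= min_fraction * credit.amount:
            flagged.add(credit.dst)
    return flagged


def trace_chain(ledger: List[Transfer], first: Transfer, window: timedelta = timedelta(minutes=30),
                min_fraction: float = 0.8, max_hops: int = 10) -> List[Transfer]:
    """Follow the victim's payment hop by hop while each recipient forwards it quickly.

    At each hop the largest onward leg is followed (a simplification; a full tracer would
    branch on every leg so that split funds such as t05/t06 are both pursued).
    """
    chain = [first]
    current = first
    for _ in range(max_hops):
        outs = outgoing_within(ledger, current.dst, current.ts, window)
        if not outs or sum(o.amount for o in outs) < min_fraction * current.amount:
            break
        current = max(outs, key=lambda o: o.amount)
        chain.append(current)
    return chain


def chain_accounts(chain: List[Transfer]) -> List[str]:
    """Ordered accounts the funds passed through, victim first."""
    return [chain[0].src] + [t.dst for t in chain]


if __name__ == "__main__":
    victim_payment = next(t for t in SAMPLE_LEDGER if t.tx_id == "t04")
    print("pass-through accounts:", sorted(passthrough_accounts(SAMPLE_LEDGER)))
    print("funds path:", " -> ".join(chain_accounts(trace_chain(SAMPLE_LEDGER, victim_payment))))
```

On the constructed ledger the pass-through check flags MULE-1, MULE-2 and MULE-4 but neither the shop (which pays its landlord hours later) nor the retailer (which forwards only a small fraction), and the trace from the victim's payment ends at the exchange wallet. In practice the window and ratio must be tuned per institution, and a real tracer has to branch at every split rather than follow the largest leg.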

Question 8: How do you explain the fact that the manipulation of the payer by the fraudster represents a substantial share of the fraudulent non-remote credit transfers authenticated with SCA? How is this fraud type concretely executed by the fraudsters?

Another unanticipated consequence of the shift to SCA and 2FA is that segments of society which are not typical digital natives, such as the elderly and other vulnerable PSU groups, are now required to authenticate transactions by digital means. These groups have become the target of high-value scams on credit transfers, which use social engineering to convince vulnerable PSUs to divulge their OTP and so pass the SCA requirement. These scams are often conducted by phone or even in person, with impersonation scams growing as fraudsters pose as anything from law enforcement to utility companies in order to confuse or convince the PSU. Given that these 'analogue' PSUs are the most likely to visit a branch to execute a credit transfer instruction, scammers can convince them to present in person at a branch and provide 2FA for an APP fraud transaction.
In these scenarios, 2FA alone may meet the letter of the law but not its spirit; it is not sufficient to truly improve payment protection for PSUs in Europe. Again, more dynamic fraud prevention solutions and strategies are needed to identify whether the behaviour of the PSU is out of character and perhaps subject to manipulation. Real-time machine learning can be used to identify these anomalies and prevent credit transfer fraud even when it is authenticated with SCA non-remotely. It is crucial that the industry shifts to solutions and strategies that focus on the individual customer if it is to protect these vulnerable PSUs and prevent fraud on payments authenticated with SCA.
We should expect a drop in the rate of this kind of fraud in data collected during the lockdown and social distancing periods of the pandemic, since neither PSUs nor criminals could move as frequently or freely, but it may rise again now that restrictions on movement have been lifted.
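The point made here, in the response to question 2 (protect the individual rather than the customer segment) and in the response to question 4 (a holistic view of each customer's genuine behaviour), is that a scam payment passes every segment-wide rule because the genuine PSU authenticates it, and is only visible against that PSU's own history. The following added example, written for this page and not Featurespace's model or anything from the EBA report, contrasts a single amount threshold applied to a whole segment with a per-PSU baseline built from each customer's own payments. The accounts, payees, amounts, thresholds and weights are constructed, and the median/MAD score is a simple stand-in for the learned real-time model the response advocates.

```python
"""Per-PSU behavioural baseline versus a segment-wide static rule.

Added illustration, not Featurespace code or any vendor's model: a single amount threshold
applied to a whole customer segment is compared with a baseline built from each PSU's own
payment history. The accounts, payees, amounts and weights are all constructed for the
example; the median/MAD score stands in for the learned model the response advocates.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Set


@dataclass(frozen=True)
class Payment:
    psu: str        # payer (constructed identifier)
    payee: str      # beneficiary (constructed identifier)
    amount: float   # EUR
    hour: int       # local hour of initiation, 0-23
    sca: bool       # True when the PSU completed SCA for this payment


@dataclass
class Baseline:
    amounts: List[float] = field(default_factory=list)
    payees: Set[str] = field(default_factory=set)
    hours: List[int] = field(default_factory=list)


STATIC_THRESHOLD = 5000.0   # hypothetical segment-wide rule: flag any amount above this
DECISION_THRESHOLD = 0.6    # hypothetical cut-off on the behavioural score

# Constructed history: a small business that routinely pays suppliers several thousand
# euros, and a retail customer whose payments are tens of euros.
SAMPLE_HISTORY = [
    Payment("PSU-A", "SUPPLIER-1", 3000.0, 10, True),
    Payment("PSU-A", "SUPPLIER-2", 5200.0, 11, True),
    Payment("PSU-A", "SUPPLIER-1", 4100.0, 10, True),
    Payment("PSU-A", "SUPPLIER-3", 6300.0, 9, True),
    Payment("PSU-A", "SUPPLIER-2", 4800.0, 11, True),
    Payment("PSU-A", "SUPPLIER-1", 5500.0, 10, True),
    Payment("PSU-B", "GROCER", 20.0, 18, False),
    Payment("PSU-B", "UTILITY", 35.0, 19, False),
    Payment("PSU-B", "GROCER", 45.0, 17, False),
    Payment("PSU-B", "PHARMACY", 60.0, 18, False),
    Payment("PSU-B", "UTILITY", 80.0, 20, False),
]


def static_rule(p: Payment) -> bool:
    """The traditional rules-engine check: one threshold for every PSU in the segment."""
    return p.amount > STATIC_THRESHOLD


def build_baselines(history: List[Payment]) -> Dict[str, Baseline]:
    """Aggregate each PSU's own history; this is what a per-customer profile is built from."""
    baselines: Dict[str, Baseline] = {}
    for p in history:
        b = baselines.setdefault(p.psu, Baseline())
        b.amounts.append(p.amount)
        b.payees.add(p.payee)
        b.hours.append(p.hour)
    return baselines


def robust_z(value: float, sample: List[float]) -> float:
    """Median/MAD z-score: a few large historic payments do not drag the baseline up."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample) or 1.0   # floor of 1.0 is an arbitrary choice
    return (value - med) / (1.4826 * mad)


def behavioural_score(p: Payment, base: Baseline) -> float:
    """Score in [0, 1]: how far this payment sits from this PSU's own pattern.

    Three signals are combined with hypothetical fixed weights; a deployed model would
    learn them and use far more features (channel, device, session timing, and so on).
    """
    amount_component = min(max(robust_z(p.amount, base.amounts), 0.0) / 6.0, 1.0)
    new_payee = 0.0 if p.payee in base.payees else 1.0
    lo, hi = min(base.hours) - 1, max(base.hours) + 1
    odd_hour = 0.0 if lo <= p.hour <= hi else 1.0
    return min(1.0, 0.5 * amount_component + 0.3 * new_payee + 0.2 * odd_hour)


def behavioural_flag(p: Payment, base: Baseline) -> bool:
    """True when the payment is out of character for this PSU, even if SCA was completed."""
    return behavioural_score(p, base) >= DECISION_THRESHOLD


if __name__ == "__main__":
    bases = build_baselines(SAMPLE_HISTORY)
    routine = Payment("PSU-A", "SUPPLIER-1", 6000.0, 10, True)      # normal for this business
    coerced = Payment("PSU-B", "CRYPTO-EXCH-X", 4500.0, 22, True)   # new payee, late, far above norm
    for p in (routine, coerced):
        print(p.psu, "static:", static_rule(p), "behavioural:", behavioural_flag(p, bases[p.psu]),
              f"score={behavioural_score(p, bases[p.psu]):.2f}")
```

With this constructed data the static rule gets both decisions wrong: it flags the business's routine 6000 EUR supplier payment and lets through the retail customer's 4500 EUR transfer to a never-seen payee late in the evening, even though that transfer is hundreds of MADs above the customer's own median. The per-PSU score inverts both outcomes. The SCA flag is deliberately not used as a signal, because in the scams described above it is always true.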

Question 9: Do you have any views regarding the types of card payment fraud that have been reported by the industry under the category “issuance of a payment order by the fraudster”, sub-category “others”?

It is likely that many transactions in the "others" sub-category are also scams. Other fraud under "issuance of a payment order by the fraudster" would be categorised as card not received, lost and stolen, counterfeit, or CNP. This relates to our comments in response to question 2 regarding the need for more detailed reporting requirements on scams, and in particular card scams.

Name of the organization

Featurespace