Question ID:
2018_4032
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
18
Type of submitter:
Other
Subject Matter:
Criteria for the application of the transaction risk analysis (TRA) exemption – Fraud rate calculation methodology for the application of the TRA exemption
Question:

Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?

Background on the question:

Under the Transaction Risk Analysis (TRA) exemption, PSPs may bypass SCA for remote transactions provided risk analysis is applied and the PSP’s fraud rates and transaction amounts are under certain thresholds (Article 18 of the RTS).

The formula to calculate the PSP’s fraud rate for the application of the TRA exemption is total value of unauthorized and fraudulent remote card transactions divided by the total value of all remote card transactions.

The EBA draft Guidelines on Fraud Reporting under Article 96(6) PSD2 of August 2017 include in the definition of fraudulent transactions:

“[A]ll instances of payment fraud that occur in the payment market, including not only unauthorized payment transactions but also transactions where the payer was manipulated, or where the payer acted fraudulently” (paragraph 16, page 10).

In its Opinion of June 13, 2018 on the implementation of the RTS, however, the EBA states that unauthorized transactions and “fraudulent transactions resulting from the manipulation of the payer” must be included in the calculation of fraud rates (point 46, page 10). Thus, in its Opinion the EBA does not require that transactions “where the payer acted fraudulently”, i.e., ‘friendly’ frauds, are to be included in the calculation of fraud rates.

We therefore believe that ‘friendly’ frauds are excluded from the calculation of fraud rates.

If ‘friendly’ frauds were to be included, PSPs would be penalized for conducts that cannot be avoided through the use of SCA and that ultimately fall outside their control.

Date of submission:
28/06/2018
Published as Final Q&A:
07/12/2018
EBA Answer:

Subject to the conditions set out in Article 18 of the Commission Delegated Regulation (EU) 2018/389, the Payment Service Provider (PSP) may choose not to apply strong customer authentication to remote electronic payments identified as posing a low fraud risk. One of the conditions, as set out in Article 18(2)(a) requires the fraud rate to be calculated in accordance with Article 19 of the Delegated Regulation, where Article 19(1) prescribes that ‘the overall fraud rate for each type of transaction shall be calculated as the total value of unauthorised or fraudulent transactions’.

The EBA clarified in paragraph 46 of the EBA Opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 [RTS on Strong customer authentication and secure communication] that fraudulent transactions include those resulting from the manipulation of the payer. Based on the question submitted, ‘friendly fraud’ is understood as fraud where the genuine payment instrument holder claims a fraud that has taken place on their payment instrument although they knowingly used their own payment instrument for the reported transactions. Such ‘friendly fraud’, also called ‘first party fraud’, shall not be included in the calculation of the fraud rate detailed in Article 19 of this Delegated Regulation.

Status:
Final Q&A