The European Banking Authority have just published their final report and guidelines on fraud reporting under PSD2. There’s much to digest and understand, but one thing that stands out for me is categories of fraud that must be reported.
While PSPs don’t need to report ‘payer acting fraudulently’ — also known as first-party fraud — they are required to report fraud that involves ‘manipulation of the payer,’ in other words authorised push-payment fraud. In line with other fraud reporting, PSPs will have to report this in two categories: when strong customer authentication has been used and when it hasn’t.
To date, reporting of authorised push-payment fraud has been ad-hoc and generally doesn’t involve reporting to any formal body. The EBA says that PSPs have a responsibility to identify such cases and calls out the use of transaction risk analysis to do so.
The fraud reporting requirements of PSD2 mean that PSPs must overhaul their processes and be ready to report fraud by January 2019. This challenging deadline will be further complicated by the inclusion of authorised push-payment fraud.
By definition, strong customer authentication will not make any difference to a fraud where the accountholder has been manipulated into providing that authentication. Strong customer authentication makes some kinds of fraud more difficult and criminals will be looking for the next opportunity. Could it be that they turn their attention to types of fraud where strong customer authentication doesn’t offer protection, such as authorised push-payment fraud?
Getting Ready to Comply
A further layer of complexity is added when real-time payment schemes are considered. While the use of Faster Payments in the UK has been near-ubiquitous for some time, many European nations are rolling out new schemes now, including the cross-border SEPA CT Inst. This raises two challenges:
- A real-time push-payment mechanism is an incentive to criminals who can get their hands on the proceeds of their crime much more quickly – therefore we can expect an imminent rise in authorised push-payment fraud.
- Where real-time payments are relatively new, access to historical data that can be used in fraud prevention models is limited or not available.
None of this means that PSPs can’t be ready for the reporting and strong customer authentication requirements of PSD2, or that they can’t manage fraud where strong customer authentication doesn’t offer protection. We recommend a three-pronged approach:
- Prepare by understanding what your fraud rates are now across all payment mechanisms. Where you would like to use transaction risk analysis to secure payments in addition to strong customer authentication, understand how your fraud rates relate to fraud basis points laid out in PSD2. Use trusted, expert advisors to build and implement a plan that will drive down fraud rates where it is most important to do so – before PSD2 strong customer authentication is mandatory.
- Research and implement solutions that can help you to meet both the reporting requirements and the need to drive down fraud rates using transaction risk analysis. You may need to deploy transaction risk analysis across more payments – do you have solutions that can scale to the volumes and speeds needed?
- Be ready to adapt. PSD2 and the impact on fraud will be an evolving situation for some time to come. We don’t yet know what impact new players such as PISPs and AISPs will have on the data you are reliant on for managing fraud. New payment mechanisms such as SEPA CT Inst will also mean making fraud decisions based on little historical data. Look for those solutions that can adapt rapidly to changing fraud patterns, and can use a range of supervised and unsupervised machine learning models for the best outcomes.
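The reporting split described earlier (report 'manipulation of the payer', exclude 'payer acting fraudulently', and divide everything by whether strong customer authentication was used) and the comparison of your own fraud rate with a basis-point reference from the first step above, as an added Python example. This is not FICO's code and not from the original post; the ledger schema, the sample transactions, the fraud-type labels and the reference threshold are all constructed assumptions, and the actual PSD2 reference rates are deliberately not reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Txn:
    """One push payment as it might appear in a PSP's ledger (constructed schema)."""
    txn_id: str
    amount_eur: float
    sca_used: bool                 # was strong customer authentication applied?
    fraud_type: Optional[str]      # None, "first_party", "manipulation_of_payer", "unauthorised"


# Constructed sample ledger, not real data. Amounts are chosen so the
# resulting basis-point figures come out as round numbers.
SAMPLE_TXNS: List[Txn] = [
    Txn("t1", 4620.0, True,  None),
    Txn("t2",   80.0, True,  "manipulation_of_payer"),   # APP fraud despite SCA
    Txn("t3",  300.0, True,  "first_party"),             # payer acting fraudulently
    Txn("t4", 5000.0, True,  None),
    Txn("t5", 4700.0, False, None),
    Txn("t6",   50.0, False, "unauthorised"),
    Txn("t7",  150.0, False, "manipulation_of_payer"),
    Txn("t8",  100.0, False, None),
]


def reportable(t: Txn) -> bool:
    """'Payer acting fraudulently' (first-party fraud) is not reported; every
    other fraud type, including 'manipulation of the payer', is."""
    return t.fraud_type is not None and t.fraud_type != "first_party"


def fraud_report(txns: List[Txn]) -> Dict[str, dict]:
    """Aggregate by the two reporting categories (SCA used / not used) and
    express the reportable fraud rate in basis points of transaction value."""
    buckets: Dict[str, dict] = {}
    for t in txns:
        key = "sca" if t.sca_used else "no_sca"
        b = buckets.setdefault(key, {
            "total_value": 0.0, "total_count": 0,
            "fraud_value": 0.0, "fraud_count": 0,
            "excluded_first_party": 0,
            "by_type": defaultdict(int),
        })
        b["total_value"] += t.amount_eur
        b["total_count"] += 1
        if t.fraud_type == "first_party":
            b["excluded_first_party"] += 1      # counted in volume, not in fraud
        elif reportable(t):
            b["fraud_value"] += t.amount_eur
            b["fraud_count"] += 1
            b["by_type"][t.fraud_type] += 1
    for b in buckets.values():
        # multiply before dividing so round totals give exact bps values
        b["fraud_bps"] = (round(b["fraud_value"] * 10_000 / b["total_value"], 4)
                          if b["total_value"] else 0.0)
        b["by_type"] = dict(b["by_type"])
    return buckets


def within_reference_rate(report: Dict[str, dict], bucket: str, threshold_bps: float) -> bool:
    """Compare one bucket's fraud rate with a reference rate in basis points.
    threshold_bps is a caller-supplied placeholder; the real PSD2 reference
    rates must be taken from the regulation, not from this example."""
    return report[bucket]["fraud_bps"] <= threshold_bps


if __name__ == "__main__":
    for name, b in fraud_report(SAMPLE_TXNS).items():
        print(f"{name}: {b['fraud_count']} reportable fraud(s) of {b['total_count']} txns, "
              f"{b['fraud_bps']:.1f} bps by value, by type {b['by_type']}, "
              f"{b['excluded_first_party']} first-party case(s) excluded")
```

Keeping first-party cases in the denominator but out of the numerator is what makes the "excluded" count worth tracking: it shows how much of the observed loss the report will not reflect, and the per-type breakdown shows how much of what is reported is APP fraud that SCA could never have prevented.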
For more information about PSD2 and how we can help you visit www.fico.com/PSD2.