The European Banking Authority (EBA) has published the final Guidelines on fraud reporting under the revised Payment Services Directive (PSD2).
Article 96(6) of PSD2 mandates EU Member States to ensure that all "payment service providers" ("PSPs") submit to their competent authorities (i.e. the Supervisors), at least on an annual basis, statistical data on fraud relating to different means of payments. It also mandates the competent authorities to provide the EBA and the ECB with such data on an aggregated form.
The Guidelines published by the EBA set forth the methodology, definitions and data breakdowns so payment service providers (PSPs) in the EU/EEA can collect and report data on payment transactions and "fraudulent payment transactions" in a consistent manner.
The publication of these Guidelines follows the draft Guidelines published by the EBA for public consultation in August 2017. According to the EBA, following the assessment of the responses received – around 200 – they have incorporated a number of changes in the final Guidelines.
The relevant changes can be summarised as follows:
In relation to the interaction with other legislative instruments and reporting requirements, and specifically with the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication ("RTS on SCA and CSC"), the EBA clarifies that the final Guidelines are relevant for the calculation of fraud rates under Article 18 of the RTS on SCA and CSC (i.e. the exemption based on "Transaction Risk Analysis"). In this sense, the final Guidelines sets forth a definition of "fraudulent payment transaction" that includes "unauthorised payment transactions" as defined in PSD2, as well as transactions that "result of the manipulation of the payer". The previous draft Guidelines also categorised as fraud the transactions where the payer was the fraudster, but the final Guidelines do not include this category as, according to the EBA, this type of fraud is outside of the control of the PSP.
The EBA has also modified the final Guidelines to align them with related reporting requirements, in particular with the ECB Regulation on payment statistics (ECB/2013/43).
In relation to the addressees of the Guidelines, the EBA has clarified that providers of "Account Information Services" ("AISP") remain excluded from the reporting requirements under Art. 96(6) PSD2. It also indicates that the acquirer (or "sub-acquirer") that has the contract with the payment service user is the one required to report data.
The EBA has also indicated that only gross fraud (and not net fraud), defined as the general value of losses borne by the PSPs and the relevant payment services users, needs to be reported and that the reporting obligations include both, consumer and corporate transactions.
The EBA has modified the frequency of reporting: the final Guidelines no longer require quarterly reporting of high-level data and a more detailed set of data on a yearly basis, but the reporting of auniform set of data on a semi-annual basis instead.
Finally, in relation to the date of application, the EBA has postponed the first reporting period and thus, PSPs are required to start collecting data as of January 2019. Furthermore, data collection in relation to the fraud levels for the "Transaction Risk Analysis" SCA exemption based on "Transaction Risk Analysis" will start from the date of application of the RTS on SCA and CSC (i.e. 14 September 2019).
The final Guidelines on fraud reporting under PSD2 are available here.
If you have any questions, please do not hesitate to get in touch with any member of the Bird & Bird international payments team - see the contacts in the EU below.