The EBA has identified new types of payment fraud and proposes measures to mitigate underlying risks and protect consumers

The European Banking Authority (EBA) published an Opinion, in which it assesses payment fraud data that has recently become available to the EBA, identifies new types and patterns of payment fraud, and develops proposals to mitigate them.

This Opinion aims at further strengthening the forthcoming legislative framework under the Third Payment Services Directive (PSD3) and Payment Services Regulation (PSR), as it will enshrine anti-fraud requirements for several years to come and needs to be as future-proof as possible.

In the Opinion, the EBA confirms that regulatory measures such as the Strong Customer Authentication (SCA) that the revised Payment Service Directive (PSD2) and the EBA’s Technical Standards have imposed on the payments industry have been successful in achieving the aim of significantly reducing fraud that involves the stealing of customers’ credentials. However, fraudsters have adapted their techniques and are using more complex types of fraud, such as those based on what is commonly referred to as ‘social engineering’.

To mitigate these dynamic new fraud types, the Opinion is proposing that new security measures are prescribed that are in addition to those articulated in the EU Commission’s welcome proposals for the PSD3 and a PSR as well as the provisions that recently entered into force through the Instant Payments Regulation (IPR). 

Fraud related figures

Fraud levels for credit transfers have been contained to 0.0008% of the total value for credit transfers (i.e., 8 euro defrauded out of 1 million euros transmitted) and 0.0020% for direct debits in 2022.

For card payments, while the absolute fraud rate is higher, i.e. 0.029% in value (according to data reported by payer’s PSP), the average fraudulent transaction is limited to €80, compared to a corresponding value of €2,252 for credit transfers. Already in 2020 – 2021, in the period of migration to SCA, the EBA had observed a reduction in the average fraud rate in value between 40% and 60%, in card payments alone.

Similarly, more recently, the ECB card fraud statistics published in May 20236 show that the implementation of SCA by PSPs and merchants in 2021 was accompanied by a significant decline of remote card payments fraud.

In parallel, the EBA observes that SCA is now widely used to authenticate remote electronic transactions, including those for e-commerce. Indeed, while several exemptions to the use of SCA were provided in the RTS, with the aim of supporting user-friendly and innovative means of payment while taking into account the need to ensure the safety of customers’ funds and personal data, in 2022 SCA was applied for 70% of remote credit transfers and 36% of remote card transactions (as reported by the payer’s PSP), for a percentage of the aggregate value of 77% and 55% respectively. Correspondently, the use of the exemptions to SCA set out in the RTS has been generally limited for these two payment instruments. In particular, SCA exemptions were used for 32% of remote card transactions.

The EBA has also observed that PSPs have reported a high volume of non-SCA authenticated transactions as merchant-initiated transactions (MITs), equivalent to 13.1% of all remote cardbased payments in the EU (as reported by the payer’s PSP). Similarly, payment transactions by mail order or telephone order (so called MOTO transactions), which are out of scope of the SCA requirement, were significant in volume, too. Both MITs and MOTO transactions featured considerably higher fraud rates in H1 2022 (i.e. more than 0.1% in value – or more than 1 euro defrauded out of 1000 euros transmitted) both with respect to SCA authenticated transactions and transactions exempted from SCA.

Opinion on new types of payment fraud and possible mitigations (251.53 KB – PDF) – Download