On 18 July 2018, the EBA published a report containing final Guidelines on fraud reporting under Article 96(6) of PSD2.
The Guidelines, which have been developed in close co-operation with the ECB, require PSPs to collect and report data on payment transactions and fraudulent payment transactions using a consistent methodology, definitions and data breakdowns.
The first set of Guidelines contained in the report is addressed to PSPs while the second is addressed to Competent Authorities (CAs). This article focuses on the Guidelines applicable to PSPs.
Fraud reporting requirement under PSD2
One of the PSD2 requirements applicable to all PSPs relates to the reporting of fraud data on means of payment. More specifically, Article 96(6) PSD2 states that PSPs must provide ‘statistical data on fraud relating to different means of payment to their competent authorities’ and that CAs must, in turn, ‘provide EBA and the ECB with such data in an aggregated form’.
What key changes have been made to the Guidelines?
The EBA received 48 responses to its consultation paper published in August 2017 (CP), representing a wide range of market participants, including PSPs, merchants and technology service providers. The EBA agreed with some of these proposals, and their underlying rationale, and has made a number of changes to the Guidelines and related annexes as a result.
Key changes that have been made include the following:
- Many respondents were critical of the administrative burden of reporting on a quarterly basis. This has now been changed to semi-annual reporting. (GL 3.1)
- The Guidelines now foresee an exception to this rule for small payment institutions and electronic money institutions that, under Article 32 PSD2 and Article 9 of the second Electronic Money Directive (EMD2), would be able to benefit from an exemption. These PSPs would need to report only annually with a semi-annual breakdown. (GL 3.2 and 7)
- A large number of respondents disagreed with the need for country‐level data for a many of the data breakdowns proposed in the CP. This has now been reduced to the same area for all of the requirements in the Guidelines (with no country‐by‐country data requirement).
- The Guidelines do, however, require PSPs to distinguish between payments that are domestic, cross border within the EEA and cross‐border outside the EEA for the purposes of their reporting. (GL 4.1 and Annex 1)
Categories of fraudulent transactions to be reported
- The number of categories of fraudulent transactions to be reported has been reduced from three to two, with fraudulent transactions where the payer is the fraudster (i.e. the category ‘payer acting fraudulently’) no longer within the scope of the Guidelines. (GL 1.1)
- The EBA has clarified that the term ‘executed’ should be understood in the sense of PSD2, meaning when the ASPSP has processed (or acquired) the payment transaction and the funds have been transferred to the payee’s PSP. (GL 1.2).
- In respect of fraudulent payment transactions in the context of direct debits, the EBA has clarified that refunds given within eight weeks should not be automatically reported, as they do not always indicate fraud cases; such transactions should be reported only if they were subject to fraud and the reporting PSP was aware that this was the case.
Alignment with other instruments
- The EBA and the ECB have sought to align the Guidelines with other similar reporting instruments identified in responses to the CP, notably the ECB Regulation on Payment Statistics (ECB/2013/43) and the complementary ECB Recommendation on payment statistics (ECB/2013/44).
- The EBA also clarifies in the final report that the Guidelines and the RTS on SCA and CSC are aligned to the extent that the same two categories included in the reporting for the purpose of the Guidelines, namely unauthorised transactions and transactions as a result of the manipulation of the payer, should be used to calculate the fraud rate for the purpose of the transaction‐risk analysis exemption under Article 18 of the RTS on SCA and CSC. This is also explained in paragraph 46 of the EBA Opinion published on 13 June 2018.
Who do the Guidelines apply to?
The Guidelines set out requirements applicable to all PSPs, with the exception of registered AISPs (which remain excluded from the requirement under Article 96(6) of PSD2 to report on ‘means of payment’).
The Guidelines are subject to the principle of proportionality, which means that all PSPs within the scope of the Guidelines are required to be compliant with each Guideline, but the precise requirements, including on frequency of reporting, may differ between PSPs, depending on the payment instrument used, the type of services provided or the size of the PSP.
When will the Guidelines apply?
The next step is for the Guidelines to be translated into the official EU languages and published on the EBA website.
The Guidelines apply from 1 January 2019, with the exception of the reporting of data related to the exemptions to the requirement to use SCA under the RTS, which apply from 14 September 2019.