Call for unity on payments fraud reporting

European payments fraud experts are calling for a single set of regulatory requirements for payments fraud reporting across the European Union.

 

By Heather McKenzie
Account servicing payment service providers (ASPSPs) across the EU are implementing national transpositions of the Euro Banking Association’s (EBA’s) Guidelines on Fraud Reporting under PSD2. However, an updated version of the European Central Bank (ECB) Regulation on Payments Statistics is scheduled to become applicable in 2021. A group of 18 ASPSPs from 10 European countries believe the ECB Regulation will incorporate and supersede the EBA Guidelines.

According to the group, this runs the risk of the fragmentation of fraud reporting in Europe. While the EBA, working with the ECB, has tried to align its Guidelines with the ECB’s regulation, the ASPSPs “share the considerable concern” that the resulting reporting requirements may “noticeably differ from one country to the next”. Such differences could arise in relation to transmission formats, channel or interface, start dates and deadlines.

In addition to the fragmentation risk, PSPs are also faced with a high level of uncertainty regarding the longer-term viability of their implementation efforts around the EBA fraud reporting requirements, given the current review of the EU’s statistics regulation.

The group issued a note in April setting forth recommendations to ensure a uniform, consolidated and stable approach to fraud reporting across EU member states. The recommendations are:

  • There should be full alignment of the reporting content and format.
  • Start and end dates of each reporting period and the applicable submission deadlines should be identical.
  • Data collection and transmission should be fully standardised based on reporting IT taxonomy.
  • PSPs (and national competent authorities) should not be required to run two subsequent implementation programmes: one for meeting the EBA fraud reporting requirements applicable as from 2019 and one for complying with the revised ECB Regulation on Payments Statistics that will become applicable as from 2021.

In order to minimise fragmentation risks and ensure maximal legal certainty and longer-term viability for the related implementation programmes, the group recommends:

  • Put on hold the implementation of the EBA Guidelines on fraud reporting until the entry into force of the revised ECB Regulation on payment statistics, which is foreseen to incorporate and supersede the EBA Guidelines on fraud reporting, and
  • Ensure the introduction of a fully standardised set of requirements and related approach by means of this ECB Regulation, including the data requirements (reporting content) defined by the EBA Guidelines on fraud reporting.

“Fraud experts throughout Europe are very concerned about the lack of alignment they have come across in their practical analysis of the new fraud reporting requirements in terms of content, format and deadlines,” said Thomas Egner, secretary general of the EBA. “The different national transpositions of the EBA Guidelines and the fact that these will be closely followed by an ECB Regulation superseding them are challenging for the implementation projects of multinational and smaller PSPs alike. That is why these experts are calling for the introduction of one single set of regulatory requirements, ideally via the ECB Regulation, which should establish fully standardised and comprehensive data collection and transmission requirements as well as uniform reporting periods and deadlines.”

The recommendations were put together after a series of workshops jointly organised by the PSD2 Practitioners’ Panel and the SCT Inst Migration Action Round Table (Smart2). Both practitioners’ groups are open to representatives of ASPSPs operating in Europe and are facilitated by the EBA as part of its Market Practices and Regulatory Guidance stream.

ASPSPs are organisations that provide and maintain a payment account for a payer. They are typically banks that offer accounts (such as current accounts) to customers. Under PSD2, ASPSPs must grant a third party service provider (TPP) direct access to certain payment accounts of their customers so that the TPP can, as requested by that customer, provide its own services to that customer.

The ASPSPs that endorsed the recommendation include Bank of America Merrill Lynch, Barclays Bank, Commerzbank, Deutsche Bank, DNB, Intesa Sanpaolo, Nordea, Raiffeisen Bank, Svenska Handelsbanken, BNY Mellon and UniCredit.

«