Faculty of law blogs / UNIVERSITY OF OXFORD

Authorised Push Payment Fraud: Suggestions for the Draft Payment Services Regulation

Author(s)

Prof. Dr. E.J. van Praag
Professor of Financial Technology and Law at Erasmus University Rotterdam and Attorney-at-Law at Kennedy Van der Laan


With the digitalisation of payment services there has been an increasing prevalence of payment fraud, as well as a change in the nature of payment fraud.

Historically, payment fraud was confined to stealing someone’s bank credentials, for example the bank card. This resulted in a so-called unauthorised (payment) transaction, in which the transaction was not authorised by the payment service user (PSU) himself, but by the fraudster. Nowadays, payment fraud also concerns tricking the PSU into authorising the payment to another account himself or herself. An example of this type of fraud is pretending to be the bank of the PSU and requesting the PSU to take action to keep his money safe. This type of fraud is referred to as authorised push payment fraud (APP fraud), because the PSU himself has authorised the payment transaction.

Notably, the current EU Payment Services Directive (PSD2) provides that the payment service provider (PSP) of the PSU is liable in case of unauthorised payments, unless the PSU failed to fulfil its obligations to keep the account safe with intent or gross negligence, or acted fraudulently. However, in case of APP fraud, there is no provision in PSD2 allocating liability to the PSP. As soon as the PSP has proven that the transaction was authorised by the PSU himself, the latter must bear all the consequences. Only in some EU jurisdictions can the PSU obtain compensation from his PSP, if the PSU can substantiate that (i) the PSP had a duty of care based on national private law to monitor his transactions, (ii) the PSP should have noted that the transactions were suspicious and (iii) the PSP failed to act.

This growth in APP fraud and the weak legal position of the victim have led to a growing feeling of discomfort among legislators, which came to the fore in the European Commission’s (EC) proposal for an update of PSD2, which will be laid down in a regulation (the draft proposal for a Payment Services Regulation (PSR)). The EC has proposed a liability of the PSP towards the payer for APP fraud when the fraudster impersonates his PSP. This specific proposal of the EC was welcomed by the EU co-legislators, although the latter complemented it with a suggestion to compensate the PSU in more scenarios than PSP impersonation fraud alone. This has led to a vehement debate about which measures to take.

A group of 10 academics representing 5 jurisdictions joined forces to provide suggestions to the EU co-legislator. This resulted in a paper now featured in the European Banking Institute Working Paper series. In this paper the authors aim to give guidance to the EU co-legislators on how APP fraud should be regulated. In order to do so, they also discuss how fraudulent payments are currently dealt with under PSD2.

Their key conclusions are:

  1. There is no consistent interpretation across the EU of when a transaction is authorised. Notably, where the PSU himself has authenticated the transaction, but whilst being under the influence of a fraudster, some jurisdictions consider that the transaction is not authorised. Many other jurisdictions consider this transaction authorised.
  2. There is no consistent interpretation across jurisdictions of whether, in case no liability can be grounded on PSD2 itself (because the transaction was authorised), there is nevertheless room for liability of the PSP based on national private law.
  3. (i) and (ii) above lead to the conclusion that the European co-legislator should clarify in PSR: (i) whether a transaction is also authorised if the PSU authenticated this transaction under influence of a fraudster and (ii) to what extent the liability regime under PSD2 leaves room for liability of the PSP based on national private law (for example a PSP’s duty of care). The co-legislator should remedy this, either by truly harmonising liability, or deliberately leaving discretion with Member States. A majority of the authors of this paper are of the view that if the PSU himself initiated and authenticated the transaction even under influence of fraud, this transaction should still be deemed authorised under the PSR.
  4. A majority of the authors of this paper are of the view that in PSR liability for APP fraud should not be limited to cases of bank impersonation fraud, but should also cover other scenarios of payment fraud, provided that peoples’ trust in the payment system has been abused by the fraudster (for example police or regulator impersonation). In cases of payment fraud not directly associated with peoples’ trust in the payment system (for example WhatsApp fraud, invoice fraud or relationship fraud), it should be left at the Member State’s discretion whether to allocate liability to the PSP (for example based on a PSP’s duty of care pursuant to national law).
  5. A majority of the authors of this paper argue for a definition of ‘gross negligence’ in the context of APP fraud in the PSR, possibly combined with some concrete examples of gross negligence in the recitals, indicating that this exception to the rule of reimbursement in case of impersonation fraud involving peoples’ trust in the payment system is intended to be a very narrow one. Such a definition could be that gross negligence entails a serious degree of culpability on the part of the PSU and that, in order to establish gross negligence, the PSP must prove that the user was aware or should have been aware under the concrete circumstances of a specific risk of becoming victim of payment fraud.
  6. A majority of the authors believe that the European co-legislator should specify to what extent PSPs can monitor transactions in order to combat fraud and to what extent PSPs can suspend transactions or apply cooling-off periods for large transactions, especially taking into account the recent Instant Payments Regulation, which sets as a rule that transactions need to be instant.
  7. A majority of the authors believe that the rules to be developed in the context of PSR may need to be extended to fraud involving the European Digital Identity Wallet (EDIW), consumer credit, or fraud concerning investment products or crypto-assets. The same logic which requires that PSPs are liable in case trust in the payment system has been abused by the fraudster points to the conclusion that, when trust in the security and safety of these other financial institutions is at stake, the consumer should be held harmless as well.

The full paper can be found here.

E.J. van Praag is the Professor of Financial Technology and Law at Erasmus University Rotterdam and attorney-at-law at Kennedy Van der Laan.
