Draft EBA Guidelines on fraud reporting requirements

ESBG (European Savings and Retail Banking Group)
Rue Marie-Thérèse, 11 - B-1000 Brussels
EU Transparency Register ID 8765978796-80
November 2017

ESBG Position Paper on Draft EBA Guidelines on fraud reporting requirements under Article 96(6) of Directive (EU) 2015/2366 (PSD2)

Question 1: Do you consider the objectives for the guidelines as chosen by the EBA, in close cooperation with the ECB, including the link with the RTS on SCA and CSC (and in particular Articles 18 and 20 RTS), to be appropriate and complete? If not, please provide your reasoning.

ESBG welcomes the opportunity to review and comment on these draft Guidelines. ESBG believes that the objectives are going in the right direction in general. Nevertheless, the following two objectives are missing:

First, ESBG believes that there should be an objective for an ad-hoc exchange of fraudulent data (fraudulent or fake data such as ID documents, names, IBANs, phone numbers, addresses and other information that could be used to commit fraud) between PSPs, ideally via competent authorities.

Second, ESBG is of the opinion that there should be an objective for an automated reporting possibility to law enforcement without the need for a thorough or immediate investigation (an ITIL-like distinction between incident management and problem management).

Besides, we would like to make the following remarks:

As per Guideline 2.7, PSPs need to submit the required data to the competent authority following the procedures defined by the competent authority. In order to prevent fragmented approaches across Europe, and in order to assist PSPs that operate across multiple countries, all competent authorities should have the same and uniform procedures on how to perform the reporting. For example, in addition to setting the content, the EBA could publish additional ITS on the format and data exchange (between competent authorities, and between competent authorities and payment service providers) for fraud reporting.

ESBG believes that only gross fraud is a relevant indicator in tracking fraud and underlying trends. Net fraud is more an indicator of PSPs' individual capabilities to recover fraud from various sources, including insurances, and hence seems not relevant in tracking the underlying fraud. Therefore we believe only gross fraud should be reported.

ESBG is always in favour of proportionality in regulation, and as such welcomes the EBA's recital 12 in section 2 on subject matter, scope and definitions. The recital states: "The Guidelines are subject to the principle of proportionality, which means that all payment service providers within the scope of the guidelines are required to be compliant with each Guideline, but the precise requirements, including frequency of reporting, may differ between payment service providers, depending on their size, business model and complexity of their activities." However, ESBG would welcome more clarity on this aspect. More specifically, how and by whom will this principle of proportionality be executed, on what aspects, and what will be the exact differences? Can additional proportionality criteria be expected from this recital 12?

Question 2: In your view, does the definition of fraudulent payment transactions (in Guideline 1) and the different data breakdown (in Annexes 2 and 3) cover all relevant statistical data on fraud on means of payment that should be reported? If not, please provide your reasoning with details and examples of which categories should be added to, or existing categories modified in, the Guidelines.

ESBG would like to remind the EBA of the fact that PSPs are already required to provide payment statistics under Regulation (EU) No 1409/2013 of the ECB of 28 November 2013 on payments statistics (ECB/2013/43). Under the headings of "Total Payments Transactions" the same data is being requested in this particular reporting, effectively requiring PSPs to report the same data twice.

With respect to Guideline 1.1, ESBG is of the opinion that the types of fraud (b) and (c) do not occur because of vulnerabilities or weaknesses in PSPs' payment systems, but are the result of some form of relationship between a payment service user (PSU) and a fraudster. Consequently, and as they involve transactions that have been properly authorised, there is no way PSPs could possibly identify those transactions as fraudulent and prevent them from happening. As such, requiring PSPs to report fraud that is beyond their control can have a negative impact on both the PSPs' fraud rate and possible exemptions from strong customer authentication under the RTS on SCA and CSC. Regardless, ESBG recognises that the commented types of fraud should be classified as fraud under PSD2 in relation to other actions that can be taken to prevent them from happening.

In order to address your question in more detailed terms, ESBG would like the following definitions to be clarified, for the avoidance of any doubt and misinterpretation:
- E-Money;
- TRA transactions;
- MOTO transactions;
- Are money mule accounts part of fraud, or part of AML, or both?
- Are correspondent banking transactions in or out of scope?
- What is the exact definition of a delayed debit card: how much delay is sufficient for that classification?

ESBG also observes that some items seem to be missing from the Guidelines:
- Rules to identify or to avoid the impact of double reporting, especially for card transactions, seem to be missing; also, paragraph 46 is not completely clear.
- There are no rules provided to identify or to avoid the impact of later corrected volumes and/or values, for example due to different reporting periods.
- There is no distinction between the various counterparties, such as a differentiation between AISPs and PSPs, or a distinction between PSPs with a banking licence and PSPs without a banking licence.
- As remittances can cover both cash-in as well as cash-out transactions, the introduction of cash into or the extraction of cash out of these cycles is relevant as well.

With respect to the structure, ESBG wonders whether it is an option to combine all separate tables into one flat structure, as this would also allow the data to be sliced and diced across the various dimensions.

Question 3: Do you agree with the EBA's proposal to exempt Account Information Service Providers from reporting any data for the purpose of these Guidelines? Please provide your reasoning with detail and examples.

No, ESBG does not agree. It is true that the legal basis for these Guidelines resides in Article 96(6) PSD2, which is directly related to the legislative mandate for the issuance of Guidelines for major incident reporting in Article 96(1-5) PSD2. As such, if we relate both issues, it could be understood that the Guidelines on major incident reporting cover single incidents that are considered impactful (major) and therefore need to be promptly reported, while these Guidelines cover periodic reporting of fraud data with the objective of gathering statistics and insight on fraud under PSD2-related activities. That is, the Guidelines on fraud reporting requirements would actually include the fraud resulting from the major incidents reported under the other Guidelines, plus every other minor incident that has caused fraud at the PSP. In conclusion, taking into account that (i) incidents affecting AISPs can cause fraud and (ii) account information services are included in the Guidelines on major incident reporting, these Guidelines on fraud reporting requirements should include AISPs.

At the same time, Article 96(6) mentions statistical data on fraud relating to different means of payment, neither explicitly discarding account information services nor mentioning payment initiation services only. Therefore, it could be that fraud itself can occur not only during a payment transaction, but also within the relationship between PSUs and AISPs. Examples of fraudulent activities through AISPs can include phishing, hacking, identity theft or any sort of data breach or leakage. Any of these fraudulent activities can cause major problems for PSUs, even though they often cannot be measured in a quantitative way. So, AISPs with loose controls could be the originator of the majority of fraudulent cases and volumes, and therefore this should be identified as soon as possible. As this is currently not addressed in these draft Guidelines, ESBG recommends that either AISPs should report their relation to fraudulent transactions separately, or these should be reported via PSPs, at least as separate channels as defined in Annexes 2 and 3.

Question 4: Do you agree with the rationale for not including in Guideline 2.5 a requirement to report data for attempted fraud for the purpose of these Guidelines? If not, please provide your reasoning with detail and examples.

We disagree with the rationale behind the exclusion of attempted fraud from the reporting requirements. As the EBA admits in rationale 25, capturing data on attempted fraud would enable competent authorities to assess the effectiveness of the internal controls of the PSP in blocking transactions before they are executed. In support of this rationale, one of our Members' internal fraud reports shows that attempted fraud currently accounts for as much as 98.89% of all gross fraud. Also backing the inclusion of attempted fraud, as rationale 27 states, under the EBA's RTS on SCA and CSC all PSPs shall have risk and fraud monitoring systems in place to enable them to block any suspicious payment as foreseen by PSD2. As this is expected to be already in place with the entry into force of PSD2, and taking into account that most PSPs already report attempted fraud internally, the additional burden that this requirement would impose on PSPs is not large enough to justify the application of the proportionality criteria.

The inclusion of attempted fraud would substantially improve the information the competent authorities and the EBA could work with in order to achieve the objectives behind these Guidelines. That is, the inclusion of attempted fraud would allow competent authorities to obtain information about the effectiveness of the security processes applied by PSPs, which would not otherwise be possible when taking into account executed fraud only. This would also assist in identifying trends in fraud attempts, which are very useful and insightful for knowledge exchange on fraud prevention across entities and across borders, and it could also prevent fraudsters from performing small test transactions in test markets before deploying their modus operandi in other markets.

Question 5: Do you agree with the proposal for payment service providers to report both gross and net fraudulent payment transactions, with net fraudulent transactions only taking into account funds recovered by the reporting institution (rather than any other institution) as set out in Guideline 1.5? If not, please provide your reasoning with detail and examples.

As mentioned in our observations under Question 1, ESBG believes that the reporting of net fraudulent payment transactions does not contribute to the overarching goal of fraud reporting, as it is an indication of an individual PSP's capability to recover fraud from whatever source rather than an indication of the underlying fraud. Besides, it is worth noting that this recovery can be a very lengthy process and, as such, the recovery and the reporting of it can take place in a different period than the one over which the underlying fraud was reported, which may lead to misinterpretations of the data. For example, a lot of fraud could happen during the Christmas shopping season as, due to high transaction volumes, fraud could slip through, indicating high fraud levels in the relevant annual or quarterly report, whilst any recovery would be offset in the reporting over the next year or quarter. If, regardless of the above, the EBA insists on keeping both notions of fraud in, ESBG would recommend the EBA to make clear distinctions between amounts recovered, covered by insurance or borne by customers, in order to get a better view.

Question 6: Do you consider the frequency of reporting proposed in Guideline 3, including the exemption from quarterly reporting for small payment institutions and small e-money institutions in light of the amount of data requested in Annexes 1, 2 and 3, to be achieving an appropriate balance between the competing demands of ensuring timeliness to reduce fraud and imposing a proportionate reporting burden on PSPs? If not, please provide your reasoning with detail and examples.

In relation to the frequency of reporting, even though ESBG can agree with the exemption from quarterly reporting for small payment institutions, we recognise that it can create a significant information gap for a considerable time. The reporting obligations are not sophisticated, and they can contribute many insights when fraud modi operandi prevail. Due to the fact that the first annual report will take place in 2020H1, while PSD2 enters into force on 13 January 2018, there will be almost two years during which competent authorities will receive no information from small payment institutions. Although the RTS on SCA and CSC will not yet be applicable, fraud activities may be significant during those two years. Therefore, we consider that an intermediate solution must be found, for example by requiring small PSPs to report on a quarterly basis until the first reporting period in 2020H1. From that point onward they could be exempted from the quarterly reporting for the rationale presented.

In general, with respect to the frequency of the reporting, ESBG agrees with the frequency of the high-level reporting as indicated in Annexes 2 and 3, but ESBG disagrees with respect to the frequencies for ad hoc fraud cases and data exchanges.

Question 7: Do you agree that payment service providers will be able to report the data specified in Guideline 7 and each of the three Annexes? If not, what obstacles do you see and how could these obstacles be overcome?

As per Guideline 3.3, payment service providers should submit their data within the timelines set by the respective competent authorities. Also with respect to this Guideline we would like to repeat our remark as stated in our response to Question 1, namely that, in order to prevent fragmented approaches across Europe and to assist PSPs that operate across multiple countries, all competent authorities should have the same and uniform procedures on how to perform the reporting, for example in terms of content and formats but also in terms of communication channels. Further, ESBG would like to observe that the differentiation between the various geographies only increases the filter logic, which may confuse interpretations. If everything is reported under Geo 3, the filtering can take place elsewhere.

Question 8: In your view, do the proposed Guidelines reach an acceptable compromise between the competing demands of receiving comprehensive data and reducing double counting and double reporting? If not, please provide your reasoning.

ESBG is not of the opinion that an acceptable compromise has been reached, as it is especially unclear on the PSP-payee side where to deduct the double reporting (this is only possible at a very high level for Geo 3 indications, but not for the other two regions, as there will be no country breakdown). Besides, different data quality and interpretation ambiguities, as well as different time delays between the payer's and the payee's PSPs, might lead to different numbers and therefore to unclear double-counting calculations. An improvement could be that only the PSP representing the payer should provide the information, but amended with the counterparty information as outlined in our answer under Question 2.

Question 9: Do you agree that payment service providers should distinguish between payment transactions made by consumers and payment transactions made by other PSUs? Please provide your reasoning with detail and examples.

We do not, at this point in time, consider it necessary to distinguish between payment transactions made by consumers or other PSUs, as the breakdown of data proposed by the EBA already reflects the data necessary to achieve the objectives behind these Guidelines (i.e. to assess the effectiveness of legal and regulatory requirements, identify trends and potential risks, and assess security incidents and emerging fraud trends and threats). Currently, neither our internal nor our external fraud reporting mechanisms include this distinction, as it does not provide valuable insight on measures against fraud, so the distinction suggested in this question would cause an unnecessary burden with no clear benefits. Also, currently this distinction cannot be made when both consumers and others are using the customer interface (also known as screen scraping). However, going forward, this issue could become more relevant. From the moment TPPs start using dedicated interfaces, it could be possible to distinguish between consumers and other PSUs. ESBG Members believe that in these circumstances a distinction will be beneficial, because higher fraud rates could be expected on transactions made by other PSUs compared to transactions made by Members' own customers. The EBA is expected to provide the respective definitions though (for example, "no representative of any legal entity").

About ESBG (European Savings and Retail Banking Group)

The European Savings and Retail Banking Group is a Brussels-based association that helps its member savings and retail banks thrive, focus on providing service to local communities and boost SMEs. ESBG brings together nearly 1000 savings and retail banks in 21 European countries that believe in a common identity for policy in Europe. Its members represent one of the largest European retail banking networks, comprising one-third of the retail banking market in the European Union, with 190 million customers, more than 60,000 outlets, total assets of €7.1 trillion, non-bank deposits of €3.5 trillion, and non-bank loans of €3.7 trillion. ESBG members come together to agree on and promote common positions on relevant regulatory or supervisory matters. Learn more about ESBG at www.wsbi-esbg.org.

European Savings and Retail Banking Group aisbl
Rue Marie-Thérèse, 11, B-1000 Brussels
Tel: +32 2 211 11 11
Fax: +32 2 211 11 99
Info@wsbi-esbg.org
www.wsbi-esbg.org

Published by ESBG. November 2017.