Thanks for watching our fraud and financial crime update! For more around PSD3 predictions, Payment Systems Regulator proposals, and payments industry news, please subscribe: / @feedzai.riskops
CHAPTERS:
0:00 Payment Systems Regulator Proposals & PSD3 Predictions
0:32 Looking Back at PSD2 and SCA
1:13 PSD3's Proposed Principles
4:34 Emerging Details of the PSR Proposals
TRANSCRIPT:
Before we get into PSD3, I firstly want to take a quick look back at PSD2 and in particular, Strong Customer Authentication.
A retrospective review carried out by the European Commission has concluded that SCA has broadly had a positive impact in terms of reducing unauthorized fraud. However, one of the unintended consequences of SCA is that it's allowed other fraud typologies to emerge, such as scams, or better known in the European market as spoofing.
Spoofing occurs when a victim is contacted by a scammer and the scammer convinces the victim to make an authorized transaction on their behalf. This presents a whole new set of challenges for banks in terms of protecting customers and better detecting those fraudulent transactions, and PSD3 attempts to address some of those challenges.
The first of these principles is IBAN-name checking. What it allows customers to do is validate that they're paying who they expect to pay through communication between the sending bank and the receiving bank. And in the event of a mismatch, a customer can be warned of that and potentially avoid a scam as it's occurring.
The second principle is a legal basis and framework that allows banks to more effectively share data amongst one another. So banks being able to share known bad data, such as known mule accounts, or known high-risk beneficiaries, will ultimately allow them to make better risk decisions as transactions occur.
The third principle is that banks will be asked to improve what they are doing from a fraud transaction monitoring perspective. Now it's unclear in detail what that means at this stage, but one possible outcome could be that banks are forced to move away from a rules-based approach to fraud detection, and focus more on an automated machine learning-led way of detection.
The fourth principle is around education of both consumers and staff members. What we're seeing is banks move away from traditional education awareness where customers have to go hunting to find best practices and guidance, and we're starting to see banks overtly put that into user journeys as transactions are occurring.
The fifth and perhaps most important principle, however, is that customers will have enhanced rights to refund if they fall victim to a spoofing scam. Currently in the EU, there's no law that mandates that customers have to be reimbursed if they fall victim to a scam. PSD3 looks to offer some enhanced consumer protection in the event that certain scam types occur.
That caveat of certain scam types is an important one, because currently the proposal outlines that victims will only be reimbursed if they're the victim of an impersonation scam. So that leaves questions around investment scams, romance scams, and all these other types of scams that we know are at large on the market.
The second caveat is that they may be entitled to a refund if there's a failure in the aforementioned IBAN-name checking service.
This is important for banks because their risk exposure will be greatly increased. Currently today, they're not providing those refunds. They're going to have that liability going forward. That means they’re going to have to find fraud budgets that they haven't previously had.
For those familiar with the concept of PSR, there are some clear parallels to what I described in PSD3. The concept of the PSR is that it offers enhanced consumer protection if somebody falls victim to a scam. So in principle, that means more refunds more often. It also means a 50/50 liability split in a world first between the sending bank and the receiving bank, putting emphasis on both sides of the transaction to do more when it comes to consumer protection in fraud detection.
Now, some details have emerged this week from the PSR that allow us to see firstly and most critically, an initial deadline date has been proposed, which will be April 2024. As we move towards that April deadline, finer details of the policy are starting to emerge, such as we now know that the initial proposal of £100 claim minimum limit has been removed and that anybody who is a victim of a scam, regardless of the loss amount, is in scope for a refund.
We also know that it will be faster payments only in the short term that are in scope for refund. This removes scams therefore that occur via a cash loss or via international transactions. The logic there is that data analysis shows that 97% of scams currently take place via the faster payment rails. Other payment types such as CHAPS will be considered in future iterations of the policy.
Информация по комментариям в разработке