European Legislators Playing Catch-Up On Payment Fraud Rules, Says MEP

European parliamentarian Ashley Fox has accused legislators of drafting rules on strong authentication that — less than a year ahead of their introduction — are already lagging behind the payments industry’s hi-tech approach to fighting fraud.

Speaking to PaymentsCompliance, Fox took aim at incoming regulatory technical standards that will take effect from September 2019 and supplement the revised Payment Services Directive (PSD2).

He said that progress in the sector has been remarkable in the past half-century, and with the rapid uptake of contactless card payments and mobile transactions customers are driving significant improvements in speed and efficiency.

“But there’s a ‘but’,” he said. “Public policymakers — by which I mean regulators and politicians — are really not keeping up with this. We provide outdated regulations and we slow up the rate of technological change.”

Fox, a Conservative Party MEP and active participant in the European Parliament’s Economic and Monetary Affairs Committee, pointed to the incoming requirement that strong authentication be carried out on all online transactions of more than €30 in value, unless the payment provider’s fraud rates are below certain thresholds.

“What purpose does that serve, other than to make politicians feel better? The reason I say that is because it’s the industry that already is responsible for a fraudulent transaction, so they have every incentive to use that technology to minimise fraud,” he said.

“I’ve been in a teaching session where I’ve seen industry demonstrate what they already do to minimise fraud. They look at the way I move the mouse when I make a transaction, they look at my location, they look at the device I’m using, they look at my purchase history.

“They absolutely do not need this arbitrary rule.”

That requirement was controversial from the start. When first proposed by the European Banking Authority in 2016 there was no exemption available based on fraud rates, prompting pleas from providers concerned about customer drop-off when shopping online.

Providers argued that existing tools for transaction risk analysis often make two-factor authentication redundant, and some questioned where the €30 figure had come from in the first place.

The final text was changed so that for online card payments between €30 and €100, the exemption will be applicable if risk analytics are used to keep fraud below 0.13 percent. The threshold then drops to 0.06 percent for payments between €100 and €250, and to 0.01 percent for transactions between €250 and €500.

For credit transfers, the thresholds are significantly lower.
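To make the exemption rule just described concrete, here is a small decision helper written for this page (it is example code, not anything published by the EBA, the PSD2 text or any payment provider). It encodes the card-payment bands and reference fraud rates quoted above; how a provider measures its fraud rate is not stated in the article, so the value-based rate over a fixed window used here is an assumption, as is treating each band's upper limit as inclusive. The credit transfer thresholds are not given on the page, so only card payments are modelled.

```python
"""Added example: PSD2 transaction-risk-analysis (TRA) exemption check for
remote card payments, using the bands and fraud-rate thresholds quoted in the
article. The way the fraud rate is measured (value-based, over a window of
past transactions) is an assumption made for illustration only."""
from dataclasses import dataclass
from decimal import Decimal

# Upper limit of each band in EUR (assumed inclusive) and the reference fraud
# rate (percent) the provider must stay strictly below to claim the exemption.
TRA_BANDS = [
    (Decimal("100"), Decimal("0.13")),   # more than EUR 30 up to EUR 100
    (Decimal("250"), Decimal("0.06")),   # EUR 100 to EUR 250
    (Decimal("500"), Decimal("0.01")),   # EUR 250 to EUR 500
]
SCA_FLOOR = Decimal("30")   # the rule applies to transactions of more than EUR 30


@dataclass(frozen=True)
class Txn:
    """One settled card transaction, labelled after the fact as fraudulent or not."""
    amount: Decimal
    fraudulent: bool


def fraud_rate_percent(history):
    """Assumed measurement: value of fraudulent transactions as a percentage of
    the value of all transactions in the window. An empty window yields 0,
    which a real provider should not treat as evidence of low fraud."""
    total = sum(t.amount for t in history)
    if total == 0:
        return Decimal("0")
    fraud = sum(t.amount for t in history if t.fraudulent)
    return fraud / total * 100


def sca_required(amount, provider_fraud_rate):
    """Return True when strong customer authentication must be applied.

    amount and provider_fraud_rate may be numbers or numeric strings; they are
    converted to Decimal so that money values are not subject to float drift.
    """
    amount = Decimal(str(amount))
    rate = Decimal(str(provider_fraud_rate))
    if amount <= SCA_FLOOR:
        return False                      # the >EUR 30 rule is not triggered
    for limit, reference in TRA_BANDS:
        if amount <= limit:
            return not (rate < reference)  # exemption only if strictly below
    return True                           # above EUR 500: no TRA exemption


def evaluate(amount, history):
    """Combine the measured fraud rate with the band rule for one payment."""
    rate = fraud_rate_percent(history)
    return {"fraud_rate_percent": rate, "sca_required": sca_required(amount, rate)}


# Constructed sample window: 1,999 clean payments of EUR 100 and one fraudulent
# one, i.e. EUR 100 of fraud on EUR 200,000 of volume, a 0.05 percent rate.
SAMPLE_HISTORY = [Txn(Decimal("100"), False)] * 1999 + [Txn(Decimal("100"), True)]

if __name__ == "__main__":
    for amt in ("30", "80", "200", "300", "600"):
        print(amt, evaluate(amt, SAMPLE_HISTORY))
```

With the constructed 0.05 percent rate, a €200 payment can be exempted (0.05 is below the 0.06 reference for the €100 to €250 band) while a €300 payment cannot (the €250 to €500 band requires a rate below 0.01), which is the value-banded behaviour Fox criticises.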

According to Fox, tying strong authentication to value-based transaction thresholds is fundamentally flawed, not least because criminals are still able to operate under the radar.

“If you are a fraudster you’re going to make more money if you can continue to use a card or an account for a long time, taking a little bit now and then,” he said.

“If you try and do a £5,000 transaction you’re almost certain to get caught. So why don’t we let the industry decide the best way to minimise fraud, and let them get on with it?”

In his view, PSD2 would have been more effective if its objectives were outcome-based rather than mandating precisely how payment providers go about preventing fraud.

Part of the motivation for introducing tough controls on online payments stems from the significant improvements already made in tackling point of sale (POS) card fraud.

According to figures collated by Accenture in June, global losses to e-commerce fraud vary considerably but likely total between $25bn and $40bn per year.

Part of that e-commerce fraud is attributable to increased security at POS terminals, typified by the adoption of chip-based card payments rather than reliance on the magnetic stripe.

The European Association for Secure Transactions (EAST) published a report last week revealing that losses due to card fraud at payment terminals have fallen to a 13-year low.

Within the EU, it found just 6,790 incidents of payment terminal-related fraud in the first six months of this year, of which only 985 were due to skimming. That marks a drop of more than 80 percent since 2010.

However, there has been a rise in other types of payment fraud — not least authorised push payment fraud, where the victim is tricked into making a bank transfer to an account controlled by a fraudster.

Data is scarce, but efforts from UK regulators to tackle the problem have unearthed some figures: a total of £145.4m was lost to authorised push payment fraud in the first half of this year.

Fox said that is another illustration of the futility of strong authentication regulations.

“No amount of secure authentication is going to make any difference if I managed to trick you into putting in your password, or pressing a button,” he said.

“That really is your fault as a consumer, isn’t it?”

The Payment Systems Regulator has pressured banks into developing a confirmation of payee system, which would issue a warning if the name of the receiving account’s holder does not match the intended recipient.

Fox declined to comment on that initiative, but said that generally he would favour an approach that prioritised customer education over heavy-handed regulatory intervention.

“There is an educational role for financial authorities,” he said.

“My bank always says things like, ‘we will never ask you for your password’ and ‘if you’re in doubt, call this number and we can check whether this is a proper request or not’.

“It’s probably sensible that financial institutions should have a policy of making sure their customers are educated on this type of financial fraud.”

On strong authentication, Fox admitted that with the standards already finalised at EU level and due to take effect within 11 months, there is no way back “in the short term”.

“But these regulations will be revisited — I suppose there will be a PSD3 at some point,” he said.

“I think what will happen is we will see payment providers driving down fraud as best we can, and we will soon get evidence that strong customer authentication at €30 pays not the slightest difference to their efforts.”