Is EU legislation fighting or fostering fraud?

Have you ever received a text message asking you to enter your banking credentials to confirm a package delivery? Or spotted a product offer on your social media feed that seems too good to be true? Or even better, had an e‑mail sent to you personally, offering you a unique opportunity to make a very high-return investment and turn a hefty profit? These are all typical examples of the scams criminals use to try to get their hands on our money.

According to data collected from banks, Finns lost a total of €32.4 million to digital fraud in 2022 and more than €44 million in 2023. The actual figures are likely to be even higher because not all money lost to scammers is reported to banks. The trend is similar all over Europe. In fact, digital fraud is such a rapidly growing and highly lucrative industry that it may even be more lucrative than drug-related crime.

The European Commission began addressing payment fraud as early as the Second Payment Services Directive (PSD2), which came into effect in 2019 and is now being revised. One of the directive’s key measures for reducing payment fraud was the introduction of strong customer authentication in electronic payments. This has significantly reduced card fraud.

But when one door closes, scammers open another one – and they sure seem to have a knack for finding new doors. Scammers employ a variety of methods: sometimes they trick their victims into making the payment transactions, other times they get their victims to give them their banking credentials so that they can make the transfers independently. In the most extreme cases, fraudsters make their victims accessories to crime by laundering illegally acquired money through the victims’ bank accounts, turning them into money mules without their knowledge.

The Commission has proposed new measures to combat payment fraud in the new set of legislative proposals to amend the PSD2, which includes the Third Payment Services Directive (PSD3) and a new Payment Services Regulation (PSR). One of the measures is enabling payment service providers to share fraud-related information between themselves. This is very desirable in itself, but as the proposal stands now, payment service providers may only exchange unique payee identifiers if at least two customers have reported the transfer as fraudulent. This two-customer requirement threatens to blunt the effectiveness of the measure. In practice, the scope for data sharing will ultimately depend on the interpretations of national data protection authorities.

The Commission’s proposed measures also include an obligation for banks to increase awareness of payment fraud among their customers. Member states are obliged to take part in this education work. This, too, is a highly supportable measure. Banks are already using a variety of channels to increase customer awareness, but a government campaign run on television could improve reach significantly. As customers, we really need to be informed and vigilant because most modern scams involve us being tricked into giving our banking credentials to scammers or even transferring money to them ourselves.

To protect consumers, the Commission is also proposing to extend IBAN/name matching verification services to all credit transfers. The IBAN/name check verifies whether the IBAN and the name of the payee match those provided by the payer. This verification requirement was first included in the swiftly adopted Instant Payments Regulation (IPR) and will start applying to instant payments from October 2025.

It remains to be seen what kinds of payment fraud this measure will manage to prevent and to what extent. It will hardly be able to stop scammers who have managed to get hold of their victim’s banking credentials and can make the payment transactions themselves. After all, in these cases the fraudster knows full well who the payee is. I am also doubtful of how effective the verification requirement will be against social engineering fraud, which relies on manipulation. Romance scammers, for example, may be able to make their victims’ heads spin so thoroughly that the victim will easily buy a carefully crafted story of why the account holder has a different name than the dashing American pilot who is to receive the money.

The PSD3 proposal’s updates to strong customer authentication requirements seem to represent a step backwards in terms of security. The strong customer authentication mechanism introduced in the PSD2 requires the use of strong authentication factors from two out of the following three categories: something only the user knows (e.g. a password), something the user is (e.g. a fingerprint) and something only the user possesses (e.g. a mobile phone).

Somewhat surprisingly, the Commission is now proposing that the required two authentication factors could belong to the same category, meaning that strong customer authentication could be based on two passwords, for example. Specialists do not think that this in any way constitutes strong authentication or improves security. In proposing this change, the Commission must have focused on its other objective, the ease of payments. However, the unfortunate fact is that the ease and security of payments tend to lie at opposite ends of the spectrum. One would hope that legislators would prioritise the latter.
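As an added illustration (not part of the column), the following Python sketch models the two rules the text contrasts: the PSD2 rule that factors must come from at least two distinct categories, and the proposed relaxation under which two factors of any category suffice. The factor names and their category mapping are constructed examples.

```python
from enum import Enum
from typing import Iterable

class Category(Enum):
    """The three factor categories in the PSD2 definition of strong customer authentication."""
    KNOWLEDGE = "something only the user knows"        # e.g. a password
    INHERENCE = "something the user is"                # e.g. a fingerprint
    POSSESSION = "something only the user possesses"   # e.g. a mobile phone

# Constructed mapping of example factors to their category (assumption, not from any regulation).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
    "phone_otp": Category.POSSESSION,
    "hardware_token": Category.POSSESSION,
}

def psd2_is_strong(factors: Iterable[str]) -> bool:
    """PSD2 rule: at least two factors, drawn from at least two distinct categories.
    Two factors from one category (e.g. two passwords) do not qualify."""
    factors = list(factors)
    categories = {FACTOR_CATEGORY[f] for f in factors}
    return len(factors) >= 2 and len(categories) >= 2

def proposed_is_strong(factors: Iterable[str]) -> bool:
    """Relaxation described in the text: two factors suffice regardless of category."""
    return len(list(factors)) >= 2

def compare_rules(factors: Iterable[str]) -> dict:
    """Evaluate a factor combination under both rules so the difference is visible."""
    factors = list(factors)
    return {"psd2": psd2_is_strong(factors), "proposed": proposed_is_strong(factors)}

if __name__ == "__main__":
    for combo in (["password", "phone_otp"], ["password", "pin"], ["fingerprint"]):
        print(combo, compare_rules(combo))
```

The password-plus-PIN case is the one the column objects to: it passes the proposed rule but fails the PSD2 rule because both factors can be phished in the same way.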

The conflict of motives is also apparent in the IPR. It aims at near-instantaneous credit transfers that arrive in the recipient’s account within 10 seconds. But speed is not a synonym for security either, which is why the IPR introduced the IBAN/name matching verification requirement to help curb fraud.

The 10-second rule introduced in the IPR blocked sanctions screening, an established means to combat money laundering and terrorist financing. Sanctions screening would have slowed down instant payments unnecessarily, so legislators banned banks from performing it on a transaction-by-transaction basis under threat of a fine. But because legislators nevertheless felt that it is important to keep fighting crime, they allowed banks to continue to screen their customers against sanctions lists.

As a measure to increase the safety of payments, the PSD3 proposal widens banks’ liability to cover refunds for fraud based on the impersonation of bank staff. In this kind of impersonation fraud, the fraudster contacts the customer pretending to be an employee of the customer’s bank and tricks the customer into making a money transfer. Under the PSD3, banks would have to recompense fraud victims for the full amount of the fraudulent transaction, except in cases of gross negligence by the victim.

At the moment, victims are only entitled to a refund in cases of unauthorised payment transactions where fraudsters use phished banking credentials. Even the current situation is peculiar in terms of the basic principles of damage compensation, because it puts the liability for the damages on the bank, which is not party to the fraud.

What’s more, refunding victims does not help reduce crime. Quite the contrary: Featurespace, a British company that uses adaptive behavioural analytics and real-time machine learning to detect fraud in the financial services sector, has found that the more extensive a bank’s fraud refund policy is, the more likely its customers are to fall victim to fraud. The explanation for this lies in the tendency of us humans to become less prudent when the risks are small. We are generally more prepared to take small rather than large financial risks, and knowing that banks will refund fraudulent transactions reduces the risks for us customers. It frightens me to think how much a more extensive refund requirement could increase the success of fraud, driving even more money into scammers’ pockets.

We need effective tools for preventing fraud at all levels. Banks must improve their ability to spot potential criminal activity. In Finland, banks have been able to successfully improve their performance: the number of detected fraud attacks grew by 80% from 2022 to 2023 (which is a lot!), but banks were able to increase the amount of intercepted and recovered funds by almost 140%. As customers, we must also improve our own ability to spot fraud attempts.

In the end, both banks and customers can only react – or not react – to the fraud attempts that we are bombarded with in every channel. It would therefore be vital to call attention also to where fraud attempts first see the light of day: the channels through which fraudsters approach us.

Scams often use text messages, e-mails or social media channels as their platform. Before the Commission put forward its proposal for the revision of the PSD2, attempts were made to stir up discussion about the platforms of fraud, but they fell flat, and the proposal only came to include a vague request for telecom operators to work together with banks to prevent fraud.

Finland is already ahead of the game in this, obliging telecom operators to prevent the spoofing of phone numbers that makes calls and text messages look like they come from a legitimate organisation or person. Thanks to this, operators report that they are now able to prevent tens of thousands of scam calls and text messages a day. Despite the success of this recent obligation, banks report that scammers still have too many loopholes to exploit and that the figures for 2024 are going to remain on a par with the previous years.

Everyone with intimate knowledge of digital fraud – even some legislators – seems to see eye to eye on the importance of taking a hand in the communication channels used by scammers. But what seems to be stopping this from happening is the Commission’s silo approach. Of the Commission’s Directorates-General, DG FISMA is responsible for payment services regulation and DG CONNECT for communications networks. DG FISMA feels it can only regulate payment services providers, whereas DG CONNECT seems to feel no need to solve a problem that surfaces in another DG’s remit, regardless of its origin.

The Commission’s legislative proposals for the PSD3 and the PSR are currently being discussed between member states at the Council, after which they will enter the trilogue between the Parliament, the Council and the Commission. We can only hope that legislators will be able to look at the big picture and come up with solutions that will actually help prevent fraud instead of trying to shift an even larger part of the financial responsibility to banks. Unlike the pockets of criminals, even bank vaults are not bottomless.

Teija Kaarlela

Head of E-Services, Payments and Banking Regulation