New fraud reporting fields a burden for PSPs

Collecting data necessary for two new fraud reporting fields under the second Payment Services Directive (PSD2) could prove difficult for some Payment Services Providers (PSPs), according to Manish Garg, founder and chief executive officer, Reflow.

“Those new fields do add some regulatory burden – it will require more time and resources,” he says. “Especially for the companies that are payment gateways and the acquirers, this definitely adds a greater burden. I think they will likely in the first or second instance not be able to provide this information because they are dealing with the SCA implementation at the same time.

“Probably when the SCA implementation is more stable and used widely then they would be able to provide this on a more regular basis.”

On January 22, the European Banking Authority (EBA) published changes to its guidelines on fraud reporting under PSD2. The amendments include changes to the frequency of fraud reporting for PSPs from a detailed annual report to one every six months. PSPs will be required to report data on transactions that are “domestic, cross-border within the European Economic Area (EEA), and cross-border outside the EEA”.

Also added to the guidelines are two data fields to be reported for transactions where “SCA is not applied for reasons other than an exemption to SCA”.

For transactions that fall outside the scope of SCA and the regulation’s exemptions, PSPs will have to fill out two new reporting fields to indicate whether the transaction was “merchant initiated” or “other”.

Exemptive measures exist under PSD2 where SCA doesn’t need to be applied. For example, for a recurring payment, SCA is applied to the first transaction and other subsequent transactions can reference the initial agreement.

But there are certain instances where transactions fall outside the scope of SCA, and its exemptions.

PSPs must report fraudulent transactions outside the EEA where the “payment initiation service provider is within the EEA and the account servicing payment service provider is located outside the EEA.”

But Garg says there may be less willingness from companies who are outside of the EU to provide the data.

“If a business or bank based in the US has a person who is coming into the UK making transactions, and the transaction is exempted, the bank or whoever that issuer is may not be able to provide sufficient data to the acquirer here in the UK or in the EU. That would not allow companies to [report] the data. So, there are operational challenges in terms of how the data can be complied.”

For Garg, the EBA wants to see the extent of fraud in transactions that fall outside of SCA and analyse whether there may need to be changes to the exemptions.

“If these [guidelines] are outside of the PSD2 regulation it is more on the business side [to] provide that information,” he says. “It’s not immediately analysed. There could be a problem if businesses need more time to compile the data as part of the reporting.

Related reading