Collecting data necessary for two new fraud reporting fields under the second Payment Services Directive (PSD2) could prove difficult for some Payment Services Providers (PSPs), according to Manish Garg, founder and chief executive officer, Reflow.
“Those new fields do add some regulatory burden – it will require more time and resources,” he says. “Especially for the companies that are payment gateways and the acquirers, this definitely adds a greater burden. I think they will likely in the first or second instance not be able to provide this information because they are dealing with the SCA implementation at the same time.
“Probably when the SCA implementation is more stable and used widely then they would be able to provide this on a more regular basis.”
On January 22, the European Banking Authority (EBA) published changes to its guidelines on fraud reporting under PSD2. The amendments include changes to the frequency of fraud reporting for PSPs from a detailed annual report to one every six months. PSPs will be required to report data on transactions that are “domestic, cross-border within the European Economic Area (EEA), and cross-border outside the EEA”.
Also added to the guidelines are two data fields to be reported for transactions where “SCA is not applied for reasons other than an exemption to SCA”.
For transactions that fall outside the scope of SCA and the regulation’s exemptions, PSPs will have to fill out two new reporting fields to indicate whether the transaction was “merchant initiated” or “other”.
Exemptive measures exist under PSD2 where SCA doesn’t need to be applied. For example, for a recurring payment, SCA is applied to the first transaction and other subsequent transactions can reference the initial agreement.
But there are certain instances where transactions fall outside the scope of SCA, and its exemptions.
PSPs must report fraudulent transactions outside the EEA where the “payment initiation service provider is within the EEA and the account servicing payment service provider is located outside the EEA.”
But Garg says there may be less willingness from companies who are outside of the EU to provide the data.
“If a business or bank based in the US has a person who is coming into the UK making transactions, and the transaction is exempted, the bank or whoever that issuer is may not be able to provide sufficient data to the acquirer here in the UK or in the EU. That would not allow companies to [report] the data. So, there are operational challenges in terms of how the data can be complied.”
For Garg, the EBA wants to see the extent of fraud in transactions that fall outside of SCA and analyse whether there may need to be changes to the exemptions.
“If these [guidelines] are outside of the PSD2 regulation it is more on the business side [to] provide that information,” he says. “It’s not immediately analysed. There could be a problem if businesses need more time to compile the data as part of the reporting.
Whitepapers
Related reading
Payments industry must adjust to heightened VAT reporting
New VAT reporting procedures will place an unnecessary burden on the payments sector, says Elie Beyrouthy, board member of the European Payments ... read more
Travel payments predictions 2020
By Jeremy Dyball, head of commercial, payments, Amadeus Just a few years ago it was customary to pay for travel with cards, ... read more
Open Banking raises fraud liability concerns
Banks and third-party providers may suffer from ambiguity in fraud accountability, according to members of the Open Banking scheme. Rachel Gentry, information ... read more
Corporate level backing required for successful fraud prevention
Ensuring fraud prevention strategies are implemented across banks operations requires buy-in from corporate management, according to Rob Rendell, global client success leader ... read more