
Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach debate - Wednesday, 28 Jun 2023

Authorised Push Payments Fraud: Discussion (Resumed)

We have received apologies from Senator Higgins. Today the committee will meet with officials from the Department of Finance on authorised push payment, APP, fraud. I welcome Mr. John Palmer, EU banking and payment policy in the banking division and Ms Sorcha Keogh, payments policy.

Witnesses who are physically present or who give evidence from within the parliamentary precincts are protected, pursuant to both the Constitution and statute, by absolute privilege. They are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way as to make him, her or it identifiable or otherwise engage in speech that might be regarded as damaging to the good name of the person or entity. Therefore, if their statements are potentially defamatory in respect of an identifiable person or entity, they will be directed to discontinue their remarks. It is imperative they comply with any such direction. Members are reminded of the long-standing parliamentary practice to the effect they should not comment on, criticise nor make charges against a person outside the House or an official by name or in such a way as to make him or her identifiable. I remind members attending remotely of the constitutional requirements that members must be physically present within the confines of the place that parliament has chosen to sit, namely, Leinster House, in order to participate fully in public meetings.

Mr. John Palmer

My name is John Palmer and I am responsible for EU banking and payments policy in the banking division of the Department of Finance. I am accompanied by Sorcha Keogh, who is responsible for payments policy in my area.

Recent years have seen an increase in the incidence of financial fraud and scams. The rise in this form of crime is a serious concern and the Department is actively working on this issue, including consultation with stakeholders, to develop policy solutions. The statistics on fraud provided to the committee by Banking and Payments Federation Ireland, BPFI, and the Department of Justice highlight the problem, although the information from the latter, the provisional crime statistics for 2022, show a welcome decline in technology-based fraud.

The policy governing payments services is set by the European Union and currently we operate under the second payment services directive, generally referred to as PSD2, which was transposed by SI 6 of 2018, the European Union (Payment Services) Regulations 2018.

Tackling fraud in payment services was a key objective of PSD2 and it introduced a key measure to prevent fraud in the form of strong customer authentication, usually referred to as SCA. PSD2 also set out strict security requirements for protection of consumers’ financial data. PSD2 enhanced customer protection through a focus on authorisation, including a requirement for consent to execute a payment transaction, and requirements for the payment service provider, PSP, to provide proof that the payment transaction was authenticated, recorded, and entered in accounts. It provided that for unauthorised transactions, the payer must be immediately refunded the amount of the transaction, subject to a maximum loss to the payer of €50 resulting from the use of a lost or stolen payment instrument, except where the payer is unaware of the loss or theft. Once users have notified a PSP that their payment instrument has been compromised, payers are not required to cover further losses.

A payer is also entitled to a refund from the PSP of an authorised payment transaction which was initiated by or through a payee and which has already been executed, if the authorisation did not specify the exact amount of the payment transaction when the authorisation was made and the amount exceeded the amount the payer could reasonably have expected.

Under PSD2, where a payment order is executed in accordance with a unique identifier, the IBAN as we all know it, the payment order is deemed to have been executed correctly where payment is made to the payee specified by the unique identifier. Where the unique identifier provided by a payer is not the unique identifier of the person to whom payment was intended to be made, the payment service provider is not liable for non-execution or defective execution of the payment transaction. In these circumstances, both the payee and the payer’s PSPs must make reasonable efforts to recover the funds involved and communicate all relevant information.

PSD2 is a maximum harmonisation directive, which means that the transposing regulation cannot go beyond the provisions of the directive. However, elsewhere in Europe and in the UK, some voluntary schemes exist to provide for refunds in the case of authorised push payment fraud, the subject we are discussing here. While there is currently no statutory reimbursement requirement in the UK for APP scams, some UK PSPs have signed up to a voluntary contingent reimbursement model code that sets a framework for how liability should be apportioned when a scam occurs.

The UK is progressing legislation, the Financial Services and Markets Bill, which revokes retained EU law relating to financial services, including PSD2, and amends the Payment Services Regulations 2017, which was the UK's transposition of PSD2. The amendment changes the liability of a PSP in cases where the payment order is executed subsequent to fraud or dishonesty and allows for the UK's Payment Systems Regulator to develop a mandatory scheme for reimbursement for APP frauds.

A key requirement in PSD2 was that the European Commission review the directive and, if appropriate, deliver a legislative proposal, by January 2021. For various reasons that was delayed but the review and accompanying legislative proposals were published today at 12 noon. We are aware from consultations carried out by the European Commission that the issue of APP fraud would be considered. Based on a brief examination of the proposals, the Commission is proposing expanding refunds for authorised payment frauds but not introducing full liability in all circumstances.

Finally, the retail banking review, which was published last November, recommended that the Department of Finance should lead on the preparation of a new national payments strategy to be completed in 2024. Work has commenced and the terms of reference will include a requirement that analysis should be done at national level on fraud in payments and see if the problems can be mitigated.

I am happy to address any specific questions that the committee may have or provide further details.

Deputy Conway-Walsh, it is all yours.

It is all mine. I am here on my own. I thank Mr. Palmer for his concise opening statement and for presenting the legislative context under which the financial institutions have to deal with fraud. Mr. Palmer stated we are currently operating under this second payment services directive, PSD2, which was transposed into law in 2018 and that this directive provided that for unauthorised actions, the payer must be immediately refunded the amount of the transaction. I have previously dealt with cases of unauthorised fraud where the bank said it would need up to six weeks to ascertain whether the fraud was authorised or unauthorised. Is it permitted under the directive or the legislation transposed into Irish law that they would take six weeks to do that?

Mr. John Palmer

To be honest, that is getting into detail that I did not look into. It does say that if it is unauthorised it has to be refunded but there is no requirement other than the case I outlined where authorised fraud has to be done. However, I am aware from the general reading of the regulation, and I will admit to being relatively new to the area, that they can investigate cases and can take some time to ascertain. Ultimately, if the payments service provider is out of order on that, the first step is for the customer to appeal internally and then if they are not satisfied with the outturn there, they can go to the Financial Services and Pensions Ombudsman. I would have to look into it and check it out.

I think that is part of it; the ambiguity between what is authorised and not authorised is very broad. Is that broadness intentional where some might be authorised but not authorised to the end of it in terms of the actual payment that is to be made? Would that be cleared up under the most recent version?

The Deputy hits on an important point. Obviously, in any fraud or any claim for refund for unauthorised or indeed authorised payments, where the customer is grossly negligent or there are other factors, it is possible not to refund them. However, the issue raised by her is, in fact, one of the points the Commission brings out in its review of the revised payment services directive, PSD2, that is only out today. It is saying the boundary is getting very blurred between the two, which is why it is proposing the changes it is proposing and, hopefully, not going as far as full reimbursement the way the UK has because social engineering is very complex. It was never thought of prior to PSD2. If we look at PSD2, the whole emphasis on fraud prevention is very much around the area of ensuring that cards are not being skimmed, that the person initiating the transaction is the person who owns the payment instrument, and the other end of things was never really thought about. That has changed. The Deputy is right; the boundary is getting blurred and the Commission is trying to address some of it in its proposals.

I appreciate for all of us, the most up-to-date information has only come out today and, therefore, we have not had the appropriate time to be able to do the proper analysis on it. Under the payment services directive, do banks have the responsibility to monitor suspicious activity and to protect customers, where possible, from the so-called authorised payment fraud?

Mr. John Palmer

They are required to monitor payment transactions, payment trends, activities, report suspicious activity and, where possible, warn customers about it. As far as I am aware, they do that. Banks have been known to. I have heard of several anecdotal cases where banks warn customers that they should not make a particular payment as it may be a scam. If the customer decides to go ahead, it is at their own risk in the current environment.

That is where the ambiguity comes into it. I put an example to Mr. Palmer which I have put to other witnesses in a case I have been dealing with on push payments where a confirmation text from say Apple Pay came in at the same time as the person attempted to make the online purchase, essentially attaching their bank account to the fraudsters' Apple bank account. The sender then assumed the text was to confirm the purchase they approved. This allowed the fraudsters to begin making transfers out of the bank account without being prompted by the banking app each time for approval. In the space of one minute, they made initial payments of €50, €200, and €400. All told, the account was cleared out. My understanding of that is that there is a long-standing practice that banks monitor suspicious activity, as Mr. Palmer said, particularly on credit cards. However, in the case I have outlined, the Apple Pay account was opened for the first time and immediately began making the transfers that clearly looked suspicious, yet the bank took no action. The issue is at what point the banks get involved. What are the statutory rights of customers in terms of the banks protecting them from authorisation-based fraud?

Mr. John Palmer

At the moment, there are no provisions in the payment services directive, or the transposition of it that we did, providing for refunds in the case of authorised push payment fraud other than the one I mentioned in my opening statement, which was the only one I could identify, where an authorisation was given but not for the exact amount and then when the bill comes in, it is much higher than a person would have expected. In that case, the directive specifically mentions other factors. It was higher than one could have reasonably expected it, taking account of previous payment transactions and any other factors. That is an example where one would expect the bank to step in to try to prevent it because it would be on the hook if the customers looked for a refund, although it does put the onus on the payer, that is the customer, to prove the case.

That is the ambiguity that will give rise to many cases that will be contested.

I was also interested in Mr. Palmer's comment that the payment services directive 2 is a maximum harmonisation directive, which he states means transposing the regulation cannot go beyond the provisions of the directive. To be clear, does this mean the Government is precluded from bringing in stronger legislation to go further than the existing EU directive? How exactly are maximum harmonisation directives legislatively implemented? Are there sections in the transposed directive, through the 2018 statutory instrument, that commit the Government to not bringing forward additional legislation or is it based on an intergovernmental agreement not to go beyond the directive? Will Mr. Palmer comment on what can and cannot be done?

Mr. John Palmer

I was trying to be brief on this. It is a maximum harmonisation directive, which means we cannot go beyond its provisions. In most maximum harmonisation directives, there are several, what we call, member state discretions. There were several in this directive but none relates to this area of fraud. Colleagues who were dealing with it at the time held the normal public consultations and we used the discretions allowed in all but one case. With maximum harmonisation, we cannot go beyond what the directive says. That is simply a treaty obligation; there is nothing we can do about it.

As regards whether we could do more, the flip side is that if a directive does not deal with a matter, and PSD2 does not deal with authorised push payment fraud, there is a possibility to separately bring forward domestic legislation on it. We were looking at it to see whether anything would rule it out. We have some issues of concern about the directive as it stands. However, we should draw the committee’s attention to the fact that very recently, in an answer Commissioner McGuinness gave to Chris MacManus in the European Parliament, she stated that as the directive does not contain any provisions relating to a liability regime for authorised push payment fraud, member states are free to introduce such regulations at national level. That said, if we were going to proceed down that path, we would be looking for a lot of legal advice on our own because it is one thing for the Commissioner to say it but that would not stop an affected payment service provider, PSP, taking a case stating Ireland had gone beyond the directive, if we did. Basically, it would be a very complex legal issue.

I can see we have a lot of work to do in this area.

I am particularly interested in what Britain will do now that it has left the EU. It is making its, what was heretofore voluntary practice, mandatory. It seems to have much tighter rules around this than we will have in the future. I am trying to get at what the picture between the two islands might look like, as we are so closely connected financially.

Mr. John Palmer

Sure. What the UK is doing is extremely interesting. We are monitoring it. We even talk to officials there about it occasionally to get more information. Of great interest to us is the fact that the UK will only make it mandatory when the retained EU law is revoked, PSD2 in essence, and will enact a new law to specifically allow for it. That is a little bit of an alarm bell for us, if we were to go down that path.

We are aware of the other elements of the scheme. The UK is going for a 50:50 split. It has certain logic, which Deputy Doherty has put to people in the past. The logic of the UK payment services regulator in the consultation report or its impact assessment was that this would create an incentive to invest in measures to stop push payment fraud, primarily at the receiving account end. The opening of fraudulent accounts would be stopped, which in theory should never happen anyway if anti-money laundering and know-your-customer provisions are being followed correctly, as the Deputy will be aware. However, it would not stop money mules.

One of the things I was interested in with regard to the UK logic on that was how many of the frauds in the UK are domestic, that is, in how many cases both sending and receiving entities, especially the receiving entity, are UK entities?

According to UK Finance's excellent Annual Fraud Report, 98% of APP fraud there occurs on a domestic UK payments system called Faster Payments. In Ireland we do not have a domestic payments system anymore. We used to but we now operate under the single euro payments area, SEPA, rules and there are various pan-European payment service providers, including as part of the ECB.

The only statistics I could find for Ireland were the Central Bank's payment statistics for 2021, which tell us just under 78% of domestic payments are domestic in Ireland, or in other words, payments done through Irish-resident payment service providers. By volume or number of transactions it is 78% and by value it is just over 35%. That changes the dynamic because if we were to do a domestic reimbursement scheme a bit like the UK one, we could possibly bring in that Irish-resident PSPs are required to refund something, but we would not be able to force non-Irish PSPs to do it. There might then be issues with a level playing field, competition issues and barriers to entry because obviously if a person is going to become resident in Ireland he or she will be subject to this. There are an awful lot of issues to think through and analyse.

I thank Mr. Palmer.

I thank our guests for coming in. I put it to them that when parliamentary questions were asked very directly about the introduction of domestic legislation and its compatibility with the payment services directive, the information on the public record was false if not misleading, given what the Commission has now put into the public record. I say that as somebody who has been raising the need for the Government to move on APPs for a year now. When questions were put directly about whether this could be introduced in light of the payment service directive, the answer that was given could only be interpreted in one way, which is that it could not. I asked:

... if a requirement for payment service providers to compensate customers where authorised push-payment fraud occurs would require new legislation, to, for example, give the Central Bank powers to require compensation; if such legislation would be possible under [the revised Payment Service Directive] PSD2; and if [the Minister for Finance] will make a statement on the matter.

Part of the answer prepared for the Minister was:

Member States shall not maintain or introduce provisions other than those laid down in this Directive.

PSD2 provides the customer with recourse for unauthorised transactions. However, it does not directly provide recourse for the customer in the case of authorised push payment fraud.

Is it not clear now, as Mr. Palmer has said to this committee, that there should have been another paragraph in there, namely, that the directive is silent on APPs and therefore it is not curtailed by the provisions of the directive?

Mr. John Palmer

I am looking at some of the parliamentary question replies on my screen. I think in at least one reply the Minister said it was silent and that held out the possibility of domestic legislation. The focus for us is that we have been awaiting the Commission's review of PSD2. As I said, we were aware from its consultation that it was looking at APP fraud. Our policy generally is that we like to see an EU-wide solution so we have a level playing field and do not have some people benefiting and others not because the payment was to a receiving PSP outside Ireland. We will happily review the replies we gave to the Deputy's parliamentary questions and see-----

With respect, whatever about the reasons the Department may not want to do this domestically, I have two questions dated 22 February and it was later I actually put on record the Commission's view, which is:

Since the Directive does not contain any provision on a liability regime for authorised push payments fraud, Member States are therefore free to introduce such regulations at national level. This possibility is also open to payment service providers on a voluntary basis.

Mr. John Palmer

Yes.

It is only after I put that on the record that the Department made it clear for the first time, after being asked numerous times, and after the Minister responded in the Dáil that it appeared it was not possible to introduce provisions other than those that were laid down in the directive, but that only applies to unauthorised push payments.

Mr. John Palmer

Sure. We will review all the answers we provided to the Deputy. If we are in the wrong, we will go to the Minister and correct the record. However, there was never an intention to say that because frankly, we have been poring over this quite a bit, when we have had a chance, to see what the situation is. There are several provisions in the payment services directive that run one way and then the other. It is silent on APP fraud because that was not envisaged back when the directive was done. We knew there was a possibility there, but we also have to see whether there are other provisions in the directive that might run contrary to it or cause a problem.

We run into potentially the same issue with the new proposals from the Commission, which we have yet to study in detail as they only came out a couple of hours ago. This time it will be a regulation. We would not normally be allowed to go beyond what a regulation says because it has got direct application and we will have to see whether there is any member state discretion in that and whether it is possible. The Commission has decided to expand refunds for APP in two spaces; namely, impersonation and if the new IBAN name verification check is not carried out correctly. It specifically states in the review that it will not go to full liability because it anticipates significant upheaval and large costs if it did. It seems a bit strange that the Commission would decide it will not introduce it but then suggest that we can. We will have to review it and see whether we can.

I am sorry, will Mr. Palmer explain that last point again?

Mr. John Palmer

I will see if I can find the note. It basically said:

The Commission believes that any changes to the PSD2 liability framework should contribute to reducing fraud but without creating a new moral hazard, which a general refund right could create, or simply reallocating the financial consequences of fraud.

The Commission also stated separately in the impact assessment that it was one of the options it decided not to proceed with because of the cost and upheaval it would cause.

Which options, just for clarity?

Mr. John Palmer

One of the options was full liability for fraud reimbursement. I am just saying it is interesting and instructive that the Commission has decided, when it had the opportunity to do so with its proposals on the new payment services regulation, not to introduce a full liability on banks and other PSPs for fraudulent payments caused by social engineering because it considers it "would have caused significant costs or upheaval in the market, for uncertain benefit". That is something we would have to take account of in analysis of whether it is a good idea to do it here.

Moving on from that, I assume the Deputy is interested in what we are doing on it-----

I just want to clarify this. The Commission has proposals out today. Mr. Palmer is saying it is interesting the Commission has not recommended dealing with this but that we can do it domestically. The question was whether the domestic legislatures have the power to do this. I asked this because we are fighting a battle with two hands tied behind our back with APP fraud. There are loads of issues here we will come to talk about, such as the lack of a shared database. The Commission is going to demand Mr. Palmer's colleagues in the Department of Justice get off their backsides and establish one.

I am not blaming the Department of Finance for this but it is a sad day when the European Commission directive is going to force us to do something with the banks that the authorities have been screaming for, which is to share information in real time. They are also going to have a compensation scheme. The reason I have been raising this issue and wanting to know whether we could domestically legislate for this, as other countries have done, is because we are fighting a losing battle. Authorised push payments are, in the main, not reimbursed to the customer. People are out hundreds of millions of euro. Account takeover fraud is up by 560% since 2019. Investment fraud is up 258%. Phishing, vishing and smishing are up 417%. As a legislator, I wanted to know whether we could legislate to do what other countries have done. I wanted to know if we could legislate to do confirmation of payee or do reimbursement schemes at whatever level, be that 50%, 10%, 90% or 100%. That question was not stated in my response. The question was whether it was compatible with PSD2 and I was given misleading and wrong information. That is really bad. If I have to go to the European Commission through my MEP to secure that information that I cannot get here as a Member of the Oireachtas, then there is a serious problem. Either the Department deliberately misled me in repeated responses in terms of parliamentary questions on this issue, or the Department was not aware that this could be legislated for domestically. It is one or the other.

Mr. John Palmer

It could be that the Department was not sure and could not pronounce either way.

If that is the case, the Department did not say that.

Mr. John Palmer

Yes. Commissioner McGuinness has stated in that reply that we can. However, as I said to Deputy Conway-Walsh, we would still need to get detailed legal advice. We did an informal check with our own legal unit in the Department and its view was that we would have to get detailed legal advice as to whether it is possible. The Commissioner stating it in a reply would not be a defence if a case was taken against us, having introduced one or having attempted to introduce one, by an affected PSP. We would have to be on very solid legal ground. That is all I can say on it. We will review the answers to see if the Deputy is correct in asserting that we have misled him. If we have done so, we will duly correct the record.

Okay. The point here with PSD2 is that it dealt with unauthorised push payments and it was a maximum harmonisation measure, meaning you cannot go beyond it and you have to do what is in the directive. Authorised push payments are different. The directive is silent on these. It does not deal with them. There is no directive on authorised push payments. There is no maximum harmonisation in terms of authorised push payments and that is what the Commissioner explains in her response to my colleague.

Mr. John Palmer

We will be raising this issue in the context of working groups and so forth as we move forward on to the payment services regulation proposal, that has just come out. We will engage with the Directorate-General for Financial Stability, Financial Services and Capital Markets Union, DG FISMA, on that to clarify it.

Does Mr. Palmer accept the view of the Department of Justice, that is, it is his Department that maintains lead policy in the area of authorised push payments fraud?

Mr. John Palmer

To the extent that it is within our remit, yes. However, once it is a crime, it is a crime. We have made it clear to the Department of Justice that we support the calls from the BPFI for the legislative changes they need to do the database. We very much welcome what we see in the Commission proposal, that it will give a Europe-wide legal basis for sharing fraud information.

I have read the transcript of the Deputy's engagement with the Department of Justice and the Garda Síochána. We welcome that they are moving ahead with that.

It is good to hear that the Department of Finance is of a similar view to that of the BPFI and others in relation to the shared database. The Department of Finance takes the lead in this policy area. Does Mr. Palmer believe-----

Mr. John Palmer

Once it becomes a crime, it is a matter for An Garda Síochána. Regarding legislative changes that can be made to help prevent fraud, or as the Deputy would like, cases where refunds were possible, we will work on those. However, the operational matters are for the regulator, the Central Bank, the PSPs themselves and the Garda Síochána and the justice system, once crimes have been committed.

Regarding the Department of Finance, I understand that things move to other Departments or authorities as crimes are committed. However the Department has lead policy in the area of authorised push payments. I gave the statistics earlier on. I make the point that we are fighting a losing battle but in my view, we are fighting it with both arms behind our back. Will Mr. Palmer point to me the success of his Department in relation to policy initiatives that have helped us in that fight over the last couple of years?

Mr. John Palmer

One of the documents issued today by the Commission regarding the successes of PSD2 states that in its estimation, secure customer authentication has helped reduce fraud by nearly 50%. As the policy Department that negotiated that and transposed it, that is an extremely helpful policy improvement. Only last year, we did the retail banking review. This made a large number of recommendations. In the area of consumer protection, we made various recommendations addressed to the Central Bank. As the Deputy is aware, the Central Bank is undertaking a very wide ranging review of its consumer protection code. We want to see a lot of changes in there that will help customers be treated fairly and hopefully help reduce fraud. We can only sell the policy framework. The Central Bank has its own work on policy to do in terms of the consumer protection code and other measures it can take to help reduce fraud.

I have been arguing that we should domestically legislate for confirmation of payee and the reimbursement scheme. That argument has not been taken on board by the Government. I understand that the Government sets policy and the Department is there to advise.

We now have the directive, which is going to do both those things I have been looking for.

Mr. John Palmer

It is actually a regulation.

Yes, a regulation that is going to do three of the things I have been seeking for the last year, namely, a compensation mechanism for authorised push payment fraud victims, a confirmation of payee scheme to be set up right across Europe, including here in Ireland and to force the State to enter into a fraud-share database. Does Mr. Palmer welcome the proposals from the European Commission?

Mr. John Palmer

Yes, I have already mentioned that the Department of Finance supports the database and would like to see that come through.

In terms of the compensation mechanism, I think we have to say that is a matter that needs to be looked at. I can explain how we expect to be looking at that in the coming year or so.

Regarding confirmation of payee, I do not see any problem with that. The proposal has only come out today so we have not gone to the Minister about it yet. However, it is already a feature of the single euro payments area, SEPA, instant regulation that should be heading towards trilogues shortly.

What proportion of payments in Ireland are instant payments?

Mr. John Palmer

Well, aside from the one well-known banking app that many of us use, very little. Although instant payments were permitted and allowed under PSD2, there was no real take-up of the system here. That is quite common. Some countries did do it, but most did not. That is one of the reasons why they brought out the SEPA instant proposal to make it the norm.

Confirmation of payee is badly needed. It is needed in this country more than any other country. Why? Because instant payments in the State are a tiny fraction of transactions. In other states they are over 90%. While the SEPA has this big feature, it only applies to less than 10% of payments in the State. Confirmation of payee is required to protect all of the rest of us who do not use instant payments or who only use them infrequently with Revolut and so on.

Mr. John Palmer

We welcome it. The Deputy may be aware that one of the issues the Commission highlighted in its review of PSD2 was that strong customer authentication, SCA, was more complex and more difficult to introduce than expected and was much delayed.

We were one of the countries that was a bit behind with bringing that in, as far as I know, but it has had a very strong effect.

As regards confirmation of payee, we certainly welcome it in the context of instant payment and in the context of the new proposals today. As to whether it is feasible for us to move ahead of everyone else and introduce it, I know it is in operation in some places, like the UK and the Netherlands, but it is not available in most places and it is not an easy thing to do.

Can I explain this to Mr. Palmer again? I am sorry, I do not mean “explain” and that was the wrong way to put it. In other European jurisdictions that do not have confirmation of the payee, the majority, in some cases 93%, of their payments are instant payments and they have this covered by SEPA. In Ireland, instant payments make up approximately 3% so we have the biggest gap in the market. If there was any country that wants to move ahead, it should be Ireland. We have this regulation now and I do not know how long it is going to take to implement. Can Mr. Palmer shed any light on that?

Mr. John Palmer

It is a large file. There are European elections and a change of Commission. We are probably talking of a number of years before it is finalised.

Is there any appetite for the Department to move ahead in regard to confirmation of payee?

Mr. John Palmer

It is not something we have discussed or broached yet with anyone. It is something we can look at or we can look at it in the context of the national payments strategy.

We have a huge problem with fraud, and authorised push payment, APP, fraud is an element of that. However, the figures provided to the committee by the BPFI suggest that it declined considerably in 2022, in terms of value anyway, if not numbers. That is to be welcomed. In terms of looking at the UK problem with this, we are bad but the UK really has a huge problem. According to the UK finance fraud report, something like £440 million of push payment fraud happened in the UK in 2022. The BPFI, which is the only one that can tell us, says it is just under €10 million here. Based on population, we are not as bad per capita but it should not be a source of complacency and we still have to take a lot of measures and do what we can to get that down.

It was the Department of Justice that gave me the figures. As Mr. Palmer said, the figures show a reduction in 2022 but an explosion in 2021, which was related to Covid, with more people at home doing online shopping, who were easier targets for fraud. One thing is very clear. If we look over a longer horizon, this is a losing battle. It is going up and up. We have had people from the BPFI at the committee saying that the problem is that, as other jurisdictions close down, including Britain, and have stricter regulations and so on, we can become an easy target.

I would like to move on to the issue of the third part of the regulation from the European Commission, which is the compensation mechanism. Mr. Palmer may elaborate on this but of the three measures, he was probably more cautious in regard to that measure. Has he reservations or issues in regard to the compensation measure? All types of fraud are wrong. Obviously, the banks are losing money through unauthorised push payments but with unauthorised push payments, the victims in the main are compensated. With authorised push payments, they are not. We have people losing tens of thousands of euro in investment frauds. We have people losing thousands of euro, if not tens of thousands, in romance scams. We have others losing thousands of euro in accommodation scams. There is no recourse for them. People could lose their shirt, lose their savings, on an account takeover but there is no compensation measure. If a person lives in Newry, Derry or Strabane, there is, but here, there is not.

That is why I particularly ask the committee to focus on this area and to push ahead with proposals that would secure, from a victim point of view and a consumer point of view, greater protections, but also force the banks to put in place the procedures that would help the banks to identify these types of fraud, like confirmation of the payee, which is so basic. This will result in the bank having to confirm that the person you are sending money to - the IBAN number - is really Joe Bloggs and not some other person who is scamming you. I do not understand why we have taken so long to introduce this. As I said, the regulation will now introduce this.

On compensation, will Mr. Palmer explain the Department's early view of the compensation proposals from the European Commission? They will compensate in two areas, or that is my understanding. They will compensate where the confirmation of payee was not carried out properly by the bank. If you make the payment and the bank told you that the IBAN matched the person's name, and it did not, then you are entitled to compensation. It will also compensate you where there is spoofing involved, where a person pretends to be from the bank and you make a payment. As a result, you are entitled to a 100% refund in that case, as long as you meet certain conditions. Has the Department concerns in regard to those measures?

Mr. John Palmer

While the Deputy obviously would allow us time to review them, do an analysis on them and so forth, an initial reaction is that we should probably be welcoming both of these. One of the reasons is that we are not doing it on a level playing field and it will be a European-wide solution. That is a very important thing. As regards going beyond that, there would be concerns, particularly if we were to go it alone. There is always a concern about this. Are we erecting barriers to entry? Would some of the smaller PSPs say the Irish market is not there? We have to remember that the UK market is a much bigger market so it can compensate with its size for a lot of barriers to entry because there is still a viable business proposition. We are quite a small market so we have to be careful about that.

There are all sorts of other issues about competition. This is one of the areas where we would be very interested to see what the committee recommends. If it does recommend that there should be a full reimbursement scheme, would it apply to all PSPs or just the large banks? What would be the impact of that in terms of competition? If people know that if they go with one entity, they are going to get a refund if they make a mistake and become the victim of a fraud, then why would they go with one that would not give a refund? That is a serious competition issue that would have to be considered.

In terms of where we are going with this, as the Deputy knows, the national payments strategy which was recommended by the retail banking review last year is to be completed by 2024. The Department is working on that. The terms of reference were only published yesterday but they include a requirement for it to examine or analyse fraud on a domestic basis and see what measures can or should be taken to help to address that. In that context, as regards all the measures on whether we should do the confirmation ahead of time, that would be a very good place to look at this, and then the whole area of APP reimbursement is another issue. Does it stack up? Would it provide a valuable way to encourage banks to invest more money to stop the fraud, or is there a danger that it would in fact become a pull factor for fraudsters?

As the Deputy has highlighted, the UK has stronger regulation and it already has the voluntary reimbursement code, yet push payment fraud there, as I said, was about £440 million last year. According to the BPFI, push payment fraud is about €10 million here, as opposed to the Garda figures, which are basically for full economic crime, not for push payment fraud per se. Given the UK population is about 13 or 14 times bigger, we would be up at around €140 million. Can we explain the difference between the two? Is it just that the UK is a larger market and it attracts a lot more fraudsters, or are there any other factors? We have to think through all of that analysis and do a lot of research to decide whether it would make sense.

I am not going to challenge Mr. Palmer's numbers at this stage because we are running out of time, but the €10 million is an underestimation.

Mr. John Palmer

Absolutely. The Garda says that and-----

And the Department of Justice.

Mr. John Palmer

Those are BPFI figures. People are more likely to report they are the victim of a fraud to their own bank but there will be people who will not.

There is under-reporting but even if it is-----

There is not only an under-reporting; the figure of €10 million is not the actual figure. The figure is a lot higher than that, as far as I am aware. I do not have the reply to the parliamentary question in front of me but the figure is higher than that.

Mr. John Palmer

This was recent information, which I think the BPFI just sent to the Deputy in response to his queries.

I may come back to that. Let us deal with reporting. From a policy perspective, the committee has asked the banks a series of questions. Bank of Ireland responded stating it reports all incidences of authorised push-payment fraud when it or somebody else is the victim. AIB stated it only reports fraud when it is the victim and it encourages the other victim, the third-party victim, to report it. I believe the same applies with regard to Permanent TSB. AIB definitely said that. I believe that, under criminal justice legislation, where someone believes a fraud is being committed, he or she has a responsibility to report the crime, even a suspected crime. I do not know how AIB is not reporting this but it is not doing so. It told the committee it does not report it when AIB is not the victim. Until today, Mr. Palmer's division held the majority shareholding in AIB, did it not?

Mr. John Palmer

It is not my division; it is the Minister.

The Department held it. In this day and age, why are these reports not being sent to the Garda? Why is there a different approach? We do not have many big institutions here, unfortunately. Why is it that one of two main lenders states it reports all cases of fraud to the Garda while the other states it does not, yet the latter runs advertisements asking people to report these crimes? It has the information.

Mr. John Palmer

I cannot answer that. It is definitely a matter for the banks. Whether they are, as Deputy Doherty contends, breaching justice legislation, I really cannot comment. To go back into deep history here, a protocol or whatever was done when we took over the banks under which we would not interfere in their operation. There is a hands-off relationship. These are operational matters for the banks. We cannot interfere. We are not supposed to go in there and be the shadow manager or the Minister a shadow director. Other than that, I cannot say. The committee put the matter to AIB, Bank of Ireland and co.

There are meetings with the banks during which issues come up. This is not directing the banks but simply saying to them, "For God's sake folks, report the fraud". They have the information, they know a fraud is being committed and they should pass it on to the Garda. They should not only do it when they are losing money. There are countless thousands of other people losing money and their cases should be reported as well. The banks have the information and Bank of Ireland is doing it, so why can the others not do it? That would not be a direction. I was not aware of this until AIB informed us. Perhaps the Minister was not aware of it either. I imagine he was not because it is surprising.

Mr. John Palmer

I certainly was not aware of it. The Deputy is putting me on the spot and it is not my area.

I am only raising it so that somebody will perhaps stick in a note, or perhaps somebody from AIB or Permanent TSB is watching.

It was interesting that AIB also went into great detail about the social media platforms. In Britain, compensation must be paid by some of the social media platforms. AIB confirmed to us that it runs anti-fraud campaigns on social media websites. It also stated these same online platforms receive income from criminals for paid advertisements and for hosting fraudulent websites. It is maddening that banks are paying for ads on social media trying to alert people of scams, the scammers are paying for ads on the same social media platforms and the social media platforms are getting paid twice.

We asked the banks to indicate how they take down some of these websites or how they alert the public to fraudulent ads. AIB stated:

... establishing direct contact with social media companies has proved to be difficult as social media companies do not engage at industry level or publish their fraud team members contact details. They utilise general e-mail boxes. The 'report ad' function [which any of us can see on Facebook and so on] that is in place for individuals is the same process that is utilised by organisations, including AIB and other financial institutions.

If we see an ad that is a wee bit dodgy, there is a "Report Ad" function. The board of AIB has no other direct contact than this same function. If AIB sees ads on any online platform - I am not saying specifically Facebook, Amazon or Google but it could be any of those - it has no way of making direct contact with any of those online platforms. AIB also stated:

When the Bank proactively reports cases, it is normal to receive a standard acknowledgement "the report does not breach community standards". No feedback is ever received from the companies on the background to or progress on their investigations, if any.

Mr. Palmer is not in charge of Google, Amazon, Facebook and all the rest but he is the policy lead on this issue. We cannot have a situation in which many of these companies are headquartered just down the road yet our financial institutions have no way of contacting them and saying the fraudulent websites targeting citizens across this State need to be taken down. If we have to legislate for it or do something about it, we have to do that. Other Departments have direct contact with these companies. There needs to be a pathway for financial institutions to instruct or alert social media organisations and platforms that there is fraudulent activity or that they are running paid advertisements that are fraudulent in the first place. I am not holding Mr. Palmer to account over that but asking him to try to deal with it. It is ridiculous in this day and age.

Mr. John Palmer

Different Ministers in different Departments have their own responsibilities. We can certainly raise the matter with them. As the Deputy is well aware, the BPFI has raised the issue with the relevant Department and regulator on many occasions and is seeking to get involved. I draw the committee's attention to one proposal in the draft payment service regulations, PSR, that came out today. The Deputy may think it is in a slightly limited way but it is in Article 59. It is about payment services providers' liability for impersonation fraud, which was mentioned earlier. This is a case which we should welcome. Paragraph 5 of Article 59 states:

Where informed by a payment service provider of the occurrence of the type of fraud as referred to in paragraph 1, [that is impersonation fraud] electronic communications services providers shall cooperate closely with payment service providers and act swiftly to ensure that appropriate organizational and technical measures are in place to safeguard the security and confidentiality of communications in accordance with Directive 2002/58/EC, including with regard to calling line identification and electronic mail address.

That is a very welcome development. We will have to talk to the Department of the Environment, Climate and Communications about it regarding what will be the competent authority and how this will work in that case.

The regulation is a couple of years down the road.

Mr. John Palmer

Yes. In the meantime, we will be talking to the Department sooner rather than later about this development, what it means and how it will work. At least it opens a line of communication. We can put the Deputy's other points to the Department and highlight his points.

I take Mr. Palmer's point.

The Government does not have an economic crime strategy, despite the Hamilton report recommending one over two and a half years ago. The Department of Justice would be the lead policy Department in relation to this. I am sure there is a lot of passing the buck in the room next door, from RTÉ, but the public wants this. We should take off the handcuffs and take this head on, instead of with two hands behind our backs. What role does the Department of Finance have, if any, in the development of this economic crime strategy? Will Mr. Palmer explain why it has been so delayed?

Mr. John Palmer

I would say the committee should bring in the Department of Justice and put the same issues to its representatives. They are the ones who can answer the questions, rather than me. I am not familiar with the process and what that Department is doing.

Does the Department of Finance have any input or is it led by the Department of Justice? Is there a role for the witnesses?

Mr. John Palmer

Although I was not involved in drafting the reply to the particular parliamentary question, there was a priority parliamentary question on this exact topic, economic crime, the other day that the Minister answered. I do not have the reply with me. That would be the Department's position, as far as I know.

I appreciate that.

Does anybody else wish to come in? No. Does the information published today have any impact on what Mr. Palmer was able to tell the committee this afternoon? Is it in any way contradictory? Has Mr. Palmer seen it? Has he looked it over?

Mr. John Palmer

The Leas-Cathaoirleach is talking about the Commission's proposals.

Mr. John Palmer

I had a very quick glance. They came out at noon. I very much concentrated on the bit regarding fraud in the review. It is as I have laid out and as I understand the position. We have been looking forward to this for a long time.

There is nothing else Mr. Palmer would like to warn us about. There might be something in there, hidden away in the top left-hand corner that the human eye cannot see at the moment but that it might be able to pick up at a later stage.

Mr. John Palmer

We have not had time to get to the top left-hand corner, so I am afraid not.

Will Mr. Palmer apprise the committee of the contents of it by way of letter, perhaps just to alert us as to what is in it?

Mr. John Palmer

We will be doing the standard Oireachtas scrutiny note in the next couple of weeks. We will happily send that on to the committee, although it will be coming to the Oireachtas anyway.

Does anybody else want to come in?

I wish to make a final point. The gaps here relate to the lack of joined-up thinking. Perhaps not completely a lack of joined-up thinking, but, rather, a question as to how everything fits in the context to the witnesses and their Department, the Department of Justice and the social media companies. There are many different actors and stakeholders. Whose responsibility is it to bring everything together to ensure that the consumer is protected? The weakness lies in getting that right across the board.

Information was provided by AIB, but the other banks have not reported back yet. The information the committee sought is extremely interesting regarding the social media companies and their hands-off approach to all of this. If there is a big piece missing there, who will ensure that all of those involved are accountable? It seems like everybody and nobody is responsible at the same time. There is no one arm of Government that is saying, “This is where the responsibility lies to ensure that we are protecting our consumers and citizens against that”.

I have a final question. Regarding preparation within the Department for AI and what that will mean in terms of being able to do quick analysis but also the financial fraud threats that it poses, how far are we thinking ahead?

Mr. John Palmer

With regard to the latter point, as the Deputy is aware, the Central Bank is carrying out a review of its consumer protection code. This will lead to a new consumer protection code. I suspect it will be a regulation in 2024. With regard to the banks and payment service providers, the Central Bank has the lead operational role. It supervises them. It has the consumer protection code and all that entails and what changes need to be made. AI should form a part of that. The basic policy position on consumer protection is that your rights should not change depending on the mode of delivery. With most financial products, we hear much about fintech. I am not talking about crypto and all the rest; that is very different. I am talking about the basic bread and butter – vanilla banking products. We have fintech involved now, so we are all paying with our phones and can do things online. However, ultimately, we are still using the same products. We still have a current account that we make payments with. We still have savings accounts and loans. The actual basic products are the same. Whether people access that product in a bank branch, over a counter, through An Post at the counter, online, through an app or using a phone, their rights should not be affected. That is the policy position. Making sure that happens is an operational matter, and that is where the Central Bank and the consumer protection code come in. They are there to ensure that people’s rights are respected and protected to the greatest extent possible.

We obviously try to liaise across Government. Ultimately, however, different legislative proposals must have an owner and they are the ones that do it. I hear what the Deputy is saying about the Departments of Justice and the Environment, Climate and Communications. We can certainly make representations to them and express our support for things like the database. However, we cannot physically go and do it.

I refer to the overarching mechanism to ensure that all of the parts fit together so that we are not leaving ourselves exposed, which we are at the moment. One of the biggest weaknesses identified is the co-operation of the social media companies with the banks in this. Whose responsibility is it to ensure that gap is filled?

Mr. John Palmer

As the Deputy knows, the BPFI has been making representations to ComReg. Has it been involved in that task force on nuisance calls?

Ms Sorcha Keogh

Yes.

Mr. John Palmer

It certainly wants to be if it is not. In respect of the social media companies and so forth, it has to be whoever regulates them, which is ComReg, I think, that can get them to take action. That said, one of the big principles that the Commission has to highlight in its impact assessment when it produces proposals is the "one in, one out" thing. When you bring in something, are you taking something out? It is far too easy for us to regulate and introduce burdens and obligations on the basis of this or that being a good idea. Again, who is taking the overall view? We can end up with serious overregulation, which may affect competition, affect new entrants and erect barriers to entry. It is a broad topic, but we have to be careful with what we are doing.

I completely understand but we cannot be careful to the point that we are falling behind with this. That is what I mean in terms of the overarching piece. We need to look at the unintended consequences that will occur. Somebody needs an overall view.

Mr. John Palmer

Sure. We do our best to take that overall view and we make representations to the other relevant parties. They have their own jobs to do and so forth. There are many things that different identities and representative bodies would have liked over the years, but when they go to the Data Protection Commission, it tells them they cannot do that, and for good reason. It has a job to do as well.

No doubt we will be discussing this again many times.

I thank our witnesses. Would Ms Keogh like to make a final statement or any closing remarks?

Ms Sorcha Keogh

No, I think we covered it.

That is okay. That concludes our proceedings. I thank the officials and members for their engagement. The committee will next meet on Wednesday, 5 July. This has been a very long month. Did people notice that? It seemed as if we could never get to July. I thank everyone.

The joint committee adjourned at 2.38 p.m. until 1.30 p.m. on Wednesday, 5 July 2023.