Joint Committee on Finance, Public Expenditure and Reform, and Taoiseach debate -
Wednesday, 12 Jul 2023

Authorised Push Payment Fraud: Central Bank of Ireland

We are joined from the Central Bank of Ireland by Mr. Colm Kincaid, Mr. Wesley Murphy, and Mr. Patrick Casey. We are dealing with the issue of authorised push payment, APP, fraud.

Members are reminded of the rules regarding privilege. Those on campus have full privilege but those off campus may only have a limited privilege. Members are reminded of the long-standing parliamentary practice to the effect that they should not comment on, criticise or make charges against a person outside the Houses or an official either by name or in such a way as to make him or her identifiable. I invite Mr. Kincaid to make his opening statement.

Mr. Colm Kincaid

I am joined today by my colleagues, Mr. Patrick Casey and Mr. Wesley Murphy. We welcome the opportunity to discuss the important issue of authorised push payment fraud with the committee.

Over the last number of years, two key trends have shaped the payments landscape for consumers and businesses in Ireland. Those are speed and innovation. Irish consumers and businesses benefited significantly from these trends and, in particular, from our integration into the European Union payments system under the single euro payments area, SEPA. Consumers and businesses can now make electronic euro payments to anywhere in the euro system in a fast, safe and efficient way.

Key to the proper functioning of such a system is trust. Together with the European Central Bank and other euro system national central banks, the Central Bank of Ireland shares a common goal, namely, "to guarantee that people have access to efficient payment solutions that meet their preferences and to ensure that transactions remain safe, underpinning confidence in our currency and the functioning of our economy". We are supported in this goal by strong legislative protections for users of payment services within the European Union, in particular through the payments services directive, PSD2. A key feature of PSD2 was to formalise payment security requirements in national law, including the application of strong customer authentication, SCA. It also introduced reimbursement for cases of fraud where the payment is not authorised by the consumer, known as an unauthorised payment fraud. Properly applied, the protections of this regulatory framework should give confidence to consumers and businesses in their day-to-day activities. We see this confidence borne out in the increasing extent to which payment activity has migrated to digital means with, for example, the number of card payments more than doubling in the past five years.

Unfortunately, as we see the benefits of digitalisation and an open payments system within the European Union, we also see the ongoing emergence of ever more sophisticated frauds. This includes fraudsters utilising social engineering tactics to defraud consumers into authorising the making of a payment from their account, known as an authorised push payment fraud or APP.

As the committee is no doubt aware, under the European framework for unauthorised payment fraud, liability rests with the payment service provider to reimburse the consumer.

However, the current EU legislative framework does not set out liability for authorised push payment, APP, fraud. This gap in liability was called out, for example, in the European Banking Authority’s June 2022 report to the European Commission. The Central Bank therefore welcomes the recent European Commission proposals to extend the liability of payment service providers to include the case of APP fraud where an IBAN discrepancy is detected but not notified to the payer and where the fraud involves impersonation of a bank employee.

In our Consumer Protection Outlook Report 2023, the Central Bank repeated its expectation of the firms we regulate to have effective measures to mitigate the risk of fraud, be proactive in identifying and dealing with cases of fraud and engage effectively with consumers who have been the victims of fraud. This includes taking steps to support victims of APP fraud to retrieve their funds where possible. There will also be cases of APP fraud where firms should compensate consumers to the extent that the consumer’s loss arises from a failure in a payment service provider’s own established systems and controls. As part of its ongoing review of the Consumer Protection Code 2012, the Central Bank is also considering what policy measures it can introduce within the scope of its specific rule-making powers to contribute to the protection of consumers in a digital environment more generally. The measures under consideration include requirements on the design of digital platforms, firms’ systems and controls and online security standards.

The sophisticated and multidimensional nature of APP fraud requires a co-ordinated approach across industry and with public sector agencies. We are aware of initiatives in other countries such as the Observatory for the Security of Payment Means created under French law, which promotes information sharing and consultation between all relevant parties, including consumer representatives, ombudsmen, law enforcement and regulators. We would welcome the opportunity to participate in any future equivalent forums that are mandated domestically, involving all the key private and public sector stakeholders in the payments area. As well as continuing to develop their own systems, it is also important that payment service providers continue to work together to consider the overall functioning of the system and ensure their customers’ interests are effectively protected. This could include considering co-ordinated measures such as the introduction of IBAN checks, while recognising that no one step alone will provide full protection. It also remains important to continue to raise public awareness of fraud. There is more we can all do as a combined effort to support this domestically. Last year, the Central Bank launched an online public awareness campaign and this information remains available on our website. We also note the initiatives of industry to raise awareness of fraud and we believe this topic should also feature in ongoing work at Government level on a national strategy on financial literacy.

On reimbursement and liability, we are clear that firms should take steps to seek to recover funds for consumers and should compensate consumers to the extent that any loss arises from a failure in the firm’s own established systems and controls. We also support the European Commission proposal to expand reimbursement to the cases of APP fraud the Commission has specified. The question of whether the law should go further nevertheless arises, possibly up to requiring that consumers be fully reimbursed in all cases of APP fraud. If so, who should bear this cost? These are important social policy questions that require careful consideration. Such consideration should include looking at all the actors involved, including social media and other communication mechanisms through which APP fraud is carried out. This includes any consideration of a voluntary reimbursement arrangement such as that in the United Kingdom. We note the discussions the committee held with the Banking and Payments Federation Ireland on this aspect. The Central Bank would support any such initiative by industry, while recognising it must be properly calibrated. We believe it would be most effective if pursued as part of a wider engagement on enhancements to prevent fraud where all relevant actors are involved, including those outside the banking and payments sector. This approach could also support the development of the proposed shared fraud database, which would be of benefit to relevant stakeholders to prevent and combat fraud across the financial system.

Fraudsters prey on consumer vulnerabilities. Combating such bad actors will require all parties to act together to protect and preserve the freedoms of the EU payments system which we have worked so hard to build for the benefit of our society. Working together with other regulatory authorities within the EU framework and law enforcement agencies in the State, the Central Bank is playing its part in securing the safety of that payments system. We welcome the European Commission’s proposals to enhance that EU framework and stand ready to play our part in any future consideration of how to further enhance the framework at EU or national level. In the meantime, our expectations of the firms we regulate are clear. They must have effective systems in place to identify and prevent fraud and they must support consumers who fall victim to it. This includes APP fraud, where we expect firms to, among other things, take steps to trace and recover money lost where this is possible. We also expect firms to take responsibility to compensate consumers to any extent that a consumer’s loss has resulted from a failure of the firm’s own established systems and controls. I thank committee members for their attention. I and my colleagues are happy to take their questions.

I thank Mr. Kincaid. Deputy Doherty will begin.

Thank you, Chairman. I welcome Colm Kincaid and the rest of the committee. I will start with some of what he had to say in the statement he read out. I want to deal with something Mr. Kincaid mentioned in his opening statement, namely, SEPA. We touched on it last week with other witnesses. Mr. Kincaid talked about the benefits of SEPA but SEPA instant payments were introduced in 2017 and across the EU 2,200 banks are operating them. How many banks in this State are operating such payments?

Mr. Colm Kincaid

I do not believe any banks in Ireland are operating the instant payments element of that. As the Deputy will be aware, it has had a mixed application across the EU and the EU legislation is now moving to make it mandatory. To be clear, in Ireland we have the benefit of being able to make euro-area payments across the Eurosystem and of course as a member of the EU we also have the passporting rights under the payment services directive for firms to provide their services across borders into Ireland and for people to access payment systems across the EU. The instant payments element of SEPA is yet to be made mandatory across the EU.

If I were to pay a supplier today for a service it provides to me and the bill was €2,000, when would it receive payment to its account?

Mr. Colm Kincaid

That would depend on the payment mechanism being used. It will vary across the different payment mechanisms that are being used, whether it is credit transfer, card payments, etc. As I said, the instant payments element provided for has had a mixed application across the EU.

The process would likely take a couple of days, would it not? The supplier will not get payment that day.

Mr. Colm Kincaid

It could typically be that, yes.

Yes. If I were in Finland, Germany, Estonia, Latvia, Spain, Greece, Portugal or others, the likelihood is the supplier will get payment in 15 seconds. Is that not the case?

Mr. Colm Kincaid

If the country is operating the instant payments mechanism, yes.

All European countries operate instant payments. Is that correct? Here it is only Barclays Bank that operates it and it is for corporate customers and users of prepaid cards from Prepaid Financial Services, PFS. In other countries the percentage of instant payments as a ratio of SEPA payments is as high as 100%, in the case of Slovenia. In Austria it is 64%, in Finland it is 63%, in Estonia it is 60%, and in Latvia it is 56%. We are at the bottom of the pile. We are the fifth-worst country. It is 7% and that is only corporate.

Mr. Colm Kincaid

In respect of that element of SEPA, the Deputy is correct.

This was brought in back in 2017 to make life easy. I have experience of having to pay suppliers from my involvement in a community group. In this day and age, we are having to take a screenshot to show we have made a payment and send the screenshot to the supplier via WhatsApp, all because the banks here do not operate instant payments.

As I have said, what other banks have done in all those other countries is operate instant payments. There are 220,000 banks, none of which are in Ireland and, therefore, if someone is paying a supplier, he or she is not able to see that it is actually in the bank account. That has been the case since 2017. What is the Central Bank doing from a consumer point of view? Would it not ask them whether they would be better off investing in technology to apply instant payments, which banks across the EU are doing, instead of spending their profits on share buybacks or increased dividends for their shareholders?

Mr. Colm Kincaid

We have seen a significant improvement in the digital capacity for payments for consumers in Ireland. The Deputy is correct that the instant payments element, which is not mandatory as things stand under the framework but is being made mandatory by the legislation, is not a feature that has been implemented by Irish banks in this system. That is the truth. However, I do not think it would be correct either to say that we have not seen significant digital functionality being provided for consumers in Ireland-----

I am not disputing that. However, we have also seen botched attempts by banks, which came together to try to do an instant payment app just between themselves. I am sure they spent a lot of money, although I am not sure what the total was. Why did they not just plug into SEPA instant payments, which are available across the European Union? Am I correct that Revolut offers instant payments?

Mr. Colm Kincaid

I do not know if Revolut operates that outside of this jurisdiction. I do not know the answer to that question.

I only raise this issue because Mr. Kincaid raised the issue of instant payments. There are rules relating to authorised push payment, APP, fraud, instant payments and so on, but it is pointless for us because the volume of transactions is so low. The transactions are very much taking place in corporate areas.

I turn to the Central Bank's advertisement campaign online. Was it last year that it had the campaign on fraud?

Mr. Colm Kincaid

Yes, we still have information available on our website but the specific campaign was over the course of last year.

It was an online public awareness campaign entitled, "How can I protect myself from financial services scams?" How did the Central Bank promote that? What platforms did it promote that on?

Mr. Colm Kincaid

We used a range of social media platforms, Twitter feeds and our own social media channels to do so. That included both paid advertising and non-paid social media channels.

How much paid advertising did the organisation use?

Mr. Colm Kincaid

I believe the figure was in the region of €100,000.

Does Mr. Kincaid have any concern that the same companies the Central Bank is paying to carry their public awareness campaign, "How can I protect myself from financial services scams?", are actually benefiting from the financial scammers? The Central Bank paid €100,000 to online platforms. I commend the bank on its initiative regarding the scams they are trying to alert people about, yet the scammers are paying the exact same companies money to host the scams. Does Mr. Kincaid have any concerns about that issue?

Mr. Colm Kincaid

I am glad the Deputy raised that issue. This is a very strong view we have and it speaks to the agenda issue of APP fraud, for example. Some 80% of this fraud begins with an online advertisement. If we are talking about places to put checks in the system and ways to prevent, with prevention being the best thing we can do in respect of that type of fraud and others, we hold the view that social media companies, Internet service providers and communications companies have a significant role to play in this, as well as the banking and payments sector, and our own role as a regulator. We are definitely of the view that they have a very significant role to play. Nevertheless, the Deputy will understand that for us to get a message across to consumers that we want to help, we have to get to those consumers in the places where they are interacting, and indeed the places where they may actually fall prey to some of these scams. Like others, we have done that online.

As I said, I commend the Central Bank on the public awareness campaign. We will need a lot more of them as these frauds become more sophisticated and develop over time, as we know has been happening. However, there is a serious issue with paying them. These companies are having it both ways. They are getting paid by the authorities who are trying to protect people and they are benefiting from the scammers.

I was quite taken aback by some of the information the banks gave us, which is that their communications with the social media companies are the same communications that I can have, or that any member of the public can have. They do not have any direct contact with them when they see scam advertisements. They use the same alert buttons. If I go on to my Facebook page and see a post, I can report the post. That is the access that our main financial institutions have. They explained to us that when they do this, a message usually comes back to say that the advertisement did not breach any of the platform's terms and conditions and so on. Does the Central Bank have a level of engagement with the social media companies that goes beyond that in relation to the issues of their platforming what is a criminal activity at the end of the day?

Mr. Colm Kincaid

We do not but we believe, and as I said in my opening remarks, that one of the gaps we see at the moment is that we do not have a whole-of-system, joined-up engagement across the State agencies and others. We cited the example in France. That in itself is not necessarily even as comprehensive as we would wish it to be. We definitely are of the view that the involvement of those technology companies is critical to this. We have a very strong working relationship with ComReg, for example. We had a very strong working relationship with them through issues such as the migration exercise, etc., but, as the Deputy said, in comparison to what we see in the banking and payments sector, there is a need for similar proactivity by the social media and technology companies.

I agree 100% with Mr. Kincaid. I refer to some of the activities and checks they have. I imagine they have some checks, but they are not robust enough if they are taking paid advertisements from scams. Just yesterday, I saw one about Gweedore. They were selling tee-shirts with Gweedore on them. That is my local town. Somebody posted underneath it saying, "Don't go near this; this is a scam". Obviously, that is the type of technology they have. I am sure there is one for Clonmel and everywhere else. However, social media platforms are allowing this to take place.

We know the dual role the Central Bank has. It has a consumer protection role. We have heard from the banks and we have heard from the Central Bank about the role social media and online platforms need to play, including the likes of Amazon. Would it not be the Central Bank's role from a consumer protection point of view to try to co-ordinate that? Where does Mr. Kincaid believe this role lies? We are hearing that there are silos here. The banks are here, the Central Bank is there and the online platforms are over there. In the middle of all that, more scams are going on, more people are losing money and scams are getting more sophisticated. Does Mr. Kincaid believe that the Central Bank should be co-ordinating and calling a forum together with social media companies, the Department, the authorities and the banks to say that we have a problem and ask if we can come together? That would be a logical step. Where does Mr. Kincaid see that role? Is that a departmental role? It has to happen. I imagine it would come from the Central Bank.

Mr. Colm Kincaid

I would say 100% that we have a leadership and co-ordination role to play in it. We discharge that through our engagements with the Department and the BPFI and the supervision of the entities we regulate. We have a retail payments forum where, within the context of payments, we look to have that co-ordination through bringing in users of payments. When we speak about APP fraud, and indeed payment fraud more generally, the issue is that the other commercial actors are not in the regulated payments sector. They are the other firms that we have been speaking about but insofar as we are talking about activity within the payments system and the safety of the payments system, the Central Bank 100% has a leadership and central role to play in that.

In talking about a wider need for co-ordination, I do not in any way seek to dilute the role we have to play in banking and payments. However, with regard to fraud, there are other actors outside of the banking payment sector that we need to bring in as well.

I understand. That needs to happen with a bit of urgency and pace. Let us look at the scam that is probably the most costly to the victim, which is the investment scam. We have seen the stats that they have been increasing since 2019. We know that in some cases, people have lost more than €100,000 on them. We heard from the Garda, who gave an example of a civil servant who put their lump-sum pension payment into an investment scam. These can be very sophisticated. People who are well educated and aware can fall victim to these scams. We know that they originate on social media platforms in many cases. What role does the Central Bank have with regard to the advertisement of an investment vehicle that is not authorised?

Mr. Colm Kincaid

One area in respect of which we have been especially proactive is that relating to people holding themselves out in the public domain as being regulated by the Central Bank when they are not. We published 112 warning notices last year. This was up from the previous year. The figure continues to go up year on year. We engage closely with An Garda Síochána around those cases. Insofar as the issue at stake is a firm holding itself out as being regulated by the Central Bank or carrying on activities that are regulated by the Central Bank but without authorisation, we have a clear role to play in terms of identifying that, bringing it to an end, issuing a public warning notice and engaging with An Garda Síochána on it. As I said, we published 112 warning notices last year.

What if they do not claim to be regulated by the Central Bank? Is it not the case that-----

Mr. Colm Kincaid

Excuse me. If they were describing themselves as carrying on a service that is regulated by the Central Bank, they would require authorisation to do so. Not all financial or investment activity will necessarily be regulated by the Central Bank. I am sure the Deputy knows this, but for the benefit of the record, certain types of investment activity may not be regulated by the Central Bank. The instrument involved may not be a regulated financial instrument, for example. To be clear, in respect of any actor holding themselves out publicly as carrying on a service that requires Central Bank authorisation, we will look to see that activity brought to an end, we will publish a warning notice on it to the public and we will engage with An Garda Síochána. One of the key trends we see is what we call cloning, that is, cases of firms holding themselves out as if they are regulated entities with the names of existing regulated entities.

We know that these originate on online platforms. We understand that not all investment is regulated. However, at least some of these scams - many of them - would fall under regulated activity. What engagement does the Central Bank have with the social media companies and online platforms on the checks they need to put in place for hosting activity that is not only illegal but needs to be regulated by the Central Bank? What safeguards or checks has the Central Bank in place? We are seeing people lose large amounts of money. There is big money at stake. People's savings are being wiped out. I imagine that the Central Bank should tell those putting up ads for investment products that it is responsible for regulating a large number of those products. What rules does the bank have in place to make sure that those investment products are legitimate? What checks are in place to make sure that activity of this sort is regulated by the Central Bank? Has any of that happened? It is too late when the horse has bolted and the damage is done. The Central Bank put up a warning for other people not to fall victim. However, the key has to be prevention. What, if any-----

Mr. Colm Kincaid

Our approach to unauthorised provision of services is a proactive supervisory approach of scanning to see what activity is taking place, finding it and bringing it to an end. We do not only do this if someone brings to our attention that they unfortunately have been the victim of a fraud, just to be clear about the modality of how we work. Our focus is on making sure that the unauthorised activity is brought to an end. To be straight with the committee, we do not regulate Internet service providers, media companies or entities other than the firms that we regulate. Responsibility in that regard sits with another agency. We do not have a role in supervising or regulating the systems and controls of online and social media companies. I understand the merits and logic of the Deputy’s point, but our focus lies in ensuring that wherever it is - if it is in a newspaper ad, as it sometimes is, a magazine, a brochure, which it sometimes is, or if it is online - engaging with whoever is publishing that material to get it taken away. Most importantly, however, although it can be difficult online, we try to identify those behind the activity. We engage with An Garda Síochána around that because it is criminal activity.

I do not expect the Central Bank to regulate the social media companies. Nobody is suggesting that. However, the Central Bank has adopted a silo approach to this matter. That needs to change. It is doing exactly what is set down in the context of its job and its role. It is scanning, looking, identifying and all the rest, but there could be a logical step, which would be to acknowledge that what I refer to is happening and so on. It is like the Garda stating that its job is to detect crime and all the rest, but it is also a garda’s job to go to the local supermarket if they think it is not safe and talk to the owner about having proper locks, alarms and so on. That happens with community policing. However, it is not happening from the Central Bank’s point of view. I do not hear that there are any conversations with online platforms asking if they have proper, robust procedures because it knows that there is regulated activity taking place on their platforms that is unlawful. Those conversations should be happening at a high level. I do not think that they are; I have no evidence that they are. I would imagine, given the fact that victims are losing millions of euro, that our governor and the CEOs of some of these should have round-table discussions.

Mr. Colm Kincaid

That is a fair observation. I will not argue with it. I am describing our supervisory approach to, as the Deputy said, discharging the specific role that we have to discharge, which we look to do as robustly and forthrightly as we possibly can. I mentioned earlier the gap in respect of fraud more generally in terms of engagement by the technology companies into the process. The Deputy's observations on engaging with them around their systems and controls are fair.

With the modules, the committee is trying to hear from all different groups - the Department of Justice, the Department of Finance, the Central Bank, the Garda, the banks and the payments. I think every single person and every one of those groups wants the same thing that we do. We do not have a strategy, which is the problem. The Government does not have an economic crime strategy. The problem is the Central Bank is doing exactly what it is being asked to do, as are banks, but we do not have a joined-up strategy that pools everybody together to co-operate on that. Hopefully, some of the Commission’s proposals will help us along the way with shared databases and so on.

On social media, it is not part of the Commission’s proposal, but in Britain, social media or online platforms that take paid advertisements also have a responsibility to compensate victims. Does the Central Bank have a view on that?

Mr. Colm Kincaid

If I recall correctly from the Commission’s report, it flags this as an area that it will keep an eye on. It said towards the end of the section about its reforms that there could be cases where the companies the Deputy is referring to may be liable as well. The view we have is the one I expressed in the opening statement, which is that we think the whole discussion around liability, especially when we talk about liability as an incentive to change behaviour, needs to involve all of the commercial actors involved, which includes the companies we have been referring to as well as banking and payments firms. That is our policy view.

This is a good time to be having the discussion. We have the Commission proposals. We can now see the shape of the European framework on authorised push-payment fraud and liability specifically, something for which I know the Deputy has advocated strongly. Now is the right time for Ireland to consider our policy view of that. Do we believe the European Commission proposals go far enough? Should they go further? Should we advocate for that at a European level? Should we look at domestic measures etc.? Our policy view is that now is the time to be having that conversation, not just looking at the payment firms at the centre of the payments transactions, but actually looking at all the commercial actors involved, recognising, as I said, the very powerful statistic that 80% of authorised push-payment fraud started its life as an online ad.

The Commission is also proposing the confirmation of pay. I have been raising this matter for over a year now. Britain already has it. I think the Netherlands already has it. It makes sense. It is just a check on the IBAN, so that if someone is sending money to a particular number, it actually is Pearse Doherty, Johnny McGuirk or whoever it is. It seems to be effective. Obviously, the Commission is proposing it. Mr. Kincaid mentioned that in his opening statement. Does he see benefit in that being introduced here prior to the Commission's implementation because the Commission's proposals could take years to implement? Would there be a benefit to implement it domestically in advance of the Commission's regulation taking effect? If so, would that require legislation?

Mr. Colm Kincaid

I definitely see a benefit in considering that at this stage. I say considering because it is not a total solution even to authorised push-payment fraud. As everybody will be aware, it is very effective for certain types of push-payment fraud. There has been some commentary publicly in the Netherlands. It depends on how it is introduced and how it is introduced alongside other methods. As the Deputy has mentioned the Commission's proposals and the possibility of implementing things here ahead of time, perhaps Mr. Casey might like to comment.

Mr. Patrick Casey

One step will not solve this; there are a number of layers to it. The Deputy mentioned the urgency of a whole-of-system approach. The industry in Ireland has called for discussion on developing a fraud database. It was very much a feature of the discussion that took place with Banking & Payments Federation Ireland, BPFI. It has been advocated for strongly and the Department of Justice is working on legislation.

There is the whole question of broader consumer awareness of the big challenge that has been presented by authorised push-payment fraud and the role of social engineering. We are all receiving spurious text messages and being bombarded with An Post messages about articles we have not ordered and so on. I think Commissioner McGuinness has been talking about the importance of education on this area from a Commission standpoint. It aligns with our national financial literacy strategy which is being developed by colleagues in the Competition and Consumer Protection Commission, CCPC.

Customer authentication is another important facet of the systems and controls on the firms' side of things. There are parallels with the IBAN crosscheck. Mr. Kincaid mentioned the implementation of the IBAN crosscheck in the Netherlands. There were some initial teething problems. When at first glance the check did not go through, people would proceed with transactions and ignore the check because they just thought it was down to teething issues and so on. It may be that it is not an instant panacea and certainly would not be on its own. Ultimately, because the bad actors in the system are manipulating victims, it is possible that consumers will proceed even when there is a match with what they have been manipulated to do, or that they will ignore the warning of a mismatch. Notwithstanding that, for instance, the account does not appear to be the name that they anticipated it being, they may well proceed with the transaction. Both those features are flagged by the Commission.

Certainly, the Netherlands case is interesting. With the implementation of IBAN crosscheck, we cannot have that siloed individual entity concept that the Deputy mentioned. We need that thinking across the system because, as with strong customer authentication, SCA, we need to try to get everyone on the same page. There is a co-ordination element to that.

I am interested in the comments the Deputy made about the national financial crime strategy. The Hamilton report commissioned by the Department of Justice in 2020 flagged much of this co-ordination-type discussion on information sharing. We need to accept that we are slow in this area and the system needs to catch up quickly to get to grips with what is happening. Mr. Kincaid mentioned the French model. They have developed an observatory for security of payment mechanisms and means under legislation in France. Although I do not believe the social media companies are participants in that forum, nonetheless they have done considerable work and brought much of the thinking forward on that. It is worth looking at their recommendations in this area.

Mr. Colm Kincaid

Mr. Casey mentioned the French arrangement. It is interesting to see how they have framed their proposal on IBAN matching. They have asked that the French payment service providers be encouraged to be proactive in exploring the possibility of promptly implementing a pay-confirmation mechanism in line with the European Commission's proposals. They have framed it as something to be explored and they have encouraged them to do so. We would be in the same position.

My colleagues will be picking up on some of that. In discussing authorised push-payment fraud and the level of reimbursement, we do not really have accurate data across the financial system. We rely on the data we get from the BPFI which comes from individual banks which have different strategies. This might be a question for the Central Bank. The three main lenders all have a different approach when reporting fraud to the Garda. Bank of Ireland reports everything. AIB only reports the bits it is liable for. That is crazy and does not make any sense whatsoever. I would ask the Central Bank, as regulator of those banks, to pick up on that and get a common approach. It speaks to what Mr. Casey said; there is no common system and joined-up thinking.

In Britain, the Payment Systems Regulator collects all the data on authorised push-payment frauds and the amount of compensation paid under the voluntary code operated by ten of the main financial institutions. It has accurate data there. Is there a role for the Central Bank to collect those data as opposed to this committee or society in general having to rely on each individual financial institution to provide information to the BPFI which, in fairness, has taken many initiatives on this? For me, the biggest problem is that people are not working together and there are some other frustrations. Should the Central Bank collect and publish the data so that we can see the trends?

Mr. Colm Kincaid

As things stand, we operate within a European statistical reporting mechanism on this. Under the payment services directive, PSD, legislation that information is collected, gathered by the Central Bank and passed to the ECB. I believe we can bring more transparency in this area and we will look to do so.

Does the Central Bank have all the data?

Mr. Colm Kincaid

When we say the data, specified data are gathered under the PSD and collated with a taxonomy set out at a European level. One of the challenges of authorised push-payment fraud is that it is a sort of banking, financial industry or common parlance concept that does not necessarily map very specifically into the existing taxonomy at European level. Therefore, it is difficult to distil it down. We have done some work looking at the data and the material from the BPFI, which would give us confidence in what the committee has heard. One of the things I wanted to check before we came here today was if it tallies as best we can with the data we have and I think it does.

That should give confidence to the information, to give credit to Banking and Payments Federation Ireland, BPFI.

We also have our own supervisory engagements with firms, where we can see at a more local level how they are going about reimbursement. They all have detailed policies in place, including for APP fraud. They all have policies in place for whether and when they will provide compensation to a customer, notwithstanding there is no liability at EU level, whether that is because of extenuating circumstances or the vulnerability of the customer. I hope I have been very clear, in our opening statement, that in any case where part of the loss is down to some failure in the firm's own systems of control, be that delay or otherwise, we expect there to be reimbursement. We see that reimbursement occurring.

I agree with the Deputy. Part of the challenge has been that we have very detailed data - the last publication around payments activity was for the 2021 period - we gather as part of a European system that is fed into the ECB, which is the authority that owns and gathers those data, but it can be quite challenging to move from the cells in that data collection into a topic such as APP fraud at a national level. As part of being in a European system, we also want to see, and are very keen to understand in the context of this debate, the extent to which fraud activity in Ireland involves cross-border activity. We believe that may be one of the key distinctions between, for example, Ireland and the UK. As the Deputy knows, the UK arrangement only applies to intra-UK arrangements. It is quite critical for us to get a handle on the extent to which authorised push payment fraud occurs cross-border, because that could change the policy consideration of what the next steps for Ireland might be.

I welcome our witnesses. I will follow on from one of Deputy Doherty's questions regarding the time-lag. If customers thought a scam was going on at a weekend, for example, when all business is not the same as during the working week, and a payment is made where they are told it will be credited to their account in four or five working days, would it not be more beneficial to customers if it was immediately credited to their accounts - this has been referred to already - so it can be instantly seen that there is a response? Otherwise, a customer might be tempted to believe that somebody had intercepted the payment and it was being held somewhere else. Is that true?

Mr. Colm Kincaid

To be clear, the instant payments mechanism Deputy Doherty referred to is a very particular mechanism used by some firms around Europe and not others. I mentioned the position in Ireland. The time it takes for a payment to go through is not a reflection on the safety of the payment. I am very confident that we have worked very hard in this State and in the EU on a very safe payments mechanism. The Deputy's question was around the risk of interception, if I understood it correctly. That risk should be no greater with the payment mechanisms we are talking about compared with other payment mechanisms.

Mr. Patrick Casey

I thank the Deputy for the question. I will build on what Mr. Kincaid said. It will be all the more challenging when the instant payment mechanism comes in to stop a fraudulent situation from occurring because payments will be moving all the quicker. That will be a real challenge as regards instant payments, hence the importance of tackling this issue upfront with a whole-of-system approach. As things stand with credit transfers, when a separate payment is made domestically, it settles the evening of the following day, giving more time to initiate retrieval of the funds in a fraudulent situation. That is very significant. It goes to the Deputy's point about having that bit of a gap to realise after the payment has gone. There is at least a chance of responding, particularly in the working week. That has been a feature of the recovery levels within firms.

The broader issue is that of balance between convenience to the consumer, the reduced execution times people want, which were spoken about, and the importance of that from a consumer benefit perspective, versus the resilience, safety and security of the payments system, which we referenced, and wanting to deliver on that at the same time. Both those challenges are difficult. The pick-up in figures in the UK for authorised payment fraud has been substantial because the UK introduced its equivalent of instant payments, known as faster payments, at an earlier point in the cycle than we have. Such fraud is a much more prevalent problem in the UK.

The other challenge to highlight is all of this is taking place when technology is changing very quickly, particularly in respect of mobile phones. Social engineering is having such an influence in people's lives, especially since the Covid period. That can be seen in the nature of how fraud is taking place. It used to be unauthorised payment fraud but authorised payment fraud is becoming much more of a feature because of the influence of fraudsters.

If I make a payment to somebody anywhere in Europe this evening, it is gone out of my account instantly. It is gone five or ten minutes later. In three, four or five days, the person to whom the payment was made has got it in his or her account. Where was it in the intervening period?

Mr. Colm Kincaid

The money is held within the regulated payments and settlements system. Throughout whichever system is being used, whether it is instant payments, which Mr. Casey referred to, or any other system, it is transacted and settled within the regulated payment system. A settlement process is used-----

I know that. To assuage my conscience - I have a conscience sometimes - I would like to be sure, if it is not in my account or in the account of the person to whom I made the payment, whose account it is in. It used to be a clearing house, once upon a time, although I am not sure it was in that account either. Who has the use of that money? It is not accounted for in either place. It has gone from my account. The receiving account does not get it for four days. If there is a bank holiday in the meantime, it would be more in working days.

Mr. Colm Kincaid

It is held in the regulated payments system by the payments service, as far as your-----

What is the regulated payments system? Does a custodial system exist where the payment goes into that system and stays there without penalty or payment?

Mr. Colm Kincaid

Within the corresponding banks involved in the transaction, and we also have non-bank payment service providers, such as payment institutions and e-money institutions, depending a little on the specific commercial arrangements those banks have, it will be held within the corresponding banking system that the customer's bank is using to transfer that money to another entity. That is where that money is held within the system.

If interest is payable on the money or any kind of penalty arising from late payment, for example, or benefit in some other way, who gets it? I presume the bank does.

Mr. Colm Kincaid

It is correct to say that the banking system has use of people's money, while their money is deposited in that system. That is true to say. They will have use of that system within the settlement period.

It is not much use talking about it now but in the old system, if you walked into a bank with €10,000 or €20,000, or cheques or assorted moneys and so on, lodged it and looked at the account afterwards, it was three or four days before it was credited to your account. Mr. Kincaid has answered my question. In the meantime, the bank had use of it.

Mr. Colm Kincaid

That is how the banking system works.

That is right. I agree with Mr. Kincaid that is how it works but that is not how it should work. With modern technology and everything else, it would be a major convenience to the person making and receiving the payment if there could be an immediate response. Mr. Kincaid said that system and its safeguards are more difficult to operate.

I would be happier with a system that showed the time from the exit from account A until receipt in account B, whether it was ten minutes, 20 minutes or half an hour. Knowing that period is important in detecting fraud.

Mr. Colm Kincaid

I agree with the Deputy. I mentioned speed and innovation. In this regard, we are seeing settlement times come down and payments become faster through the technology being used now. As the Deputy said, several firms around Europe have introduced instant payments. Speed carries the risk of fraud. If my memory serves me correctly, in excess of 90%, and maybe as much as 97%, of the authorised push payment fraud in the UK is through its faster payments system, because fraudsters prey on that. We are constantly working to make the systems faster and more convenient but also trying to build in the protections to ensure the fraudsters who seek to capitalise on our doing so cannot do so. On the Deputy’s point on making payments more swift and convenient for people, we want to see the payments system deliver increasingly for people in this regard over time.

I am glad to see that coming about. It could not come quickly enough.

I used to be able to operate the online banking system very well and knew where everything was. I am finding it difficult as time goes on. More obstacles are put in the way. You have to have a telephone, for example. If you have two accounts, you have to have a second telephone to receive the approval message from the bank, depending on which bank it is. I refer to making a payment from your own account to some other bank by way of credit transfer or other means. I hope it will be possible to make life less complicated. Carrying out a transaction late on a Friday night, when everyone is tired, is not the same as doing so on a Monday morning or any other morning, when the person making the payment is not so tired. In this business, there is a big difference between 6 a.m. and 11 p.m., 12 midnight or 1 o’clock the following morning. I welcome the speedier system.

How does the instant payment system make it easier for the fraudster unless he or she has access to the system already and is lying in wait to trap payments on their way?

Mr. Colm Kincaid

The issue with authorised push payment fraud is that it is not a case of the fraudster intervening within the transaction to steal the money as it is in transit; it is a question of the fraudster manipulating the victim to convince them to make a payment to him on a false pretence, either by pretending to be someone he is not or by convincing the victim to make a payment for goods that will never be provided, for example. We very much expect firms in Ireland to trace the money once it has gone through. They all have policies for doing this. What fraudsters prefer about the instant payments mechanism is that the money is moved much more quickly through the system, meaning they can layer it very quickly through a series of transactions.

Deputy Bernard J. Durkan took the Chair.

I want to return to the economic crime strategy. We were looking at the French model but I am sure there are others. Who should lead the strategy here? It seems many things are being done but we need somebody to bring everything together to have a co-ordinated plan, as outlined in the Hamilton report. I am referring to the interagency co-ordination, collaboration and a clear cross-Government financial crime strategy. Does Mr. Kincaid envisage the Department of Finance leading it?

Mr. Colm Kincaid

I would be slow in giving jobs to others but the Central Bank will certainly play its role. To go back to what I said about where we are in the process right now, we have a set of proposals from the European Commission. We now have to have a policy discussion on what system we want in Ireland, on all aspects of the front and all the pertinent points Members made over the course of this discussion. There is a policy element to this that speaks of the Government being involved. There are definitely things the Central Bank and other regulators can do in executing. We have a very strong working relationship with ComReg, for example. I take on board the feedback from Deputy Doherty on engagement with social media companies. When it comes to policy, issues like compensation and the question of whether we should have a regime different from that of the EU, it speaks of some level of Government involvement. I cannot say which Department would organise that or how the Government would do so.

Is Mr. Kincaid saying France has an economic crime strategy? Who leads such strategies in other countries? Have we a model to go on?

Mr. Colm Kincaid

The French model is a very good example of a model involving co-operation and co-ordination among those in the payments sector, ombudsmen, law enforcement authorities and others.

I am trying to get at who leads it.

Mr. Colm Kincaid

I believe it is led by Banque de France.

The central bank in France. If the strategy is led by the central bank in France, why should the Central Bank of Ireland not be leading it here?

Mr. Colm Kincaid

We have a retail payments forum ourselves. We can lead an element of it, but it is different once one goes beyond the entities we regulate, including the social media companies, and the sorts of policy questions we have before us. For example, I have referred to the recommendation by the French Observatory for the Security of Payment Means on IBAN matching and so forth. The committee has quite rightly raised a policy question as to whether we should go that far.

I am trying to know more about who pulls all this together. Mr. Kincaid is saying the central bank in France pulls it all together. I am trying to be clear on why the Irish Central Bank would not do something similar if it works.

Mr. Colm Kincaid

I think there is merit to having an approach even broader than the one in France. We certainly can engage with, and lead the engagement we have with, the payments sector but I believe it would be better to have broader engagement involving other sectors and agencies. The Central Bank would play its part in that.

In France, do the authorities engage with the social media companies? What does that engagement look like?

Mr. Colm Kincaid

I believe the social media companies are not a party to the French arrangement.

It is very hard to have a crime strategy without having the social media companies involved.

Mr. Colm Kincaid

Forgive me if I have misled the Deputy but I do not believe the French observatory that I mentioned is the leader of the crime strategy in the state. It entails a co-ordination arrangement around payments in particular, but it is an example of the sort of joined-up approach that could be taken.

What is the Irish Central Bank not doing that is being done by central banks in other countries? What does the Irish Central Bank aspire to do to fill the gaps?

Mr. Colm Kincaid

We have been very involved in the discussions and work of the European Banking Authority. It made a series of recommendations for the Commission and had an input into its work. The Commission has digested them and they are now featured in its policy proposals. We have been very active in the policy discussion and have very strong engagement with Banking & Payments Federation Ireland, the firms we regulate and the State agencies. Now that we have the policy proposals at EU level, there is a wider policy discussion to be had within the State as to what we want our approach to be. Regarding our ambition for where we go from here, we can of course continue to do the work we are doing under our particular remit, and we will. We have a retail payments forum ourselves but that is within the remit we have.

Is there a wider remit for the Central Bank?

As this evolves, will the Central Bank continue to do what it is doing or is there something wider it can do, given the resources?

Mr. Colm Kincaid

We can always do more and we always stand ready to do more on any of these issues. We stand ready to play our part in any wider Government or national initiative around economic crime or payments fraud more generally.

Is Mr. Kincaid concerned-----

Mr. Colm Kincaid

When we look at the topic of authorised push payment fraud in particular, given the strong presence of electronic communications and online activity in it, one is swimming up-current if one does not try to deal with that. The Central Bank will play its role and will always deliver any statutory function assigned to it. However, it is important that we also look at the other commercial actors that are involved.

Is Mr. Kincaid concerned about the lack of urgency from the Government in dealing with it and in having that economic statute, especially with the advances in artificial intelligence, AI, and the possibilities around the expansion of fraud as AI develops?

Mr. Colm Kincaid

First, in relation to AI, one of the things we have seen the firms we regulate do is put investment programmes in place to try to improve their systems and processes to deal with the challenges of AI, such as the increased sophistication of fraud and so on. As I said, we now see a need to have a wider policy discussion. The various arms of the Government have been engaged on the issue. The Department of Finance has been engaged through its work and will be engaged through the negotiation process at a European Union level. Having a strong and well thought-through economic crime policy in this area is critical, especially as regards authorised push payment fraud, given the particular nature of it. Until we have a more joined-up approach across all the agencies and clarity of policy around some of these issues, it will be difficult to co-ordinate. As Deputy Doherty stated, all the actors want to co-ordinate. I will give an example in the area of compensation we have been discussing. It is a question of reallocating cost in society. We see that as something that needs a legislative input. How to do it is a legislative consideration.

The Central Bank has communicated the urgency of all this to the Department of Finance and the Government.

Mr. Colm Kincaid

Yes, we are engaged with the Department of Finance on all these issues.

I am concerned about the lack of urgency because we are slow with this. We are not ahead of the curve.

Mr. Colm Kincaid

Mr. Casey has reminded me of an additional point about AI. He will speak about it.

Mr. Patrick Casey

The Deputy mentioned it. As with all technologies, there are benefits and risks or pluses and minuses. Reading on the topic of push payment, APP, fraud, it is clear that machine learning and artificial intelligence have an important role to play. They could be a powerful tool on the prevention side, in detection of patterns of behaviour. The things that would be time-consuming for a human to trace could be detected in a much faster way by machines that have learned. They could spot patterns. That is the hope. Equally, we have the issue of bad actors getting their hands on AI and machine learning, in time, and using ever more sophisticated frauds against consumers and preying on consumer vulnerabilities and behaviours, as we have seen with APP fraud, which is a terrible development.

Does the Central Bank have capacity to use AI in a positive way? As Mr. Casey said, it will take some of the work out, but personnel are needed to do the human side, once the information is available. That is why we need a co-ordinated strategy. When we have the fuller and quicker information, what do we do with it and how do we ensure we use it in a co-ordinated way to protect consumers?

Mr. Patrick Casey

AI is a tool for regulators and supervisors. We deal with fraud emerging day on day and regulation needs to look to the future to ensure it evolves as fraud evolves. Mr. Kincaid mentioned earlier the importance of firms being proactive in evolving their systems and controls to meet the fraud risks of tomorrow and keeping up with it.

On that, Mr. Casey correctly stated that the Central Bank has repeated its expectations of the firms it regulates as regards effective measures to mitigate the risk of fraud. They must be proactive in identifying and dealing with cases of fraud and engaging effectively with consumers. How does the Central Bank measure that? If firms do not do so, are there sanctions? What measurement does the Central Bank use to ensure it is done?

Mr. Colm Kincaid

I will ask Mr. Murphy to speak about that in a moment. Mr. Casey has the relevant policy and Mr. Murphy has the task of supervising what the Deputy is asking about. One of the reasons we take the approach of setting specific expectations is that we want to see firms being proactive and responsive, as Mr. Casey said. We do not see minimum compliance with the basic requirements of the legislation as being all that is required of the firms. I ask Mr. Murphy to speak about setting those expectations and what we are seeing in the firms as regards their investment.

How does the Central Bank satisfy itself that there is uniformity in the implementation of its expectations?

Mr. Wesley Murphy

It is a case of setting the expectations first and being clear about them. Fraud is a key risk which applies across all firms. It is a risk to the system, to the firms as regards their resilience and to consumers. We do a sectoral risk assessment. We look at the key risks. We look at ourselves and how we try to measure and size the risks. We communicate this to the firms along with our expectations described by Mr. Kincaid. We expect firms to have effective measures in place to deal with the risks. To answer the question directly, we engage with the firms and ask them how they have done it. We carry out thematic reviews looking across firms, across different sectors we regulate or at an individual firm. We might do a targeted inspection. Across fraud it has taken some time to implement the frameworks for the payment services directive. Much of it has come from the EU. Firms have been implementing it, largely based on our guidance and what we measure. They have put in place fraud teams that deal with fraud generally and are trained to deal with APP fraud, which is the issue we are talking about. We look at each case on a case-by-case basis, engage with An Garda Síochána and recall the payments. Some of the measures of success are the quantitative factors we look at, such as the number of complaints made by consumers directly to the Central Bank and those that come in through the ombudsman when he takes decisions. We see the system as working if there are minimal complaints. We see reduced fraud measures through the data Deputy Doherty mentioned earlier, which the Banking and Payments Federation of Ireland published. We are seeing reduced instances of fraud which means that the measures the banks are taking are effective to some extent. As the Deputy said, they are not-----

Does that not pick up the differences in how the banks are reporting to An Garda Síochána? I am trying to get at the uniformity of approach in reporting and data.

Mr. Wesley Murphy

There are different elements of uniformity. We are responsible for supervising elements that are set out in regulations. We supervise implementation of the regulatory framework.

In this instance, a key one is the payment services directive and the payment services regulations and reporting requirements around that. A lot of the work we have been doing with the banks and the other payment institutions over the past few years involves seeking that consistency because it takes time. It is an iterative process involving how firms are measuring and monitoring it. We go out with guidance to the firms.

In terms of the reporting to An Garda Síochána, it has appeared before this committee. An Garda Síochána needs to be comfortable it is receiving notices of all instances of fraud, be it by the consumer or the bank. We expect the bank to inform An Garda Síochána if the consumer has not done so.

If the banks do not do that, as we have found, what does the Central Bank do?

Mr. Wesley Murphy

If we are aware the banks have not informed An Garda Síochána, and the consumer has not done so either, we would give guidance to the-----

The Central Bank would be aware of it from the committee, in terms of the responses we have received from the banks that there is an inconsistency there, so that gives rise to the Central Bank going to those banks telling them what it expects them to do.

Mr. Wesley Murphy

It is something we have been looking at. Reporting to An Garda Síochána is one element. There are other inconsistencies in terms of reporting on websites being transparent on what the firms are reporting to consumers. There is not a lot of transparency there so there are other elements we are engaging with the firms on in terms of better consistency. That is something we are aware of and are working with the firms on.

Mr. Colm Kincaid

Our supervisory approach is to constantly target areas where we think improvements can be made. All across industries and practices on any given issue, there will be areas where we want to see improvements. Reporting and the manner of reporting are matters we will take up with An Garda Síochána. We will, to some extent, take its lead because the important thing is that the information gets to An Garda Síochána. If An Garda Síochána is happy with a particular form of reporting and is satisfied it is getting the information it needs, we do not have a particularly strong view about how it is done. It is not provided for. The justice legislation is a bit loose on how some of the modalities of this work so that is an area we have targeted. There are others. We are always facing that challenge.

When the Deputy talks about consistency, we would like to see consistency but we would like to see consistency in best practice. Sometimes it takes time for best practice to be found. What we sometimes find is that we need to understand the position on the ground, which is what Mr. Murphy's team spent time doing, because you want to understand what the best approach is and then get consistency around that. We sometimes find that enforced consistency becomes the lowest common denominator. We would have seen the interventions by the Central Bank on the supervisory side to get firms the necessary investment in their technology and fault prevention mechanisms. Some firms have done more than others. They are taking different approaches and have different forms of alerts for consumers. One could step in and say that we want them all doing the same thing all the time but sometimes there is a benefit in firms taking differentiated approaches. Reporting to An Garda Síochána may not be a good example of it. What we want to see is that firms have a strong and plausible answer for us as to how they are meeting the expectations we have set in the standard we require them to work to. Mr. Murphy and his team will hold them to that sort of peer analysis. I hope that paints the picture.

It is the Central Bank's responsibility to ensure they do fulfil those expectations. We talk about AI but we do not have a shared fraud database to combat fraud. Britain has the shared fraud database while the Netherlands has the Transaction Monitoring Netherlands initiative, which maps the networks of the linked fraudulent accounts. Has the Central Bank had contact with the Department of Justice on the development of the shared information database between the payment system providers and the State agencies?

Mr. Patrick Casey

No. The straight answer is that we have not had contact with the Department of Justice. We have been monitoring discussions with interest. There was a discussion with this committee involving the banking and payments industry, which is a strong advocate of the introduction of the mandate so it can share information. We recognise the legal constraints until that legislation is in place. My understanding is that it is forthcoming. It has been in the offing for a period of time. That is the crucial missing gap in the framework domestically to enable Ireland's equivalent of a shared fraud database. Clearly it is very important that people are able to share information, particularly financial institutions and service providers, regarding the bad actors they have come across in the system and the challenge connected with the type of APP frauds and the different types we have seen.

The Central Bank must be concerned or at least disappointed about the lack of urgency around establishing the shared database.

Mr. Colm Kincaid

We want to see progress made. Our primary interface with Departments is with the Department of Finance. That is our day-to-day engagement. On occasion, we engage proactively with other Departments. As Mr. Casey outlined, work by the Department of Justice is under way. We want to see that work progress but it is under way. In our work through the European Banking Authority, we have been part of making the recommendations to the Commission, which now include recommendations for reform at EU level to enable clarity around the ability to share fraud-related information under the GDPR. The Deputy's question concerned proactivity and how we are expressing our views. We have engagements with the Department of Finance and have been engaged at European level through the European Banking Authority.

It is very important that the Central Bank engages with the Department of Justice as well at an early stage. I am not telling Mr. Kincaid how to do his job but because the Department of Justice will have a key role in this, it is very important that either the Central Bank engages with the Department or the Department engages with the Central Bank.

The witnesses said the Central Bank has good communications and a good relationship with ComReg. Never a day goes by without getting a text message, for example, asking you to send money to your kids or a text saying your friend is in a spot of bother. What is ComReg doing to stop those text messages? At one time, it used to be a text message from a foreign country but now those messages are coming via 087, 086, 089 or 083 numbers.

Mr. Colm Kincaid

I am not equipped to speak authoritatively about ComReg's activity. I know it has been proactive and has had some success around some of those matters in engaging with the entities with which it engages. We engage with it where there is a crossover with us. We have a good working relationship with it. In terms of speaking to its activity in the context of its remit, I know it has taken steps and has some successes. It has a challenging task on its hands. I do not know if it would be right for me to try to give the Deputy a summary of what it has done in terms of its work programme.

I was wondering what the good relationship with ComReg looks like in that instance.

Mr. Patrick Casey

I engaged with ComReg a number of months ago on this topic. Based on my understanding at the time, ComReg traced phone calls of a fraudulent nature and was able to block those through the telephone companies and engagement with payment service providers. Text messages were more challenging because they can come through a chain from a foreign country. The text can still present as being an Irish text. From a technological perspective, the blocking of that has proved to be more challenging because of the chain and the capacity to block its source and the break in the chain.

A number of months ago, we were involved with putting ComReg in touch with a number of the retail banks to try to look at that matter, which has proven to be a challenge.

Yes, because obviously you get the text and then you have to take the money from the bank or whatever to send it on. That is probably more for ComReg as to how it is capturing it, the data that are available around that, how many they have blocked and how many are still in existence.

Where the Central Bank has reported patterns of fraud to An Garda Síochána, does the bank follow through to see how many prosecutions have been successful?

Mr. Colm Kincaid

When we make a report to An Garda Síochána, obviously that is passing the matter of criminal investigation to them. The force has its own challenges on resourcing prioritisation it must go through. We work with An Garda Síochána to support any criminal investigation or prosecution activity it follows through on. This is perhaps a little bit off the topic of authorised push payment fraud specifically, but we have, for example, in the area of market abuse and other types of activity we are concerned about, made our staff available to An Garda Síochána to assist it in its investigation to try to follow through. We have had some successes, which are now in the public domain, in relation to criminal convictions.

I am trying to find examples that are in the public domain to speak to. It may not be generally recognised, but the US CFTC has also called out the Central Bank of Ireland, specifically and publicly, for assistance we gave it on international securities fraud. In the area of the likes of unlicensed activity, particularly for unauthorised activity by what used to be called licensed moneylenders, now high-cost credit providers, we would provide, and have provided on a number of occasions, evidence in court to try to substantiate a Garda investigation.

I do not have a statistical follow-through for the Deputy because it can take a long time for the Garda to go through it. We are also very conscious that the Garda, using its particular skills and powers, will often achieve results that may not necessarily appear on a prosecution statistic. Our primary focus is making sure the activity - the harm - is brought to an end. After that, we work with An Garda Síochána and take its lead as to what it needs from us to pursue any criminal investigation, including making our own staff and resources available to it, if need be, to help it with some of the pressures it can face in this regard.

That concludes our public session for today. I want to thank the officials, our witnesses and the members for their attendance and participation. The joint committee is now adjourned until Wednesday 20 September. In the meantime, have a sunny and comfortable summer holiday. Enjoy it and stay safe.

The joint committee adjourned at 4.33 p.m. until 1.30 p.m. on Wednesday, 20 September 2023.