Financial Services

Dáil Éireann Debate, Tuesday - 14 February 2023

Questions (191)

Pearse Doherty

Question:

191. Deputy Pearse Doherty asked the Minister for Finance if any measures are in place to require payment service providers to reimburse victims of authorised push payment fraud or scams; if any code is in place regarding reimbursement or compensation by payment service providers to victims of authorised push payment fraud or scams; if the Central Bank of Ireland has regulatory powers under legislation to require payment service providers to reimburse or compensate victims of authorised push payment fraud or scams; and if he will make a statement on the matter. [7020/23]

Written answers

The revised Payment Services Directive (2015/2366/EU or PSD2) was transposed into Irish law, with effect from 13 January 2018, by the European Union (Payment Services) Regulation 2018 (S.I. No. 6 of 2018, hereafter referred to as the PSRs). The PSRs set out the industry requirements concerning liabilities for unauthorised payment transactions and the applicable security requirements to help protect consumers against payment fraud.

As set out in Part 1 of the PSRs, all payment service providers (PSPs) are required to adhere to the requirements set out in the EBA’s Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (RTS on SCA & CSC). PSPs must apply strong customer authentication (SCA) when a payer: (i) accesses payment accounts online, (ii) initiates an electronic payment, or (iii) carries out any action through a remote channel.

SCA is defined in PSD2 as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”. The overall purpose of SCA is to make payments safer and more secure.

SCA has mitigated the threat of social engineering fraud to some extent, through the use of the transaction monitoring mechanisms set out in Article 2 of the RTS on SCA & CSC. This allows PSPs to better identify unauthorised and fraudulent transactions due to unusual patterns; however, the risks of authorised push payment fraud are not fully mitigated by SCA.

During the recent PSD2 review, the European Commission issued a call for advice to the EBA and the matter of authorised push payment fraud/social engineering was addressed. The EBA in their response outlined that they have “identified the increased risk of social engineering fraud as an area where further improvements in the legal framework are needed to address the increase of fraudulent transactions, in particular authorised push payment fraud where fraudsters use social engineering scams (i.e. phishing) in combination with more sophisticated online attacks”.

I have been informed by the Central Bank of Ireland that it fully recognises the need to better address the issue of authorised push payment fraud in the legal framework and will continue to actively engage on this matter through the European legislative process.
