Counter Fraud Measures
Ensuring the security of payments is at the core of PSD2. Participants are obliged to ensure that they have an established framework to manage their operational and security risks. Participants must also be mindful of the interplay with other statutory obligations, such as ensuring the security and protection of personal data, including financial data, in accordance with data privacy laws.
The minimisation of fraud risk within the Open Banking Ecosystem is considered of fundamental importance by the Open Banking Implementation Entity to ensure the protection of customers and the security of transactions.
Recommendations are based on the regulatory guidance together with EBA/FCA guidance on monitoring and reporting requirements.
EBA has recently published Guidelines on ICT and security risk management, which come into force on 30 June 2020 and will repeal and replace the current EBA Guidelines on the security measures for operational and security risks of payment services under PSD2.
Counter Fraud Strategy & Operations
- Create a counter fraud strategy focused on three areas:
  - Fraud Prevention: including code of conduct, policies and controls, awareness training, risk assessment and management plans.
  - Fraud Detection: including fraud detection tools and fraud reporting processes.
  - Fraud Response: including investigation processes, data, management information and reporting, legal action and dispute resolution.
- The strategy should also detail other controls and policies that link to the counter fraud strategy – such as ISO27001 information security controls, internal audit function and the enterprise risk management function.
- Recruit specialist counter fraud operations staff.
- Ensure data collected contains appropriate fraud indicators.
- Implement a counter fraud engine to prevent and detect fraud.
- Detail and maintain strong counter fraud policies and processes.
- Ensure ID & V (identification and verification) practices are in place.
- Identify, evaluate, monitor and measure fraud levels and report at board level.
- Share information and intelligence with financial services peers.
Regulatory Consequences: High fraud levels could lead to regulatory investigations, enforcement action, fines and/or revocation of your regulatory permissions.
Identify Your Greatest Threats: Fraud is closely linked to poor cyber security and poor people and process information security.
Fraud Monitoring & Reporting
- PSD2 requires all PSPs to provide statistical data on fraud to their competent authority, i.e. the FCA in the UK.
- All PSPs (including PISPs and AISPs) must report fraud to the FCA using form REP017 (Payments Fraud Report).
- This should be completed online using the Gabriel online fraud reporting template which can be found at: https://www.fca.org.uk/publication/forms/rep017-payments-fraud-report.xlsx
- Reporting is on a semi-annual basis for PISPs and an annual basis for AISPs.
- For AISPs, reporting is limited to:
  1. Number of incidents of fraud.
  2. Total value of fraud.
  3. Description of fraud.
  - See FCA Handbook Sup16 Annex 27f, Table 2.
- PISPs are required to report the following:
  - Volume and value of all fraudulent transactions.
  - Payment type.
  - Fraud type.
  - Method of authentication.
  - Geographical location.
  - See FCA Handbook Sup16 Annex 27f, Table 1.
- For more information: https://www.handbook.fca.org.uk/handbook/SUP/16/Annex27F.pdf
Regulatory Consequences: Regular fraud reporting is required by both the FCA and EBA.
Identify Your Greatest Threats: Review and assess the EBA fraud reporting requirements and align your monitoring system to prevent accidental misreporting.