The Tug-Of-War In The European Parliament: The Fight For The Payment-Related Fraud Liability
Grzegorz Hansen, PhD
Head of Cash Management Sales Bureau - Structured Transactions
The drafting of the Payment Services Regulation (PSR) is no doubt an important arena in the fight over payment-related fraud liability. It will remain one at least until the PSR is finally passed and published in the Official Journal.
Contrary to the EU legislators' and regulators' well-worn assumption, the majority of frauds do not originate at the payment service providers (PSPs), and PSPs can be considered influential in only a part of these scams. It is the "electronic communications service providers" that are often much more in control of the space where the scams originate.
The Preamble’s Promise
Currently, the text of the PSR as approved by the EP at its final plenary session retains the important promise of shifting scam liability more "where it belongs".
In recital (80) of the preamble to the Payment Services Regulation as approved by the European Parliament on 23 April 2024, we find an important supplement to the context of scams targeted at payment service users, especially consumers. This supplement adds that "electronic communications service providers should be obliged to cooperate with payment service providers" to the overall picture of the "scam infrastructure" (as every event or fact needs an essential environment, or "infrastructure", in which to happen). It also promises "joint responsibility" of the "electronic communications service providers" in case of non-cooperation with PSPs regarding scams:
(80)
“Payment service providers have more means than consumers to put an end to cases of ‘spoofing’, through adequate prevention and robust technical safeguards developed with electronic communications services providers such as mobile network operators, internet platforms etc. Those electronic communications service providers should be obliged to cooperate with payment service providers in the fight against fraud. If they fail to do so, they should be held jointly responsible in the event of fraud. Cases of bank employee impersonation fraud affect the good repute of the bank, of the banking sector as a whole and may cause significant financial damages to Union consumers, affecting their trust in electronic payments and in the banking system. A good-faith consumer who has been the victim of such ‘spoofing’ fraud where fraudsters pretend to be employees of a customer’s payment service provider and misuse the payment service provider’s name, mail address or telephone number should therefore be entitled to a refund of the full amount of the fraudulent payment transaction from the payment service provider, unless the payer has acted fraudulently or with ‘gross negligence’. As soon as the consumer becomes aware that he or she has been a victim of that type of spoofing fraud, the consumer should without undue delay report the incident to the police, preferably via online complaint procedures, where made available by the police, and to his or her payment service provider, providing every necessary supporting evidence”.
The term "spoofing" refers to "cases where fraudsters pretend to be employees of a customer's payment service provider, or of a relevant entity which could reasonably be linked to a trusted source of the customer, such as a central bank or government authority, and misuse the payment service provider's name, e-mail address or telephone number to gain the customers' trust and trick them into carrying-out some actions, are unfortunately becoming more widespread in the Union." (recital (79)).
It is further developed as "new types of 'spoofing' or 'impersonation' fraud" that are blurring the difference that existed in Directive (EU) 2015/2366 between authorised and unauthorised transactions (recital (79)). The corollaries of this "blurring" are then drawn.
There are three other important recitals of the PSR preamble related to the subject:
(81)
Given their obligations to safeguard the security of their services in accordance with Directive 2002/58/EC of the European Parliament and of the Council, electronic communications services providers have the capacity to contribute to the collective fight against ‘spoofing’ fraud. Therefore, and without prejudice to the obligations laid down in national law implementing that Directive, electronic communications services providers should also, where relevant, have liability and cooperate with payment service providers with a view to preventing further occurrences of that type of fraud, including by acting promptly to ensure that appropriate organizational and technical measures are in place to safeguard the security and confidentiality of communications in accordance with Directive 2002/58/EC. Any claim for fraud against other providers, such as electronic communications services providers or online platforms, for financial damage caused in the context of this type of fraud should be made in accordance with this Regulation.
(81a)
Online platforms can also contribute to increasing instances of fraud. Therefore, and without prejudice to their obligations under Regulation (EU) 2022/2065 of the European Parliament and of the Council (Digital Services Act), they should be held liable where fraud has arisen as a direct result of fraudsters using their platform to defraud consumers, if they were informed about fraudulent content on their platform and did not remove it.
(82)
To assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. However, while the concept of negligence implies a breach of a duty of care, ‘gross negligence’ should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, making a payment to a fraudster without having any reasonable grounds for believing that the payee to whom the payment was intended is legitimate, keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties, persuading a bank to lift a block placed after a fraud alert acting on guidance from an unfamiliar third party, or giving an unblocked smartphone to a third party.
The Half-Empty Promise
Sadly, however, the above-mentioned declarations of the preamble are not followed through with proper consequences in the operative text of the Regulation.
Although we can read in Article 59 (Impersonation fraud) that:
“5. Where informed by a payment service provider of the occurrence of the type of fraud as referred to in paragraph 1, electronic communications services providers shall cooperate closely with payment service providers and act swiftly to ensure that appropriate organizational and technical measures are in place to safeguard the security and confidentiality of communications in accordance with Directive 2002/58/EC, including with regard to calling line identification and electronic mail address. If the electronic communications service providers do not remove the fraudulent or illegal content, after being informed of its occurrence, they shall refund the payment service provider the full amount of the fraudulent authorised payment transaction under the condition that the consumer has, without any delay, reported the fraud to the police and notified its payment service provider”,
this is, unfortunately, the only clear liability consequence for the "electronic communications services providers", and it applies only where they remain completely inactive in response to information received (from other parties) about fraudulent or illegal content that they are actually hosting.
No active screening, anti-fraud monitoring or anti-fraud protection programme is required, and its absence does not give rise to any clear liability of the electronic communications service provider (towards the payment service user, or towards the victim's payment service provider, which would have to refund the user for a scam originated by a scammer hosted by the "electronic communications services provider").
There are the following further statements in Article 59, which, however, do not define clear liability of the non-payment service providers:
“5a. Electronic communications service providers shall have in place all necessary educational measures, including alerts to their customers via all appropriate means and media when new forms of online scams emerge, taking into account the needs of their most vulnerable groups of customers. Electronic communications service providers shall give their customers clear indications as to how to identify fraudulent attempts and warn them as to the necessary actions and precautions to be taken to avoid falling victim to fraudulent actions targeting them. Electronic communications service providers shall inform their customers of the procedure for reporting fraudulent actions and how to rapidly obtain fraud-related information.
5b. All providers involved in the fraud chain shall act swiftly to ensure that the appropriate organisational and technical measures are in place to safeguard the security of payments users when making transactions. Payment service providers, electronic communications service providers and digital platform service providers shall have in place fraud prevention and mitigation techniques to fight fraud in all its configurations, including non-authorised and authorised push payment fraud.
5c. By ... [12 months from the date of entry into force of this Regulation], the EBA shall issue technical guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 regarding the concept of gross negligence in the context of this Regulation and respecting the national legal frameworks on that matter”.
As it was nicely phrased by Ron Brackin: “laws without enforced consequences are merely suggestions”.
The Hope Gone
In the current version of the PSR we can no longer find the earlier paragraph 1a of Article 59, which was present at an earlier stage of the EP's first reading:
“1a. In order to avoid fraud within their purview, electronic communications service providers and payment service providers shall ensure that all required technological safeguards, particularly those pertaining to the security of the communication between payment service providers and payment service users, are in place. Those technological safeguards shall be provided free of charge.
Electronic communications providers shall have in place at least the following technical safeguards in order to prevent fraudulent activities:
(a) verifying the legitimacy of all calls and messages that are routed through telecommunication networks;
(b) preventing the use of a specific telephone number in violation of its attribution, authorisation, or allocation;
(c) preventing the creation of fraudulent websites and preventing internet search engines from displaying those websites in their list of results;
(d) storing proof of IT and identity verification measures, in particular in the event of sim swap, to justify their due diligence.
If electronic communications service providers fail to establish the technical safeguards set out in the first subparagraph, they shall be financially liable towards the payer’s payment service provider for the amount that the payment service provider has refunded to the payment service user”.
This final sentence, which delivered on the promise stated in the preamble, has unfortunately disappeared from the final text of the Regulation.
The PSPs Last Stand?
However, the legislative process has not yet ended. If anti-scam regulations are to be really effective, they need to address the proper "locus" of the scam, rather than merely shifting liability to where it may belong but not where the problem originates.
If the PSR does not address the problem properly, PSPs will have to exploit all the opportunities the DSA offers to fight frauds originating in the "realm" which only "electronic communications service providers" can properly control.
Grzegorz Hansen
12 May 2024
The above publication contains its author’s private opinions only.
#ecommerce #openbanking
Comment (6 months later): I am not a lawyer, but I sense that the intention may have been to 'nudge' the customer towards communication solutions that offer fewer opportunities for identity spoofing than, e.g., the use of SMS/phone. I sense a thematic convergence with the anti-spoofing act recently described by Niebezpiecznik.pl.