Faculty of law blogs / UNIVERSITY OF OXFORD

Fighting Payment Fraud: Some key considerations for the EU legislator

Author(s)

Prof. Dr. E.J. van Praag
Professor of Financial Technology and Law at Erasmus University Rotterdam and Attorney-at-Law at Kennedy Van der Laan

With the digitalisation of commerce there has been an increasing prevalence of payment fraud, as well as a change in the nature of payment fraud (see the European Banking Authority’s and European Central Bank’s 2024 Report on Payment Fraud), leading to a new regulatory dilemma to be solved by the EU legislature.

Historically, payment fraud was confined to stealing someone’s bank credentials, for example by copying the bank card in a shop (skimming). This resulted in a so-called unauthorised payment transaction: the transaction was authorised not by the victim himself, but by the fraudster. Nowadays payment fraud typically relies on social engineering, tricking the victim into approving the payment to another account himself. An example of this type of fraud is a WhatsApp message from someone pretending to be the victim’s child in urgent need of money. This type of fraud is called authorised push payment fraud (APP fraud), as the victim has himself authorised the payment. Notably, the current EU Payment Services Directive (PSD2) provides that the bank of the victim is liable in the case of unauthorised payments, unless the victim acted with gross negligence or fraudulently (PSD2, art. 73 and 74), and the debate in court normally revolves around the question whether the payer was grossly negligent. In the case of APP fraud, however, there is no rule in PSD2 allocating liability to the bank. The victim must bear all the consequences himself, unless he can substantiate that (i) the bank had a duty of care under national private law to monitor his transactions, (ii) the bank should have noticed that the transaction was suspicious, and (iii) the bank failed to act (see e.g. the decision of the Amsterdam District Court of 9 May 2018 or the UK Supreme Court in [2023] UKSC 25). This is a totally different debate in the courts, and one which consumers hardly ever win.

This difference in treatment has led to a growing sense of discomfort among legislators (see the European Commission Proposal of 28 June 2023 for the Payment Services Regulation, recitals 79 and 80), since an equally gullible victim sometimes does and sometimes does not get compensated, depending on the modus operandi of the fraudster. Inevitably, the mere presence of APP fraud can lead to a lack of trust in digital payments more generally. Therefore, the European Commission (EC) has proposed, as part of the Payment Services Regulation (PSR, art. 59), to make the bank liable for APP fraud when the fraudster impersonates the bank. Other measures in the proposal to combat APP fraud are requiring the sending bank to check whether the name and account number of the payee match (confirmation of payee services, see Instant Payments Regulation art. 5c), requiring banks to improve their fraud monitoring systems, enabling banks to share information on bank accounts suspected of being used to commit fraud (PSR, art. 83), and requiring banks to educate and alert their customers to fraud risks (PSR, art. 84). The proposal of the EC was welcomed by the EU co-legislators (see the positions of the European Parliament and the Council), although with a suggestion to compensate the victim in a majority of cases. This has led to a vehement debate about which measures to take (see e.g. the European Payments Institutions Federation statement). I discuss some key points on this issue below.

First, there is the fundamental question whether the loss should be borne by the banks or by the victims. Some fear that victims may become less cautious if they know they will be compensated. Besides, the banks may raise the prices of their services for all clients in order to recover the additional costs of fraud. In my view, however, there are strong arguments for allocating liability to the banks. The current difference in the treatment of liability between unauthorised payments and APP fraud cannot be explained reasonably. Even though victims may be compensated after all, being defrauded is a traumatic experience, and it is not certain beforehand whether the bank will indeed compensate in a given case. Therefore, I do not fear that customers will become less diligent. Lastly, banks are better placed than the victims themselves to fight payment fraud, via advanced monitoring mechanisms.

The second question is whether the bank of the payee should carry liability alongside the bank of the payer. A fraudster needs a bank account into which to receive the stolen funds. The UK has opted for a split liability between these two banks (see, for instance, the UK Payment Systems Regulator’s reimbursement mechanism for APP scams). Within the EU, none of the co-legislators has yet proposed to follow the UK’s lead. My view is that such a split liability has the key advantage of incentivising the bank of the payee to combat fraud. It also does justice to the fact that both the bank of the payer and the bank of the payee profit from offering payment services and should therefore also share in the risks that come with these services. A counterargument is that the payer’s bank, which has the closer relationship with the victim, may be too readily inclined to compensate the victim if it knows that 50% of the compensation will not come out of its own pocket.

Thirdly, the EU co-legislators need to answer the question to what extent the definition of ‘gross negligence’ needs to be harmonised. Currently, a proposal from the Council is on the table to harmonise this definition through a list of criteria for assessing gross negligence. This goes only halfway towards harmonisation, as according to the Council the list does not prejudice the discretion of the national courts, since the degree and evidence of negligence should generally be evaluated under national law by the court deciding the case at hand. In my view, there is some logic pointing towards harmonisation, as it enables banks to perform the same cost-benefit analysis across the EU of whether to invest more in fraud prevention or to accept a higher chance that compensation will need to be paid. On the other hand, I also acknowledge that harmonisation may not be feasible in practice, notwithstanding the efforts of the legislators. Evaluating the degree of negligence of the victim is so bound up with the facts of the case that, in the end, the court has significant discretion in weighing the facts and will use its own cultural frame of reference.

The fourth question is to what extent other players in the fraud ecosystem should be involved, notably electronic communications service providers. Typically, a fraudster relies on all kinds of other services for their fraudulent operations, notably telephone companies, digital platforms and/or social networks. The EC has only proposed that these electronic communications service providers must remove fraudulent activity from their networks and/or deny access to fraudsters once notified by the bank. The European Parliament, however, suggests a much larger role, in which these other parties must educate consumers and have fraud prevention and mitigation techniques in place. However tempting, I am unsure whether I support such an ‘all of society approach’ to fighting fraud. It requires these other parties to become more involved with the content of what happens on their platforms, and fraud prevention may involve proactively banning users, with the attendant risks of false positives and discriminatory algorithms.

The EU co-legislators have a complex dilemma to solve. In this contribution, I have introduced the key problems and provided some suggestions. Perhaps the key message is: a legislator must know its limits. Not all problems, however pressing, can be fully solved.
