Payment fraud is evolving, with Authorised Push Payment (APP) fraud becoming a significant threat, costing around EUR 1.13 billion in the first half of 2023 in the EU. This type of fraud occurs when victims are deceived into authorising fraudulent transactions.
Current regulations like PSD2 protect consumers from unauthorised transactions, but APP fraud victims bear all costs. To address this, the European Commission’s Payment Service Regulation (PSR) proposal (June 2023) introduced a shift in liability where Payment Service Providers (PSPs) would have to reimburse victims of impersonation fraud. In April 2023, the European Parliament proposed to extend the liability to electronic communication service providers (ECSPs) and online platforms if they failed to remove the fraudulent content after being notified by the PSP. No thorough impact assessment of the proposed shared liability regime has been conducted by European institutions.
The present study assesses the potential implications of a shared liability regime and alternative voluntary solutions to reduce payment fraud. The study is based on publicly available evidence and interviews with different sets of stakeholders, from online platforms to telecommunication operators and payment service providers.
Overall, we find that the effects of the proposed shared liability are not substantiated and require further analysis and evidence. The effects are ambiguous and warrant closer examination to ensure that – if shared liability were to be introduced – providers have the right incentives to reduce fraud while minimising unintended consequences.
Our key findings are summarised in the following:
While there may, in certain circumstances, be economic rationales to share liability among different actors in the digital payment ecosystem, the effects of the proposed regime are ambiguous and would benefit from an assessment against plausible alternative solutions. Regulators and policymakers would therefore benefit from taking a broader look at ways to help companies and consumers fight fraud through more effective coordination, collaboration and experimentation. Notably:
1. The digital ecosystem would benefit from harmonised interpretation of, and guidance on, the existing legal framework, in particular the GDPR and ePrivacy Directive, to remove legal risks for further “Good Samaritan” cooperation.
2. Telecom operators and online platforms would benefit from clear recommendations and guidance by policymakers on how to cooperate and share information. Moreover, public authorities and law enforcement should take a more active role in these initiatives.
3. Public authorities should support, within the existing regulations, “co-regulation” initiatives such as codes of conduct to allow providers from different sectors to establish best practices at the EU level. This allows providers to adapt their mechanisms of fraud prevention more flexibly to respond to constantly evolving fraud tactics.
4. User education and empowerment against fraudsters should be supported. In the type of fraud discussed in this study, users are deceived into initiating the fraudulent payment themselves. It is therefore important to continuously support public and private actors in investing in educational and awareness campaigns that inform consumers on how to recognise and report fraud.
The study is commissioned by the Computer and Communications Industry Association (CCIA).