Ms Gráinne McEvoy:

The Senator has raised an important point. We have certainly acknowledged that we have seen an increase in this practice. I have a great deal of sympathy for those consumers who have been impacted by phishing attacks and alerts. This happens, however, in an environment outside of the regulatory parameters. We have, though, issued warnings for consumers on our consumer hub and bringing to their attention the likelihood of the format that such attacks can take. I refer to informing customers to not click on links which they do not recognise, and all those kinds of things. That is in the area of trying to enhance consumers' awareness of, and educate them about, the risks contained within those kinds of email attacks.

At a broader level, a European directive entitled the payment services directive, EU 2015/2366 PSD2 is in play. It has existed since 2015 and has since been amended. The premise of that directive and the background behind it is to increase security in respect of transactions online and to minimise, as far as possible, fraud or other types of attacks which may arise. We have worked closely with our industry in recent years to ensure that it is fully au faitwith the requirements of PSD2 and that those companies concerned have updated their IT systems and channels of interaction with consumers to ensure compliance with the requirements of the direct, particularly in the area of strong customer authentication.

That aspect is increasingly common and, as a consumer himself, the Senator will probably have experienced situations, when seeking to complete a transaction online, where an additional code might have been required, or a security question may have needed to be answered, or, depending on the technology, a fingerprint might be required. All those enhancements seek to strengthen how consumers interact with online transactions and to minimise, insofar as is possible, the risks of fraud or attacks. It is fair to say in many cases, however, that legislation, regulation and the industry were probably a step or two behind the attackers. That does not mean, however, that we should not do all we can to ensure that the interests of consumers are best protected.