Mr. John Palmer:

My name is John Palmer and I am responsible for EU banking and payments policy in the banking division of the Department of Finance. I am accompanied by Sorcha Keogh, who is responsible for payments policy in my area.

Recent years have seen an increase in the incidence of financial fraud and scams. The rise in this form of crime is a serious concern and the Department is actively working on this issue, including consultation with stakeholders, to develop policy solutions. The statistics on fraud provided to the committee by Banking and Payments Federation Ireland, BPFI, and the Department of Justice highlight the problem, although the information from the latter, the provisional crime statistics for 2022, show a welcome decline in technology-based fraud.

The policy governing payments services is set by the European Union and currently we operate under the second payment services directive, generally referred to as PSD2, which was transposed by SI 6 of 2018, the European Union (Payment Services) Regulations 2018.

Tackling fraud in payment services was a key objective of PSD2 and it introduced a key measure to prevent fraud in the form of strong customer authentication, usually referred to as SCA. PSD2 also set out strict security requirements for protection of consumers’ financial data. PSD2 enhanced customer protection through a focus on authorisation, including a requirement for consent to execute a payment transaction, and requirements for the payment service provider, PSP, to provide proof that the payment transaction was authenticated, recorded, and entered in accounts. It provided that for unauthorised transactions, the payer must be immediately refunded the amount of the transaction, subject to a maximum loss to the payer of €50 resulting from the use of a lost or stolen payment instrument, except where the payer is unaware of the loss or theft. Once users have notified a PSP that their payment instrument has been compromised, payers are not required to cover further losses.

A payer is also entitled to a refund from the PSP of an authorised payment transaction which was initiated by or through a payee and which has already been executed, if the authorisation did not specify the exact amount of the payment transaction when the authorisation was made and the amount exceeded the amount the payer could reasonably have expected.

Under PSD2, where a payment order is executed in accordance with a unique identifier, the IBAN as we all know it, the payment order is deemed to have been executed correctly where payment is made to the payee specified by the unique identifier. Where the unique identifier provided by a payer is not the unique identifier of the person to whom payment was intended to be made, the payment service provider is not liable for non-execution or defective execution of the payment transaction. In these circumstances, both the payee and the payer’s PSPs must make reasonable efforts to recover the funds involved and communicate all relevant information.

PSD2 is a maximum harmonisation directive, which means that the transposing regulation cannot go beyond the provisions of the directive. However, elsewhere in Europe and in the UK, some voluntary schemes exist to provide for refunds in the case of authorised push payment fraud, the subject we are discussing here. While there is currently no statutory reimbursement requirement in the UK for APP scams, some UK PSPs have signed up to a voluntary contingent reimbursement model code that sets a framework for how liability should be apportioned when a scam occurs.

The UK is progressing legislation, the Financial Services and Markets Bill, which revokes retained EU law relating to financial services, including PSD2, and amends the Payment Services Regulations 2017, which was the UK's transposition of PSD2. The amendment changes the liability of a PSP in cases where the payment order is executed subsequent to fraud or dishonesty and allows for the UK's Payment Systems Regulator to develop a mandatory scheme for reimbursement for APP frauds.

A key requirement in PSD2 was that the European Commission review the directive and, if appropriate, deliver a legislative proposal, by January 2021. For various reasons that was delayed but the review and accompanying legislative proposals were published today at 12 noon. We are aware from consultations carried out by the European Commission that the issue of APP fraud would be considered. Based on a brief examination of the proposals, the Commission is proposing expanding refunds for authorised payment frauds but not introducing full liability in all circumstances.

Finally, the retail banking review, which was published last November, recommended that the Department of Finance should lead on the preparation of a new national payments strategy to be completed in 2024. Work has commenced and the terms of reference will include a requirement that analysis should be done at national level on fraud in payments and see if the problems can be mitigated.

I am happy to address any specific questions that the committee may have or provide further details.