Mr. Colm Kincaid:

I am joined today by my colleagues, Mr. Patrick Casey and Mr. Wesley Murphy. We welcome the opportunity to discuss the important issue of authorised push payment fraud with the committee.

Over the last number of years, two key trends have shaped the payments landscape for consumers and businesses in Ireland. Those are speed and innovation. Irish consumers and businesses benefited significantly from these trends and, in particular, from our integration into the European Union payments system under the single euro payments area, SEPA. Consumers and businesses can now make electronic euro payments to anywhere in the euro system in a fast, safe and efficient way.

Key to the proper functioning of such a system is trust. Together with the European Central Bank and other euro system national central banks, the Central Bank of Ireland shares a common goal, namely, "to guarantee that people have access to efficient payment solutions that meet their preferences and to ensure that transactions remain safe, underpinning confidence in our currency and the functioning of our economy". We are supported in this goal by strong legislative protections for users of payment services within the European Union, in particular through the payments services directive, PSD2. A key feature of PSD2 was to formalise payment security requirements in national law, including the application of strong customer authentication, SCA. It also introduced reimbursement for cases of fraud where the payment is not authorised by the consumer, known as an unauthorised payment fraud. Properly applied, the protections of this regulatory framework should give confidence to consumers and businesses in their day-to-day activities. We see this confidence borne out in the increasing extent to which payment activity has migrated to digital means with, for example, the number of card payments more than doubling in the past five years.

Unfortunately, as we see the benefits of digitalisation and an open payments system within the European Union, we also see the ongoing emergence of ever more sophisticated frauds. This includes fraudsters utilising social engineering tactics to defraud consumers into authorising the making of a payment from their account, known as an authorised push payment fraud or APP.

As the committee is no doubt aware, under the European framework for unauthorised payment fraud, liability rests with the payment service provider to reimburse the consumer.

However, the current EU legislative framework does not set out liability for authorised push payment, APP, fraud. This gap in liability was called out, for example, in the European Banking Authority’s June 2022 report to the European Commission. The Central Bank therefore welcomes the recent European Commission proposals to extend the liability of payment service providers to include the case of APP fraud where an IBAN discrepancy is detected but not notified to the payer and where the fraud involves impersonation of a bank employee.

In our Consumer Protection Outlook Report 2023, the Central Bank repeated its expectation of the firms we regulate to have effective measures to mitigate the risk of fraud, be proactive in identifying and dealing with cases of fraud and engage effectively with consumers who have been the victims of fraud. This includes taking steps to support victims of APP fraud to retrieve their funds where possible. There will also be cases of APP fraud where firms should compensate consumers to the extent that the consumer’s loss arises from a failure in a payment service provider’s own established systems and controls. As part of its ongoing review of the Consumer Protection Code 2012, the Central Bank is also considering what policy measures it can introduce within the scope of its specific rule-making powers to contribute to the protection of consumers in a digital environment more generally. The measures under consideration include requirements on the design of digital platforms, firms’ systems and controls and online security standards.

The sophisticated and multidimensional nature of APP fraud requires a co-ordinated approach across industry and with public sector agencies. We are aware of initiatives in other countries such as the Observatory for the Security of Payment Means created under French law, which promotes information sharing and consultation between all relevant parties, including consumer representatives, ombudsmen, law enforcement and regulators. We would welcome the opportunity to participate in any future equivalent forums that are mandated domestically, involving all the key private and public sector stakeholders in the payments area. As well as continuing to develop their own systems, it is also important that payment service providers continue to work together to consider the overall functioning of the system and ensure their customers’ interests are effectively protected. This could include considering co-ordinated measures such as the introduction of IBAN checks, while recognising that no one step alone will provide full protection. It also remains important to continue to raise public awareness of fraud. There is more we can all do as a combined effort to support this domestically. Last year, the Central Bank launched an online public awareness campaign and this information remains available on our website. We also note the initiatives of industry to raise awareness of fraud and we believe this topic should also feature in ongoing work at Government level on a national strategy on financial literacy.

On reimbursement and liability, we are clear that firms should take steps to seek to recover funds for consumers and should compensate consumers to the extent that any loss arises from a failure in the firm’s own established systems and controls. We also support the European Commission proposal to expand reimbursement to the cases of APP fraud the Commission has specified. The question of whether the law should go further nevertheless arises, possibly up to requiring that consumers be fully reimbursed in all cases of APP fraud. If so, who should bear this cost? These are important social policy questions that require careful consideration. Such consideration should include looking at all the actors involved, including social media and other communication mechanisms through which APP fraud is carried out. This includes any consideration of a voluntary reimbursement arrangement such as that in the United Kingdom. We note the discussions the committee held with the Banking and Payments Federation Ireland on this aspect. The Central Bank would support any such initiative by industry, while recognising it must be properly calibrated. We believe it would be most effective if pursued as part of a wider engagement on enhancements to prevent fraud where all relevant actors are involved, including those outside the banking and payments sector. This approach could also support the development of the proposed shared fraud database, which would be of benefit to relevant stakeholders to prevent and combat fraud across the financial system.

Fraudsters prey on consumer vulnerabilities. Combating such bad actors will require all parties to act together to protect and preserve the freedoms of the EU payments system which we have worked so hard to build for the benefit of our society. Working together with other regulatory authorities within the EU framework and law enforcement agencies in the State, the Central Bank is playing its part in securing the safety of that payments system. We welcome the European Commission’s proposals to enhance that EU framework and stand ready to play our part in any future consideration of how to further enhance the framework at EU or national level. In the meantime, our expectations of the firms we regulate are clear. They must have effective systems in place to identify and prevent fraud and they must support consumers who fall victim to it. This includes APP fraud, where we expect firms to, among other things, take steps to trace and recover money lost where this is possible. We also expect firms to take responsibility to compensate consumers to any extent that a consumer’s loss has resulted from a failure of the firm’s own established systems and controls. I thank committee members for their attention. I and my colleagues are happy to take their questions.