Written answers

Tuesday, 13 December 2022

Department of Finance

Consumer Protection

Pearse Doherty (Donegal, Sinn Fein)

237. To ask the Minister for Finance if he will provide an overview of legislative or consumer protection code provisions with respect to chargebacks, authorised push payment fraud and fraud regarding card payments; and if he will make a statement on the matter. [61722/22]

Paschal Donohoe (Dublin Central, Fine Gael)

Directive 2015/2366/EU on payment services (or “PSD2”) was transposed into Irish law, with effect from 13 January 2018, by the European Union (Payment Services) Regulations, 2018 (S.I. No. 6 of 2018, hereafter referred to as the PSRs). The PSRs set out the industry requirements concerning liabilities for unauthorised payment transactions and the applicable security requirements to help protect consumers against fraud.

Regulation 97 of the PSRs sets out the payment service provider’s (PSP) liability for unauthorised payment transactions and provides that where a payment transaction is not authorised, the payer’s payment service provider (PSP) shall—

(a) refund the payer the amount of the unauthorised payment transaction immediately, and in any event not later than the end of the business day immediately following the date that the payer’s payment service provider notes or is notified of the transaction, except where the payer’s payment service provider has reasonable grounds for suspecting fraud and communicates those grounds to the relevant national authority in writing,

(b) where applicable, restore the debited payment account to the state in which it would have been had the unauthorised payment transaction not taken place, and

(c) ensure that the credit value date for the payer’s payment account shall be no later than the date the amount was debited.

Regulation 98 of the PSRs then sets out the payer’s liability for unauthorised payment transactions and provides that a payer shall bear the losses relating to any unauthorised payment transactions, up to a maximum of €50, resulting from the use of a lost or stolen payment instrument or from the misappropriation of a payment instrument. However, the PSRs set out further in Regulation 98(2) a range of instances where the payer will not be liable for any losses, e.g. where the loss, theft or misappropriation of a payment instrument was not detectable to the payer prior to a payment.

Regulation 100 of the PSRs sets out the requirements for refunds for payment transactions initiated by or through a payee, e.g. recurring card payment transactions, such as a Netflix subscription. Regulation 101 of the PSRs then sets out the requirements for payers to request refunds for payment transactions initiated by or through a payee and provides that a payer may request a refund under Regulation 100 up to 8 weeks from the date on which the funds concerned were debited.

As set out in Part 1, Preliminary, Regulation 1, Citation and Commencement (3) of the PSRs, all PSPs are required to adhere to the requirements set out in the EBA’s Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (“RTS on SCA&CSC”). PSPs must apply strong customer authentication (SCA) when a payer: (i) accesses payment accounts online, (ii) initiates an electronic payment, or (iii) carries out any action through a remote channel.

SCA is defined in PSD2 as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”. The overall purpose of SCA is to make payments safer and more secure.

During the ongoing PSD2 review, the European Commission (EC) issued a call for advice to the European Banking Authority (EBA) and the matter of authorised push payments/social engineering was addressed. The EBA in their response outlined that they have “identified the increased risk of social engineering fraud as an area where further improvements in the legal framework are needed to address the increase of fraudulent transactions, in particular authorised push payment fraud where fraudsters use social engineering scams (i.e. phishing) in combination with more sophisticated online attacks”.

SCA has mitigated the threat of social engineering fraud to some extent, e.g. through the use of the transaction monitoring mechanisms set out in Article 2 of the RTS on SCA&CSC. This allows PSPs to better identify unauthorised and fraudulent transactions due to unusual patterns; however, the risks are not fully mitigated by SCA, and the EBA has outlined this in their response to the EC’s call for advice during the PSD2 Review.

In their response, the EBA proposes that any revised PSD2 should introduce a combination of measures that could have a positive effect and further mitigate these types of risks. The measures could include introducing specific requirements in the Directive on educational and awareness programmes for applicable risks; incentivising PSPs to invest in more efficient transaction monitoring mechanisms by covering payment transactions that have been authorised by the payer under manipulation of the fraudster within the scope of unauthorised payment transactions; and facilitating the exchange of information between PSPs in relation to known cases of fraud, specific fraudsters and accounts used to carry out fraud.
