Pearse Doherty (Donegal, Sinn Fein)
Link to this: Individually | In context | Oireachtas source

248. To ask the Minister for Finance further to Parliamentary Question No. 234 of 28 February 2023, if the introduction of provisions to require reimbursement from payment service providers to victims of authorised push payment fraud domestically would contravene the revised Payment Service Directive (PSD2), given the response provided to the question did not clarify the issue. [11308/23]

Michael McGrath (Cork South Central, Fianna Fail)
Link to this: Individually | In context | Oireachtas source

As I outlined in my reply to Parliamentary Question No. 234 of 28 February 2023, PSD2 is a maximum harmonisation directive and this means that Member States may not introduce new provisions beyond those laid down in the Directive when transposing it. In addition, it follows that such provisions elsewhere should not contravene PSD2.

I also outlined that PSD2 did not directly deal with the issue of authorised push payment fraud.

However, the introduction of domestic legislation requiring reimbursement from payment service providers to victims of authorised push payment fraud could lead to unintended consequences and introduce impediments into the payment system, causing roadblocks for ordinary users. While preventing fraud is a priority, it is important that any action taken to solve this issue must be considered within the wider European context given the complexities of the issue.

An additional complication is that fraud of the nature described by the Deputy does not fall easily under any one heading: there is no one categorisation of push payment fraud.

While the requirement for strong customer authentication (SCA) prevents some types of fraud, push payment fraud is usually a fraud that involves a level of social engineering where victims are manipulated into making real-time payments to fraudsters. The fraudster may trick the victim into believing that they are bank employees, employees of other businesses, a friend etc. These type of frauds are called cyber-enabled frauds.

The European Commission are currently undertaking a review of PSD2, which is expected to cover a wide variety of areas related to the Directive, including the issue of authorised push payment fraud.

As part of its review, the European Commission issued a call for advice to the European Banking Authority (EBA) and the matter of authorised push payment fraud/social engineering was addressed. The EBA in their response outlined that they have “identified the increased risk of social engineering fraud as an area where further improvements in the legal framework are needed to address the increase of fraudulent transactions, in particular authorised push payment fraud where fraudsters use social engineering scams (i.e. phishing) in combination with more sophisticated online attacks”.

In their response, the EBA proposes that the any revised PSD2 should introduce a combination of measures that could have a positive effect and further mitigate these types of risks. The measures could include

- The introduction of specific requirements in the Directive on educational and awareness programs for applicable risks;

- Incentivising payment service providers (PSPs) to invest in more efficient transaction monitoring mechanisms by covering payment transactions that have been authorised by the payer under manipulation of the fraudster within the scope of unauthorised payment transactions; and

- Facilitating the exchange of information between PSPs in relation to known cases of fraud, specific fraudsters and accounts used to carry out fraud.

Officials from my Department have been engaging with the Commission’s review on areas of Irish interest, including the prevention of fraud. It is likely that when the review is complete the Commission will bring forward a proposal for a new Directive (PSD3).