Ken O'Flynn (Cork North-Central, Independent Ireland Party)
Link to this: Individually | In context

34. To ask the Minister for Finance if he will report on the Central Bank of Ireland’s latest data indicating that fraudsters stole approximately €160 million from Irish consumers and businesses in 2024 through electronic and online payments. [57603/25]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

The Central Bank of Ireland released updated payment fraud statistics for 2024 on the 16th of October. As the deputy correctly points out, during 2024, €160 million in fraudulent payments were recorded by Irish resident PSPs representing a 24.5 per cent increase from €129 million in 2023.

The total volume of fraudulent payments also experienced a significant rise, increasing by 40.7 per cent from 579,000 in 2023 to 815,000 in 2024. The growth is predominantly driven by fraudulent e-money transactions and money remittances by both value and volume of payments.

Online payments accounted for 77.4 per cent of the total fraudulent value in 2024 amounting to €124 million. This represents a 22.9 per cent increase from €100.9 million in 2023. For the most commonly used payment methods like credit transfer and card payments over 86 per cent of the fraudulent payments by value were initiated online in 2024.

The total value of fraudulent electronic payments increased by 22 per cent in 2024 to €127 million, up from €103 million in 2023. The volume of fraudulent electronic payments increased by 15 per cent from 441,000 in 2023 to 509,000 in 2024.

Work is ongoing at the EU level on the Payment Services Regulation which when completed will include measures which aim to tackle the increasing prevalence of impersonation fraud. Payment service providers will be held liable for in cases where the payment service provider was impersonated by a fraudster manipulating a victim into authorising a fraudulent payment. Additionally, there will be a number of measures focused on fraud prevention, including strengthened transaction monitoring and fraud information sharing between key sectors.

At the domestic level, several steps are underway in line with recommendations made by the National Payments Strategy. The BPFI has established a cross sectoral anti-fraud forum with representatives from online platforms, financial services providers, telecommunications services providers and their respective regulators (the Central Bank, ComReg and Coimisiún na Meán) participating. This anti-fraud forum aims to foster cross-sectoral cooperation in fraud prevention through information sharing, coordinated action, and alignment with legislative requirements.

The national payments strategy actioned the Department of Justice, Home Affairs & Migration to work on legislation for a shared fraud database. I am informed by the Department of Justice, Home Affairs & Migration that work on this legislative project is underway.

Ken O'Flynn (Cork North-Central, Independent Ireland Party)
Link to this: Individually | In context

35. To ask the Minister for Finance the steps his Department and the Central Bank are taking to enhance the resilience of Ireland’s payment systems against fraud, including coordination with retail banks, fintech companies, and card issuers. [57604/25]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

My officials are undertaking a number of steps in the effort to fight payment fraud and enhance the resilience of Ireland's payment systems, at both the national and EU level.

Firstly, the Instant Payments Regulation requires the provision of an IBAN/name check, which applies to both instant payments and standard credit transfers and is now in effect. This IBAN/name check function reduces credit transfer fraud by alerting the payer when the name of the account they are sending money to does not match the name they have inputted.

Secondly, negotiations are ongoing in relation to the European Commission's proposed payment services directive, which is known as PSD3, and the payment services regulation, which is known as the PSR. These will jointly replace the second Payment Service Directive, which is usually referred to as PSD2.

Proposals in PSD3/PSR include measures such as enhanced fraud reporting requirements for payment service providers to their regulators, enhanced transaction monitoring and the establishment of a European legal base for payment service providers to share fraud data. The PSR also expands the grounds for reimbursement by PSPs to fraud victims.

The proposed grounds for reimbursement include failure to carry out the IBAN/name check correctly and where the fraud arises from impersonation of the victim's own PSP. A further proposal is to require electronic communications services providers to cooperate with PSPs in relation to PSP impersonation fraud. Currently, the file is in Trilogue negotiation stage under the Danish Council Presidency.

Thirdly, at the domestic level, several steps are underway in line with recommendations made by the National Payments Strategy. The BPFI has established a cross sectoral anti-fraud forum with representatives from online platforms, financial services providers, telecommunications services providers and their respective regulators (the Central Bank, ComReg and Coimisiún na Meán) participating. This anti-fraud forum aims to foster cross-sectoral cooperation in fraud prevention through information sharing, coordinated action, and alignment with legislative requirements.

The national payments strategy actioned the Department of Justice, Home Affairs & Migration to work on legislation for a shared fraud database. I am informed by the Department of Justice, Home Affairs & Migration that work on this legislative project is underway.

Following a formal decision published in April 2024 ComReg is developing an SMS Sender ID Registry (the Registry) to prevent text scams and to protect the SMS channel as a reliable and trustworthy communications channel. From 3 July 2025, SMS with unregistered Sender IDs have been labelled “Likely Scam” to alert the recipient that the SMS may not be legitimate and since 3 October 2025, SMS messages with unregistered SMS Sender IDs will be blocked and those text messages will not reach recipients.

The Central Bank of Ireland is taking a number of actions to protect consumers against the increase in payment fraud. The Central Bank expects regulated firms to act in the best interests of their customers at all times. As per the Central Bank’s Regulatory & Supervisory Outlook Report, firms must have effective measures to mitigate the risk of fraud or scams and be proactive in identifying and dealing with cases of fraud or scams, including engaging effectively with consumers affected.

It is the responsibility of firms to design and use effective systems to protect their customers including against payment fraud. Central Bank expectations in this area include that firms:

• take steps to trace and recover money defrauded without undue delay, when the firm identifies or is made aware of a suspected fraud case;
• compensate customers to any extent a customer’s loss results from a failure of the firm’s own established systems and controls;
• review existing fraud prevention systems to see what further enhancements could be made to identify and prevent consumers falling victim to fraud, including authorised push payment fraud;
• be clear and transparent to customers about how the firm investigates suspected fraudulent transactions and what the firm’s refund policies are in respect of remediating / refunding fraudulent transactions, including on websites; and
• provide effective reporting and assistance to An Garda Síochána.

Ken O'Flynn (Cork North-Central, Independent Ireland Party)
Link to this: Individually | In context

36. To ask the Minister for Finance if he will consider mandating stronger customer-authentication and fraud-reimbursement obligations similar to those introduced in the United Kingdom under the Payment Systems Regulator’s Contingent Reimbursement Model Code. [57605/25]

Paschal Donohoe (Dublin Central, Fine Gael)
Link to this: Individually | In context

The UK’s contingent reimbursement model came into effect in October 2024. The mandatory reimbursement rule in the UK requires financial institutions to reimburse victims of authorised push payment (APP) fraud for UK payments made via Faster Payments or CHAPS payment systems. APP Victims can be reimbursed up to £85,000. The costs for these reimbursements are shared equally between the sending and receiving Payment Service Providers (PSPs).

Payment Service Providers (PSPs) authorised in Ireland and PSPs that operate in Ireland under authorisations in other EU States are subject to the requirements of the Directive 2015/2366/EU on payment services (PSD2). PSD2 is a maximum harmonisation Directive hence Member States shall not maintain or introduce provisions other than those laid down in this directive.

PSPs must apply Strong Customer Authentication (SCA) when a payer: (i) accesses payment accounts online, (ii) initiates an electronic payment, or (iii) carries out any action through a remote channel. PSPs are liable for losses resulting from unauthorised payment fraud but liability for fraud where the payment is authorised via SCA is not provided for.

PSD2 will be repealed and replaced by the proposed Payment Services Regulation (PSR) and its accompanying Payment Services Directive (PSD3), which together aim to increase harmonisation in the area of European payments regulation, including in the areas of authorisation and fighting payment fraud. Both files are currently in Trilogue negotiation under the Danish Council Presidency.

Fighting and addressing fraud is a key element of the draft PSR proposed by the European Commission. This includes strengthening existing strong customer authentication (SCA) measures and the extension of Payment Service Provider (PSP) liability to cases in which the victim is manipulated into authorising a fraudulent payment by a fraudster impersonating their PSP. As well as incorrect application of the matching verification service (IBAN check), and failure to support the application of SCA.

The shifting of liability for such cases onto PSPs aims to incentivise PSPs to develop better solutions to mitigate instances of impersonation / authorised push payment (APP) fraud. This is a departure from the current Payment Services Directive (PSD2), under which PSPs are liable only for losses which are the result of unauthorised transactions.

Liability for impersonation fraud is being considered in the context of ongoing PSR negotiations.

When agreed, PSD3 and the PSR will build on the foundation of PSD2 and further harmonise the European payment services market. It will be important to have a harmonised, pan-European response to fraud to avoid loopholes and protect consumers across the European Union.

This is also a cross-sectoral issue and will need to be addressed through a number of initiatives, including financial literacy programmes, engagement from social media and tech companies, and cooperation between industry and regulators in order to protect and inform consumers.

In Ireland currently several steps to combat fraud are underway, in line with recommendations made by the National Payments Strategy. The BPFI has established a cross sectoral anti-fraud forum with representatives from online platforms, financial services providers, telecommunications services providers and their respective regulators (the Central Bank, ComReg and Coimisiún na Meán) participating. This anti-fraud forum aims to foster cross-sectoral cooperation in fraud prevention through information sharing, coordinated action, and alignment with legislative requirements.

The National Payments Strategy also actioned the Department of Justice, Home Affairs & Migration to work on legislation for a shared fraud database. I am informed by the Department of Justice, Home Affairs & Migration that work on this legislative project is underway.