PSD2 Review: Insights from the EBA Discussion Paper

The Second Payment Services Directive (PSD2) is the current set of guidelines that regulates payment services across the European Union and the European Economic Area. This directive is being regularly updated to suit the evolving technology and confront the emerging fraud methods. It is also continuously monitored to ensure its effectiveness.

The results of the most recent inspection became available on January 17, 2022. The European Banking Authority (EBA) shared a Discussion Paper with the public that sheds light on its preliminary observations of selected payment fraud data under the PSD2. Read ahead for the key takeaways from this document.

Analysis Overview

The payment fraud data covered by the EBA in this analysis was reported by the industry and aggregated by national authorities throughout the years 2019 and 2020.

The observations listed in the Discussion Paper are based on the preliminary patterns that were noticed when analyzing three payment instrument categories:

• Credit transfers
• Card-based payments
• Cash withdrawals

However, it’s important to note that some of those patterns are still inconclusive and require additional assessment from market stakeholders.

Thus, the Discussion Paper also contains questions that should be answered before April 19, 2022, in support of the research performed by the EBA, the European Central Bank (ECB), and national authorities. The responses received will help interpret the collected payment fraud data and further improve PSD2.

Key PSD2 Performance Trends Outlined in the Discussion Paper

According to the Discussion Paper, the current PSD2 performance trends are:

• The payment security regulations are demonstrating the desired effect.
• The share of fraud occurrences in the overall payment volume and value is substantially lower in transactions using the Strong Customer Authentication (SCA) compared to those conducted without it.
• Payment fraud is three times higher in cross-border transactions with the participating parties located outside the EEA than in those conducted within this area, regardless of the payment instruments used.
• Debit and credit cards remain to be the most used payment instruments and are subject to the highest fraud rates yet the lowest average fraud amounts registered.

These key takeaways lead to important conclusions that will become milestones in the improvement of payment security guidelines.

Conclusions Deriving from the EBA Discussion Paper

While the observations collected in the EBA Discussion paper are preliminary, it’s already possible to understand and forecast the direction of the payment security efforts in the foreseeable future:

One-Leg-Out Transactions

Further attention is most likely to be given to improving the security of cross-border transactions - payments with counterparts outside the EEA.

Non-Remote Card Payments

According to the findings, a lower fraud rate in transactions within the EEA has a correlation with the implementation of SCA, so, if confirmed to be effective, its presence is likely to be strengthened.

Remote Credit Transfers

As opposed to the previous observation, the fraud rate for SCA-authenticated payments in remote credit transfers is higher than in those without it. This topic will be further investigated, but the Discussion Paper points out some of the possible reasons for these figures:

• The low-value payments exempted from SCA are inherently less vulnerable to payment fraud than the transactions subject to it.
• Spoofing, which implies authorized push payments and transactions initiated by the account holders after being phished by fraudsters.

As indicated in the Discussion Paper, in such cases, SCA is not a sufficient fraud prevention measure. This draws up a perspective of reviewing this type of authentication or introducing additional security measures.

Payment Service Users

According to the information provided in the EBA Discussion Paper, in the second half of 2020, PSUs bore 68 percent of fraud losses from fraudulent credit transfers.

This pattern is conflicting with Article 73 of the PSD2, which states that payment service providers should be primarily liable for unauthorized transactions unless the user was caught on fraudulent activity. Besides, the share of the losses borne by the PSUs varies from one EEA country to another.

The Discussion Paper states that such distinctions may be driven by the fact that the PSD2 has been transposed differently across the EU Member States. This makes it possible to suppose that the Third Payment Services Directive (PSD3) would result in the European legislative initiative being applied directly at a national level, avoiding transposition, and taking the form of a Payment Services Regulation (PSR1).

PSD2 Evolution - What to Expect?

The EBA Discussion Paper has raised important questions regarding the evolution of the PSD2 regulations. Due to the fact that there is a large amount of data to be processed, a lot of stakeholder opinions to be collected, and a variety of payment industry factors to be taken into account, it is yet unclear what exactly the future of the Payment Services Directive will be.

However, with the help of the key trends listed above and by following the updates released by official entities, merchants and PSPs can stay aware of the current situation in the payment industry and be prepared for any upcoming changes.