Close Menu
Thursday, March 13
Advertisement
Financial Crime

EU/EEA Payment Fraud – The Good the Bad and the Ugly

Emmanuel UdoyeBy Updated:No Comments10 Mins Read

Two Reports have been published recently on Payment Fraud across the EU/EEA with data for 29 countries from the ECB & EBA. They provide key insights and also can be used to compare where EU/EEA countries are compared with some other important third countries, like Australia, the UK & USA. 

They also help provide estimates as to which countries can be considered payment fraud hotspots and to suggest what action can be taken to improve the response including mandatory fraud information sharing. 

Both these reports show the importance of identifying, collecting, analysing and reporting on relevant data for probably the most common and over the last decade the fastest growing financial crime, which allows for evidence led judgements and necessary targeted recommendations and actions from policy makers and for those in the private sector tackling payment fraud.

1. Report on Payment Fraud by ECB & EBA – 2024

In a 1st August, 2024 Report on Payment Fraud published by the European Central Bank (ECB) and European Banking Authority (EBA), data from 2022 and 1H2023 has been assessed and makes very interesting reading covering 29 EEA countries.  For 2022 payment fraud was reported at €4.3 billion (US$4.7 billion) and €2 billion (US$2.2 billion) for 1H 2023, with an overall “stable” rating given, with some improvements (losses falling for account payments and slightly increasing from cards. 

For 1H 2023 data from the report reveals as follows:

  • Of the €2 billion in losses almost 90% come from payments from accounts (€1.131 billion or 57%) and by payments from cards (€633 million or 32%), with the remaining 11% by payments via direct debits, cash withdrawals and by e money.
  • 10.1 million payment fraud transactions generated the €2 billion in losses, mostly from payments from cards (7.31 million fraudulent card transactions or 70%), followed by 15% from direct debits (albeit footnotes indicates overinflated data to be corrected) and 6% from accounts, followed by e money and cash withdrawals. These translate into volumes of fraudulent transactions at 150 per million in volume for payments from cards, followed by 140 from direct debits, 120 from e money, 50 from cash withdrawals and 30 from accounts.
  • The highest fraud rates were for payments from cards at 0.031% for value and volume rates for cards at 0.015%, followed by e money (value 0.022% and volume 0.012%). These translate into losses of €310 per €1 million in value for payments from cards, followed by €220 from e money, €80 from cash withdrawals, €20 from direct debits and €10 from accounts.
  • Of the approximately €2billion in losses, customers bore the majority of the losses representing €1.35 billion or 68% of the total losses. Losses absorbed were distributed 45% for users and 51% for providers from card payments and cash withdrawals, whereas users bore more than 80% of the losses from payments from accounts. Loss values, rates and distribution of liability for losses varies considerably across the EU Member States which may be a result of the different levels of implementation of security requirements and the lack of common liability frameworks.
  • Whilst most payments were domestic most card payment fraud by value – 71%, were cross border with 28% paid outside the EEA. Also a large part of account payment fraud (43%) were paid out cross border. Interestingly, whilst the value amounts of fraudulent payments made from EEA cards was €633 million, the amount received from fraud payments from cards into the EEA was higher at €826 million.
  • Whilst there is no overall ranking of countries as to overall fraud loss rates, there is available country by country information provided which, albeit new and of varying data quality (see more in Notes below) can be used to highlight differences, that may be of interest. Whilst absolute numbers are included these are not as useful as large countries are obviously going to experience more fraud losses than smaller countries. The data tries to account for this by providing relative comparisons by losses as against payment values and volumes. Countries that have highest fraud losses by value relative to others are: For fraud from payments from accounts: Malta, followed by Greece, Lithuania, Bulgaria, then Slovenia, Estonia, Latvia & Belgium; and For fraud from card payments: Iceland, followed by France, Luxembourg, Lithuania, & then Malta, Hungary & Belgium.

AND by taking the available country data on loss values and by applying these values to GDP size and population size, we can see further significant differences. for example:

  • Whilst France has by far the largest absolute loss amounts, followed by the Netherlands, Germany, Belgium & Spain, when considered as far as GDP is concerned, it is Liechtenstein followed by Luxembourg, Lithuania, the Netherlands & Iceland and by losses by population, it is Liechtenstein, Luxembourg,, the Netherlands, Iceland, Ireland & Lithuania with the highest levels.

Comparing these 29 EU/EEA countries to a few third countries such as Australia, the UK & the USA, all 3 of these would join a cumulative top 5 for absolute amounts with the USA top followed by the UK, France, Australia & Germany, AND the UK and Australia would be included in a combined top 5 for payment fraud losses compared to GDP, AND Australia would be included in a combined top 5 for payment fraud losses compared to population size.

For more details see the Chart below. This is available HERE: EEA Payment Fraud Metrics pbd

Notes on Chart above:

  1. The EU/EEA data comes from Table 1 in Chapter 7 (Absolute and Relative levels of Payment fraud in value H1 2023, value in €) in the first report above. 
  2. As this is the first report of its kind, the quality of data reported to the EBA/ECB is of concern to these bodies and will be expected to improve as the EBA/ECB work with National Authorities to enhance the data quality for future editions of the report, including, where possible to retrospective corrections of data that the EBA/ECB have already received. This data should therefore be considered in this context.
  3. However the data in Tables 1 & 2 (see below) has been provided by the EBA/ECB to accommodate the interests of stakeholders to show some country specific insights into payments fraud.
  4. In the chart above the available loss data by absolute value from Table 1 is mapped to each Country’s GDP and Population size to generate additional comparative metrics.
  5. Additional data has been sourced for Australia, the UK & the USA to provide additional comparative data to measure EU/EEA countries with third countries where this data is available. Only specific reported payment loss data is included for these purposes and not overall reported fraud loss figures.
  6. As can be sen from Tables 1 & 2 below country fraud loss rates in values and volumes are correlated against the value and volume of payments including payment types.

See: Payment Fraud Report by EBA/ECB 2024, HERE

Whilst this report doesn’t make recommendations for action, a report published by the EBA in April 2024 focussed on assessing available payment fraud data (as seen now from the above released data) and offered an assessment of this data but if not more important what could be done to respond. 

2. EBA Opinion on new types of payment fraud and possible mitigants 2024

The EBA  “Opinion” on what could be done to improve things, was published on the 29th April 2024 focussing on “new types of payment fraud and possible mitigants” assessing 2022 fraud date available at the end of 2023.

A key point made by the EBA was that the mandatory application of Strong Customer Authentication (SCA) had been successful in preventing fraud based on the stealing of customer credentials, “but that fraudsters have managed to adapt their techniques, giving risk to fraud types of a more complex nature, in particular leveraging on social engineering” in other words switching from so called unauthorised to authorised frauds through the use of manipulation. 

The EBA also highlight particular use by fraudsters of:

  • instant payments to move illicit proceeds without delay
  • cross border payments to put funds beyond country action, and 
  • payments that are not subject to SCA

Manipulation frauds (so called authorisation frauds) include impersonation scams BEC/CEO scams, using social engineering, and frauds that combine technology and manipulation such as phishing or malware and social engineering and account takeover through access to second factor information with stolen credentials.

The EBA welcomed existing underway actions including mandatory IBAN/name checks and enhanced transaction monitoring and educational initiatives to raise awareness and noted the work at the EU level to consider how telco and internet service providers, social media companies etc should also be made responsible for tackling fraud. this is an urgent task that needs addressing as far too many payment frauds are facilitated by telco and technology / social media companies.

Over and above this the EBA make 5 specific additional recommendations.

1 – Reinforce security requirements for payment service providers including real time transaction monitoring and or screening for potentially fraudulent transactions. The EBA also recommend sharing fraud related information (see 5 below for more details). 

2 – PSPs to put in place a fraud risk management framework on top of mandatory security requirements.

3 – The need for amended liability rules recognising non authorised and authorised as well as clarification of the term “gross negligence” to clarify loss responsibilities.

4 – Strengthening and harmonising “supervision” of fraud management leveraging fraud data to assess rates and anomalies and to compare and contrast and to drive improved anti fraud frameworks in the regulated sectors.

5 – Establishing a single EU wide platform for information sharing to prevent and detect potentially fraudulent payment transactions with appropriate security requirements. The recommendation is that PSPs would maintain and run the platform which would be available to all PSPs. Security protocols would be expected including using homomorphic encryption and requiring a list of contact points at all PSPs. The EBA believes that:

  • all PSPs be required to “share fraud related data”, including of the payee and related information on the suspected fraudsters with each other.
  • For high risk transaction even instant payment (potentially fraudulent) a PSP should be able to refuse to execute the transaction with proper notification to the customer and then should investigate the case.

Final Remarks

As stated above, both these reports show the importance of identifying, collecting, analysing and reporting on relevant data for probably the most common and over the last decade the fastest growing financial crime. Despite the questions over data quality which will improve with the next data sets as countries establish more effective reporting requirements, this data nevertheless allows for evidence led judgements and necessary targeted recommendations and actions from policy makers and for those in the private sector tackling payment fraud.

Whilst the second report above by the EBA pre dates the first report above by the ECB and the EBA, the recommendations in the second report remain ones that should be actively considered- These recommendations target areas where more work is needed but they are still broad brush and EU/EEA policy makers should consult the anti fraud ecosystem to finalise appropriate proposals, which take into account their knowledge and experiences too. 

These reports, commentary and recommendations are likely to have real relevance also to third countries tackling payment frauds also.

Credit: thefinancialcrimenews.com

Share.

Related Posts

Add A Comment
Leave A Reply