On 17 January 2022, the European Banking Authority (EBA) issued a Discussion Paper setting out its preliminary observations on selected payment fraud data under the revised Payment Services Directive (PSD2), as reported by the industry during 2019 and 2020. The EBA sets out in the Discussion Paper its main findings related to three payment instruments: credit transfers, card-based payments and cash withdrawals. The preliminary patterns suggest that the regulatory requirements developed in relation to payment security are having the desired effect. In almost all instances, the share of fraudulent payments in the total payment volume and value is significantly lower for transactions that are authenticated with strong customer authentication (SCA) than those that are not.

Among other things the Discussion Paper notes:

  • In relation to the various types of fraud that have been reported, the issuance of a payment order by the fraudster is the most common fraud type for cards payment and cash withdrawals. This accounts for more than 90% of the volume and value of the fraudulent card transactions (reported by both issuers and acquirers) and cash withdrawals. This is so for all the types of payment, i.e. transactions authenticated with SCA and those authenticated without SCA as well as remote and non-remote transactions. By contrast, the modification of a payment order by the fraudster is a very infrequent fraud type, irrespective of the payment instrument.
  • Regarding remote card payments reported by issuers, the theft of card details is the most common event and represent 75% of the value of the fraudulent SCA payments and 60% of the value of the fraudulent non-SCA payments in H2 2020. This can be explained by fraud arising from social engineering such as phishing. In these instances, the authentication with SCA may not be effective in preventing such type of fraud.
  • For non-remote card payments reported by issuers, the lost or stolen cards are the most common fraudulent event and represent 45% of the value of the fraudulent payments authenticated with SCA and 46% of the value of payments that are not authenticated with SCA.
  • Counterfeit cards represent about 20% of the volume and value of the fraudulent non-remote payments (both authenticated with and without SCA).
  • Regarding cash withdrawals, the payments done via a lost and stolen cards are the main fraud type and represent 70% of the total volume of fraudulent cash withdrawals in H2 2020.

The deadline for comments on the Discussion Paper is 19 April 2022.