Proposed European payments regulation aims to crack down on online fraud. Who should pay?
The caller ID on the messaging app displayed the name of a bank, requesting a transfer of money to pay for a purchase. Once the money was sent, the messenger and the funds were gone. Known as spoofing, impersonation fraud, or approval push payment fraud, this scam involves hackers masking their identity as a trusted source to trick consumers by stealing their credentials.
European policymakers are determined to tackle this identity theft threat: in the new Payment Services Regulation, MEPs have argued that messaging services such as WhatsApp, digital platforms such as Facebook, and marketplaces such as Amazon and eBay can be held liable for fraud that occurs on their platforms, just like banks and other payment service providers.
Online payment fraud is a real and emerging global problem. Total losses are expected to reach $362 billion between 2024 and 2028. Transatlantic allies are divided on how to tackle the problem: the US leans on technology, particularly artificial intelligence, while the European Union pushes for regulation. But despite the general perception that strict EU rules stifle innovation and that the market is handicapped by fragmentation, the payments sector shows how regulation can help.
In previous versions of the European Payments Regulation, the EU introduced dual authentication, requiring users to present two forms of identification to make a transaction. Buyers couldn't just present their credit card online; they had to “verify” their purchase by pulling out a card reader and entering a detailed code sent to them by their bank.
Online retailers protested. When forced to authenticate a second time, a large proportion of buyers abandoned their purchases. Retailers argued that the second check was unnecessary. They argued that automated fraud checks, which use algorithms to detect risky transactions, were just as effective. They pointed to the experience of the US, where fraud levels in online purchases are comparable to those in the EU, as evidence.
Proponents argued that far from stifling innovation in Europe, these strong rules would bring welcome legal certainty. They would force companies to invent new ways to minimize friction, and they have indeed spawned mobile phone apps that make dual authentication easier. Most European banks now offer facial recognition on their mobile phone apps to provide a second layer of authentication. The use of biometric authentication, such as fingerprints, iris scans and facial recognition, is expected to grow 47 percent over the next five years, providing a secure way to verify your identity online.
Fraud levels have fallen, demonstrating the benefits of these regulations. Banks and payment service providers agreed that the path forward requires continued innovation in strong anti-fraud measures. New European regulations propose that banks refund the full amount of fraud to consumers. The UK has already legislated a similar refund model. Singapore also has an advanced model, and other regions are considering similar measures.
EU regulators have provided flexibility where necessary. Financial market authorities in European countries have set up regulatory sandboxes to allow fintech companies to innovate without being tied down by regulatory hurdles. As of October 2023, there were 14 regulatory sandboxes in 12 European countries.
It's no exaggeration to say that Europe leads the world in financial innovation. The European fintech market is worth an estimated $3.6 billion, twice as much as any other tech sector on the continent. Online banks such as Revolut and N26, and payment providers such as Adyen, are growing rapidly.
A new European payment regulation is currently being negotiated in Brussels. Large US technology companies and messaging apps are working to reduce their liability risks. They argue that banks should be held liable, not them. In case of identity and impersonation fraud, the fraudulent transactions occur on the bank service portal, not on the platform. Therefore, the banks themselves must either tighten their security measures or pay the price.
Banks, naturally, are opposed to this: they have no control over the entry points fraudsters use to reach consumers (phone, messaging apps, online ads, the dark web, etc.). Shouldn't communications network operators, messaging and other digital platforms also have a duty to prevent fraudsters from reaching consumers? And should they be held liable when they fail to do so?
The legislative process in Brussels is long and cumbersome. It may take another year or more before a decision is made. A compromise is expected. Telecommunications operators, messaging services and other online platforms will be forced to cooperate with banks and other payment service providers to combat identity theft. Since EU regulations often become global standards, this new division of responsibilities could be the next example of the much-touted Brussels Effect.
Padraig Nolan is the Chief Executive Officer of ETPPA, the EU's leading Fintech Association, and is also an Advisory Board member of the Lisbon-based Europe Startup Nations Alliance. Padraig holds a Bachelor's degree in Law and Economics (University of Galway) and a Master's degree in European Law (University of Utrecht).
Bandwidth is CEPA's online journal dedicated to promoting transatlantic cooperation on technology policy. All opinions are those of the authors and do not necessarily represent the position or views of the institutions they represent or of the Centre for European Policy Analysis.