Question ID
2018_4032
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
18
Type of submitter
Other
Subject matter
Criteria for the application of the transaction risk analysis (TRA) exemption – Fraud rate calculation methodology for the application of the TRA exemption
Question

Should ‘friendly’ frauds be included in the “total value of unauthorised or fraudulent remote transactions” considered for the calculation of the fraud rates for the application of the TRA exemption?

Background on the question

Under the Transaction Risk Analysis (TRA) exemption, PSPs may bypass SCA for remote transactions provided risk analysis is applied and the PSP’s fraud rates and transaction amounts are under certain thresholds (Article 18 of the RTS).

The formula to calculate the PSP’s fraud rate for the application of the TRA exemption is total value of unauthorized and fraudulent remote card transactions divided by the total value of all remote card transactions. 

The EBA draft Guidelines on Fraud Reporting under Article 96(6) PSD2 of August 2017 include in the definition of fraudulent transactions:

"[A]ll instances of payment fraud that occur in the payment market, including not only unauthorized payment transactions but also transactions where the payer was manipulated, or where the payer acted fraudulently” (paragraph 16, page 10). 

In its Opinion of June 13, 2018 on the implementation of the RTS, however, the EBA states that unauthorized transactions and “fraudulent transactions resulting from the manipulation of the payer” must be included in the calculation of fraud rates (point 46, page 10).  Thus, in its Opinion the EBA does not require that transactions “where the payer acted fraudulently”, i.e., ‘friendly’ frauds, are to be included in the calculation of fraud rates.

We therefore believe that ‘friendly’ frauds are excluded from the calculation of fraud rates.

If ‘friendly’ frauds were to be included, PSPs would be penalized for conducts that cannot be avoided through the use of SCA and that ultimately fall outside their control.

Submission date
Final publishing date
Final answer

Subject to the conditions set out in Article 18 of the Commission Delegated Regulation (EU) 2018/389, the Payment Service Provider (PSP) may choose not to apply strong customer authentication to remote electronic payments identified as posing a low fraud risk. One of the conditions, as set out in Article 18(2)(a) requires the fraud rate to be calculated in accordance with Article 19 of the Delegated Regulation, where Article 19(1) prescribes that ‘the overall fraud rate for each type of transaction shall be calculated as the total value of unauthorised or fraudulent transactions’.

The EBA clarified in paragraph 46 of the EBA Opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 [RTS on Strong customer authentication and secure communication] that fraudulent transactions include those resulting from the manipulation of the payer. Based on the question submitted, ‘friendly fraud’ is understood as fraud where the genuine payment instrument holder claims a fraud that has taken place on their payment instrument although they knowingly used their own payment instrument for the reported transactions. Such ‘friendly fraud’, also called ‘first party fraud’ shall not be included in the calculation of the fraud rate detailed in Article 19 of this Delegated Regulation.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.