PSD2 Fraud Reporting in the UK
Article 96(6) of EU Directive 2015/2366, known as the Payment Services Directive 2 (hereinafter PSD2), requires payment service providers (PSPs) in the EU to provide statistical data on fraud to their national regulatory authority. The European Banking Authority further provides guidelines on the reporting requirements of PSPs (EBA Guidelines on fraud reporting under the PSD2, as amended in 2020).
This article details the requirements of PSD2 Fraud Reporting in the UK according to UK law (PSRs 2017 Regulation 109(4)) and regulatory guidelines (16 Annex 27ED (REP017 Payments Fraud Report), SUP 16 Annex 27F (Notes on completing REP017 Payments Fraud Report)).
What is a fraudulent transaction?
A fraudulent transaction, as per the FCA Handbook, is any payment transaction that the PSP has executed, acquired, or initiated and that the PSP considers to fall into one of two categories: unauthorised payment transactions resulting from loss, theft or misappropriation of sensitive payment data, or payment transactions carried out as a result of manipulation by the fraudster.
Who should report and what should be reported for PSD2 Fraud Report in the UK?
In the UK, PSPs are required to collect and submit data not only on the volume and value of all payment transactions but also on the volume and value of fraudulent transactions. The data must be collated in order to identify the parties that were affected and remedy any issues should they arise.
PSPs should only report payment transactions that have already been executed so as to prevent fraudulent transactions that have already been blocked from being included in the report, thereby ensuring more accurate information. It is important to note that the PSP should not report fraudulent transactions that have been committed by the payment service user.
This data, filled out on the REP017, is reported through Gabriel to the Financial Conduct Authority (FCA). The PSPs that need to complete the REP017 are credit card providers, money remitters and e-money issuers (EMIs), account information service providers, payment institutions (PIs), and payment initiation service providers.
Through the PSD2-mandated fraud reporting, the FCA can understand whether PSPs have in place appropriate controls and systems for adequately protecting users against fraud and financial crime, and can understand the security risks faced by the industry.
Which types of fraud are covered?
REP017 covers fraudulent transactions in relation to:
- Credit transfers, i.e. issuance of a payment order by the fraudster, modification of a payment order and manipulation of the payer by the fraudster;
- Direct debits, i.e. unauthorised payment transactions, and manipulation of the payer to consent to direct debit by the fraudster;
- Debit and credit cards, i.e. issuance of a payment order by a fraudster from a lost, stolen, counterfeit or not received card;
- Cash withdrawals, i.e. any unauthorised withdrawals at ATMs, bank counters and through retailers by the fraudster;
- E-money transactions;
- Money remittance and payment initiation services.
The FCA then shares the aggregated data reported by the firms with the European Central Bank and the European Banking Authority. The EBA has published guidelines as to how Member States should implement the PSD2 fraud reporting requirements. As per these guidelines, PSPs can also report “zero” if no transactions or no fraudulent transactions took place during the completed reporting period.
How often should PSPs carry out PSD2 Fraud Reporting?
Small PIs, registered account information service providers and small EMIs have to report once per year. Nevertheless, these PSPs have to provide separate Payment Fraud Reports for each half of the year. All other PSPs have to report every six months.
How can PSP Lab help you?
Besides the purely informational purpose of the PSD2 Fraud Reporting regime, these requirements also serve to assess the internal and external controls and systems PSPs have in place for detecting fraud. PSP Lab can assist you in drafting a robust Statistical Data Policy that makes the process of collecting the data and aggregating it for reporting much easier and more straightforward. We can guarantee that our rich experience in the Fintech consulting realm will help you as you seek to provide payment services or maintain your status as an EMI or PI. Should you have any queries, please do not hesitate to contact us.