Preparing for PSD3: Proposed changes to SCA and APP fraud prevention
Banks and financial service institutions are continually bombarded with new types of banking and payment fraud, ranging from phishing scams and wire transfer fraud to authorized push payment (APP) fraud. Though PSD2 created a solid framework, the European Union is revisiting and adapting the directive to more effectively combat increasing banking scams. The result is a proposed package consisting of a revised directive (PSD3) and a new, directly applicable regulation on payment services (PSR); in this post we refer to the package as PSD3, and to the regulation, which carries the SCA and fraud provisions discussed here, as the PSR.
In our latest white paper, PSD3: Current status of SCA and authorised push payment fraud prevention requirements, we discuss the current state of this regulatory overhaul, focusing on upcoming proposed legislative changes in two key areas: strong customer authentication (SCA) for digital banking and payments, and the prevention of APP fraud.
Strong customer authentication (SCA)
In application since September 2019 under PSD2 and its regulatory technical standards, SCA requires users to prove their identity during a transaction with at least two independent elements drawn from the categories of knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). To simplify and improve the SCA process, the new PSR proposes the following:
- An updated definition of SCA. The two elements used to verify identity no longer need to belong to different categories, as long as they are independent of each other, so that compromising one does not compromise the other. An SCA mechanism built from two inherence elements (e.g., a fingerprint and a facial recognition scan) would therefore be allowed. The requirement that the mechanism generate a dynamic authentication code tied to the specific transaction remains, however, so it is unlikely that an SCA mechanism constructed from two knowledge elements, such as a password and a memorable answer, will be permitted.
- New accessibility requirements for SCA mechanisms. Payment service providers (PSPs) will be required to support various forms of SCA mechanisms in order to cater to the specific situation and needs of all their users. This includes ensuring that all users can perform SCA, including “persons with disabilities, older persons, persons with low digital skills, and those who do not have access to digital channels or a smartphone.” For example, if a user has no phone that can receive a one-time passcode by text message or display one in an app, the PSP can instead provide a hardware token that generates one-time passcodes, allowing the user to verify their identity.
- New requirements for PSPs to support various authentication methods. PSPs must support a variety of authentication methods, such as hardware tokens and smart cards, and provide SCA mechanisms free of charge. Currently, it is not uncommon for PSPs to have a mobile-only approach or to charge for their SCA mechanisms, so this change ensures that PSPs are supporting their entire customer base.
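The “dynamic authentication code” requirement is easy to misread as “any one-time code”. What the PSD2 RTS (Delegated Regulation (EU) 2018/389, Article 5) actually demands for remote payments is that the code be specific to the amount and the payee, so that a code obtained for one transfer cannot authorise a different one. The Python sketch below is an added illustration of that mechanism; it is not code from the white paper or from any PSP’s product. It assumes a possession element (a phone app or hardware token holding a per-device HMAC key provisioned at enrolment) unlocked by a knowledge element (a PIN that never leaves the device), and all keys, device names, amounts and IBANs in it are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Challenge:
    """What the PSP shows the payer and what the authentication code is bound to."""
    nonce: str        # one-time value issued by the PSP; makes the code single-use
    amount: str       # e.g. "EUR 149.99"
    payee_iban: str


def _truncate(mac: bytes) -> str:
    # Eight hex digits are short enough to retype from a hardware token display.
    return mac.hex()[:8]


class AuthDevice:
    """Possession element (app or hardware token) holding a per-device key.
    The PIN (knowledge element) only unlocks the key locally; it is never sent
    and is not mixed into the code, which keeps the two elements independent."""

    def __init__(self, device_key: bytes, pin: str) -> None:
        self._key = device_key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()

    def authenticate(self, challenge: Challenge, pin: str) -> str | None:
        supplied = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(supplied, self._pin_digest):
            return None  # wrong PIN: the device refuses to use the key
        # Dynamic linking: the MAC covers nonce, amount and payee together.
        msg = f"{challenge.nonce}|{challenge.amount}|{challenge.payee_iban}".encode()
        return _truncate(hmac.new(self._key, msg, hashlib.sha256).digest())


class PspServer:
    """Payer's PSP: issues challenges and checks codes against the transaction
    it recorded itself, not against whatever the client submits."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}
        self._pending: dict[str, Challenge] = {}

    def enrol_device(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)          # assumption: delivered over a secure provisioning channel
        self._device_keys[device_id] = key
        return key

    def start_payment(self, amount: str, payee_iban: str) -> Challenge:
        ch = Challenge(secrets.token_hex(8), amount, payee_iban)
        self._pending[ch.nonce] = ch
        return ch

    def verify(self, device_id: str, nonce: str, amount: str, payee_iban: str, code: str | None) -> bool:
        ch = self._pending.get(nonce)
        if ch is None or code is None or device_id not in self._device_keys:
            return False
        # A genuine code submitted with a tampered amount or payee must fail.
        if (amount, payee_iban) != (ch.amount, ch.payee_iban):
            return False
        msg = f"{ch.nonce}|{ch.amount}|{ch.payee_iban}".encode()
        expected = _truncate(hmac.new(self._device_keys[device_id], msg, hashlib.sha256).digest())
        if not hmac.compare_digest(expected, code):
            return False
        del self._pending[nonce]               # single use: a replayed code is rejected
        return True


def demo() -> dict[str, bool]:
    """Walk through one payment and the failure modes dynamic linking is meant to catch."""
    psp = PspServer()
    key = psp.enrol_device("dev-1")
    device = AuthDevice(key, pin="4921")
    ch = psp.start_payment("EUR 149.99", "DE89370400440532013000")   # constructed example IBAN
    code = device.authenticate(ch, "4921")
    results = {
        "wrong_pin_yields_no_code": device.authenticate(ch, "0000") is None,
        "tampered_amount_rejected": not psp.verify("dev-1", ch.nonce, "EUR 4999.00", ch.payee_iban, code),
        "tampered_payee_rejected": not psp.verify("dev-1", ch.nonce, ch.amount, "DE02120300000000202051", code),
        "genuine_accepted": psp.verify("dev-1", ch.nonce, ch.amount, ch.payee_iban, code),
    }
    results["replay_rejected"] = not psp.verify("dev-1", ch.nonce, ch.amount, ch.payee_iban, code)
    return results
```

Two knowledge elements cannot produce this: without a key held by something the user possesses, the server has no way to tell a code computed by the enrolled device from one computed by anyone who learned the user’s secrets. Note also that the server recomputes over its own record of the challenge rather than trusting the amount and payee in the request, which is what makes a man-in-the-browser edit after the user has confirmed detectable.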
Authorised push payment (APP) fraud prevention
Our digital world has made it easy for malicious individuals to impersonate the people and organisations we trust, such as banks, government agencies, or relatives. Fraudsters exploit that trust to manipulate victims into authorising payments to an account the fraudster controls; because the victim initiates the payment, this is known as authorised push payment (APP) fraud. In recent years, the volume of APP fraud has increased by about 10% each year, making it one of the most concerning types of digital payment fraud.
To help PSPs combat APP fraud, the PSR provides a list of countermeasures.
APP fraud countermeasures
- IBAN/name matching service: Before a credit transfer is executed, the payer’s PSP can ask the payee’s PSP to verify whether the payee name entered by the payer matches the holder of the international bank account number (IBAN) given, and to warn the payer of a mismatch. This targets social engineering in which the victim is told an account belongs to a trusted party. A similar service, called “confirmation of payee” or an IBAN-name check, already exists in countries such as the Netherlands and the United Kingdom.
- Liability for fraud: When fraud is committed, the entity liable to the victim depends on the conditions in which the fraud occurred. In some circumstances, the PSP is liable for fraud committed against their customer, while in others, the PSP can shift the liability to providers of electronic communications or digital services. As such, all providers involved in the fraud chain are required to put organizational and technical measures in place to prevent and mitigate payment fraud.
- Transaction monitoring: According to PSD2, PSPs are required to have transaction monitoring mechanisms in place to support the implementation of SCA and its exemptions. They also need to be able to detect and prevent potentially fraudulent payment transactions. With the updates in PSD3 (PSR), PSPs also have the right to block payments from going through if they have strong evidence that a fraudulent transaction is occurring.
- Fraud data sharing: Within the limits of the General Data Protection Regulation (GDPR), the PSR would give PSPs an explicit legal basis to share fraud-related information with other PSPs about payees who have received a payment believed to be fraudulent. This includes personal identifiers (names, personal ID numbers, organisation numbers), the fraudster’s modus operandi, and other transaction details. Sharing this information alerts PSPs to active scams and lets them take proactive steps, such as blocking or flagging further transfers to the reported account, to protect their customers.
- User education: PSPs are obligated to increase awareness of payment fraud among their customers and staff. This includes giving customers information on how to clearly identify fraud attempts, how to avoid falling victim to fraud attempts, and where to report fraudulent actions and obtain additional fraud-related information.
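The IBAN/name matching service described above is the countermeasure with the most engineering behind it, so here is an added Python example of the payee-PSP side of such a check. It is not code from the white paper or from any existing confirmation-of-payee scheme; it assumes a constructed account register (the two German IBANs are the standard public examples and belong to no real customer here), a name normalisation step of my own design, and a close-match threshold of 0.8 chosen for illustration.

```python
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher
from enum import Enum


class Outcome(Enum):
    MATCH = "match"
    CLOSE_MATCH = "close_match"
    NO_MATCH = "no_match"
    ACCOUNT_NOT_FOUND = "account_not_found"
    INVALID_IBAN = "invalid_iban"


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 structural check plus the mod-97 checksum. Rejects typos and
    made-up account numbers before any name lookup happens."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                               # country code and check digits go to the end
    numeric = "".join(str(int(c, 36)) for c in rearranged)  # letters map A=10 ... Z=35
    return int(numeric) % 97 == 1


_TITLES = {"MR", "MRS", "MS", "MX", "DR"}


def normalise_name(name: str) -> str:
    """Fold accents, case, punctuation and honorifics so that 'Müller-Lüdenscheidt, Dr.'
    and 'DR MULLER LUDENSCHEIDT' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^A-Z0-9 ]", " ", folded.upper())
    return " ".join(t for t in folded.split() if t not in _TITLES)


# Constructed sample of the payee PSP's account register (IBAN -> account holder).
ACCOUNT_REGISTER = {
    "DE89370400440532013000": "Anna Müller",
    "DE02120300000000202051": "Beispiel Handel GmbH",
}

CLOSE_MATCH_THRESHOLD = 0.8   # assumption: tuned per scheme in practice


def check_payee(iban: str, claimed_name: str,
                register: dict[str, str] = ACCOUNT_REGISTER) -> tuple[Outcome, str | None]:
    """Payee-side confirmation-of-payee logic. Returns the outcome and, only for a
    close match, the name actually on the account so the payer can decide. On
    NO_MATCH the real name is withheld: returning it would turn the service into
    an oracle for enumerating account holders from guessed IBANs."""
    if not iban_is_valid(iban):
        return Outcome.INVALID_IBAN, None
    actual = register.get(re.sub(r"\s+", "", iban).upper())
    if actual is None:
        return Outcome.ACCOUNT_NOT_FOUND, None
    claimed, on_file = normalise_name(claimed_name), normalise_name(actual)
    if claimed == on_file:
        return Outcome.MATCH, None
    if SequenceMatcher(None, claimed, on_file).ratio() >= CLOSE_MATCH_THRESHOLD:
        return Outcome.CLOSE_MATCH, actual
    return Outcome.NO_MATCH, None
```

The design choice worth noting is the asymmetry in what the response reveals: a close match returns the name on file because the payer needs it to spot a typo, but a clear mismatch returns nothing, since a fraudster who can freely query name-for-IBAN would use the service to make their own mule accounts look legitimate.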
A thorough review process
The European Parliament adopted its first-reading position on the PSR on April 23, 2024. Next, the Council of the European Union agrees its own position, after which trilogue negotiations (informal three-party meetings on legislative proposals) take place between the Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), Parliament, and Council. This process is expected to conclude in the first half of 2025.
PSD2 helped European financial institutions curb account takeover (ATO) fraud by introducing a pan-European requirement to deploy SCA. The upcoming PSD3/PSR package in turn aims to tackle APP fraud, which is now a much bigger concern than ATO fraud. In the coming years we will see whether the countermeasures proposed in PSD3 suffice.