The data to be reported quarterly would be less detailed than what PSPs would be required to submit annually, according to the EBA's proposals. Small PSPs would only face an annual reporting duty.
The draft guidelines (60-page / 709KB PDF) specify what PSPs need to do to comply with high-level fraud reporting requirements set out in the revised EU Payment Services Directive (PSD2). PSD2 requires that PSPs report "statistical data on fraud relating to different means of payment" to national regulators at least annually. The regulators are obliged to share the data with the EBA and European Central Bank (ECB) in "an aggregated form".
The EBA has proposed that three types of fraud cases should be reported. These include "unauthorised payment transactions made, including as a result of the loss, theft or misappropriation of sensitive payment data or a payment instrument, whether detectable or not to the payer prior to a payment and whether or not caused by gross negligence of the payer or executed in the absence of consent by the payer".
In addition, cases where payment transactions have been "made and authorised by the payer that acted dishonestly or by misrepresentation, whether or not with intent to make a gain for himself or another, and that denies having authorised the payment transaction" would also have to be reported, as would "payment transactions made as a result of the payer being manipulated".
Only fraudulent payments that have actually been initiated and executed would need to be accounted for in PSPs' disclosures. Attempted fraud that fails would not need to be reported, the EBA said.
Under the plans, both gross and net fraud will need to be reported. The gross figure relates to the value of funds defrauded and the net fraud figure will account for cases where at least some of the losses have been recovered by the PSPs, including under insurance schemes.
Account information service providers would be exempt from the reporting requirements to avoid potential "double counting" of fraud cases, the EBA said. This is because the PSPs that execute the affected transactions are likely to record those instances themselves, it said.
Separate fraud data will need to be compiled for each of the payment services or instruments that PSPs operate. This includes e-money, money remittance and payment initiation services, as well as in respect of credit transfers, direct debit services, payment cards issuance and payment cards acquiring.
The EBA has also proposed that the data will need to be broken down into various categories. In many cases the breakdown will need to record the method of authentication used, the reason why that authentication mechanism was chosen, and the type of fraud perpetrated.
In addition, PSPs will be obliged to detail both the volume and value of fraudulent transactions recorded for each country within the European Economic Area (EEA) and, in aggregate form, for transactions involving non-EEA countries where at least one leg of the transaction is performed in the EEA.
The EBA said its proposed guidelines are designed to ensure the reporting requirements are "implemented consistently" across the EU. At the moment payment fraud data is "difficult to obtain, not reliable, and not comparable across member states", and this makes it difficult to build "an accurate picture of payment fraud in the EU, including the understanding of its size, components and development over time", it said.
"The guidelines proposed … are aimed at ensuring that comparable and reliable payment fraud data are reported to competent authorities across the EU and the EEA, which, in turn, will then send the aggregated data to the EBA and ECB," the EBA said. "This will contribute to assessing the effectiveness of applicable legal and regulatory requirements aimed at reducing payment fraud, identifying fraud trends and potential risks across the EU and the EEA, assessing and comparing fraud data between different payment instruments, and inform any future regulatory and/or supervisory change or action."
"The collection of fraud data should also enable payment service providers to better assess security incidents or emerging fraud trends and threats," it said.
The consultation is open until 3 November. The guidelines, when finalised, will apply from 13 January 2018, the same date by which PSD2 must take effect in national laws across the EU.