Under PSD2, payment services providers across the EU are required to provide statistical data on fraud to their respective competent authority.
In the UK, relevant firms are required to collect and submit data on the volume and value of all payment transactions, as well as the volume and value of fraudulent transactions, and provide this to the FCA through Gabriel using the REP017 report; this information is in turn aggregated and shared with the European Banking Authority and the European Central Bank.
Back in January, we released a blog to provide an overview of the FCA’s interim REP017 report to cover the reporting period between 13 January to 31 December 2018. However, since then, the FCA has released an updated and much expanded REP017 report (with most PSPs being switched to a bi-annual reporting period).
As with our last one, this blog aims to give a high-level overview of who REP017 applies to, what transactions it captures and how the data on fraudulent transactions need to be categorised; we will also detail the key changes in approach since then.
Who does REP017 apply to and when should we report?
As before, all payment services providers – including credit card providers, money remitters and e-money issuers, account information service providers (AISPs) and payment initiation service providers (PISPs) – are required to file reports in relation to confirmed fraudulent activity.
Small payment institutions, account information service providers and small electronic money institutions are required to report annually – albeit, in respect of the two halves of the reporting year – whilst all other PSPs must report every six months.
The most recent reporting period relates to the time between 1st January to 30th June 2019, with the second reporting period covering the time between 1st July and 31st December 2019; the reports themselves must be submitted to the FCA within two months of the end of each reporting period, so the submission deadline for the first reporting period has been set at no later than 31st August 2019.
What should we report?
PSPs are required to collect and submit data on the volume and value of all payment transactions, as well as the volume and value of fraudulent transactions; this is a significant change from the interim REP017 report which required that PSPs confirm the three payment types with the highest fraud rate, before breaking each down to provide data on volume, value and the top three fraud types for each payment type.
REP017 requires PSPs to report on the following payment types:
- Credit transfers;
- Direct debits;
- Card payments (except cards with an e-money function only);
- Card payments acquired (except cards with an e-money function only);
- Cash withdrawals;
- Electronic money payment transactions;
- Money remittances; and
- Payment transactions initiated by PISPs.
The above is then broken down into potential fraud types; this ranges from the issuance of a payment order by a fraudster to the manipulation of the payer by a fraudster to issue a payment order for credit transfers, to unauthorised payment transactions for direct debits and lost/stolen card fraud for debit and credit cards.
Whilst there is guidance on each of the fraud types referred to within REP017 in the FCA Handbook (SUP 16 Annex 27F), it is ultimately up to each PSP to determine the appropriate fraud type for each transaction.
At its most basic level, however, a fraudulent transaction is any payment transaction that the PSP has executed, acquired or, in the case of a PISP, initiated, that fulfils the following criteria:
- an unauthorised payment transaction made, including as a result of the loss, theft or misappropriation of sensitive payment data or a payment instrument, whether detectable or not to the payer prior to a payment and whether or not caused by gross negligence of the payer or executed in the absence of consent by the payer (‘unauthorised payment transactions’); and
- payment transactions made as a result of the payer being manipulated by the fraudster to issue a payment order, or to give the instruction to do so to the payment service provider, in good faith, to a payment account it believes belongs to a legitimate payee (‘manipulation of the payer’) http://blog.fscom.co.uk/authorised-push-payments-and-the-voluntary-code.
Firstly, PSPs should only report payment transactions that have been executed (including those which have been initiated by a PISP). As such, prevented fraudulent transactions, that have been blocked before they are executed (due to suspected fraud), should not be included in REP017.
Also, the payer’s PSP should generally only submit data relating to its issuing (or initiating) capacity and first-party fraud – i.e. fraud committed by the payment service user – should not be reported.
Where there is more than one acquiring payment service provider involved, the provider that has the contractual relationship with the payer should report; notable exceptions to this are card payments, which should be reported by the payer’s PSP and the payee’s PSP, as well as direct debit transactions, which should be reported by the payee’s PSP.
Furthermore, per the finalised EBA Guidelines, a PSP can report “zero” where there were no transactions or fraudulent transactions taking place for a particular indicator in the reporting period established. Where a PSP cannot report data for a specific field because that it is not applicable PSP, this should be reported as ‘N/A’.
If you require any advice or guidance on the completion of the updated and expanded REP017, then please do not hesitate to contact me, or any of the team, at fscom.