Under PSD2, all payment services providers, including credit card providers, money remitters and e-money issuers, account information service providers (AISP) and payment initiation service providers (PISP) are required to file reports in relation to confirmed fraudulent activity, known as the REP017 report.
The REP017 report provides the means for firms through Gabriel to provide the FCA with statistical data on fraud related to different means of payment which in turn is aggregated and shared with the European Banking Authority and European Central Bank.
The first submission for REP017 is scheduled for 31st January 2019 covering the period from the 13th January 2018 to 31st December 2018. For this period, the FCA have published an interim REP017 report to be completed.
This blog aims to give a high-level overview of who REP017 applies to, what transactions it captures and how the data on fraudulent transactions need to be categorised.
What transactions should be reported?
Under the current REP017 report for the 2018 period, firms are required to provide information relating to the top three with the highest fraud rate by value across the following payment types;
- BACS direct credit
- BACS single payment
- CHAPS credit transfer
- Faster payments (Including standing orders)
- SEPA credit transfer
- Inter-bank transfer payment
- BACS Direct debits
- Pre-paid card
- Credit card
- Charge card
- Debit card
- Cash card
Once firms have identified the top three payment types with the highest amount of fraud from the list above, firms then must submit the volume and value of total and fraudulent activity.
In addition, firms must identify the top three reasons for the fraudulent activity to have occurred, from the following fraud types;
- Manipulation of the payer to issue a payment order
- Issuance of a payment order by the fraudster
- Modification of a payment order by the fraudster
- Account takeover
- Lost and Stolen card fraud
- Card not Received fraud
- Counterfeit card fraud
- Theft of Card details
For a transaction to be considered fraudulent, it must have been executed, acquired or, where applicable, initiated by the payment service provider, and must fall into one of the following categories;
- an unauthorised payment transaction, including the loss, theft or misappropriation of sensitive payment data or a payment instrument, or;
- payment transactions made because of the payer being manipulated by the fraudster to issue a payment order.
If this criterion is fulfilled, then the payment transaction should be recorded as a fraudulent transaction for the purposes of this report irrespective of whether the PSP had primary liability to the user or if the fraudulent transaction would be reported as such by another PSP in the same payment chain.
As such, the report only considers where a fraudulent activity has occurred, where fraudulent activity has been attempted but stopped or is otherwise not successful, this would not constitute fraud activity for this report.
In summary, this initial REP017 is focused on high level understanding of the fraudulent activity that has occurred within 2018 reporting period. Firms should be proactive in ensuring that they have adequate systems in place to support the capture of this information, to the standards expected in the report.
Following this report, the REP017 reporting requirements will switch to a six-month reporting cycle with an increased level of information required on all fraudulent activity across all payment types applicable to your firm.
If you require any advice or guidance on the completion of REP017, please do not hesitate to contact me, or any of the team at fscom.