Technical Notes

A model for allocation of responsibility between Payment Service Provider (PSP) and Payment Services User (PSU) in case of payment fraud scams

In light of the recent rise in complaints received regarding various forms of payment fraud, such as smishing and spoofing scams, the Office of the Arbiter for Financial Services believes it prudent to provide clarity on how responsibility will be allocated between Payment Service Providers (PSPs, or the banks), and Payment Service Users (PSUs, or bank customers) in these unfortunate cases.

The model below outlines the criteria and weightings that will be used to determine if PSU gross negligence can be proven by the PSP, which is required to deny full reimbursement under PSD2 (the Payment Services Directive). The aim is to ensure fairness, consistency, transparency and objectivity to the complaints process for all parties involved. We urge PSPs to study this model closely, as it will shape the Arbiter’s decisions on the numerous fraud scam cases that continue to emerge.

Fair and evidence-based allocation of responsibility is in everyone’s interest. In fact, we would encourage PSPs to adopt this model not only for current and future complaints that they receive, but also to revisit cases from at least the last few months that such PSPs have encountered directly. It is recommended to apply the model also to PSP customers who did not raise a formal complaint with the bank but the latter is aware or should have been aware that its customer is likely to have suffered financial detriment as a result of a scam. Proactive application of this framework and re-evaluating any previous offers made, could pre-empt unnecessary escalation of complaints and build goodwill through reasonable reimbursements where warranted.

At the end, we also outline a number of recommendations that PSPs are encouraged to take to enhance consumer protection and trust when payment services offered by the local banking sector are used.

Some key terms

PSP or Payment Services Provider: This can be a bank or any other financial institutions that offers payment services to customers. This document applies to all those service providers that are licensed by the MFSA, the financial regulator in Malta.

PSU or Payment Services User: This refers to any customer that receives payment services from a PSP.

PSD2 or Payment Services Directive: Directive (EU) 2015/2366 on payment services in the internal market. This Directive is commonly referred to as PSD2 for it follows another directive also issued by the EU on the same subject.

Introduction

PSD2 is meant to safeguard the PSU from having responsibility for payments which are not properly authorised.

PSD2 was transposed into the Laws of Malta and adopted by the Payments Regulator, the Central Bank of Malta, by means of Directive No. 1 – The provision and use of payment services (CBM 01/2018) which states that “This Directive is modelled on the requisites of the Directive (EU) 2015/2366”.  

Preamble 72 of the PSD2 is of particular relevance to the study of allocating responsibility for fraud scam payments which are unauthorised between the PSP and the PSU. This preamble states:

“In order to assess possible negligence or gross negligence on the part of the payment service user, account should be taken of all of the circumstances. The evidence and degree of alleged negligence should generally be evaluated according to national law. However, while the concept of negligence implies a breach of a duty of care, gross negligence should mean more than mere negligence, involving conduct exhibiting a significant degree of carelessness; for example, keeping the credentials used to authorise a payment transaction beside the payment instrument in a format that is open and easily detectable by third parties. Contractual terms and conditions relating to the provision and use of a payment instrument, the effect of which would be to increase the burden of proof on the consumer or to reduce the burden of proof on the issuer should be considered to be null and void. Moreover, in specific situations and in particular where the payment instrument is not present at the point of sale, such as in the case of online payments, it is appropriate that the payment service provider be required to provide evidence of alleged negligence since the payer’s means to do so are very limited in such cases.”

This preamble establishes important principles in considering the said allocation of responsibility:

1. For the PSU to be responsible (s)he should not only be ordinarily negligent; PSU has to be gross negligent.
2. The onus of proof of gross negligence by the PSU falls on the PSP.
3. Any different provision (e.g., that makes PSU responsible for unauthorised payments in the absence of gross negligence) in the terms of business between the parties, shall be null and void.

In terms of preamble 71 of the said PSD2, the PSU shall be responsible for payment of any unauthorised payment transaction only up to a limit of €50, unless the PSU has acted fraudulently or with gross negligence.

Gross negligence is not specifically defined in PSD2, and each case would have its own merits to determine whether the PSU has contributed to the loss through gross negligence.  Most complaints filed with the Arbiter related to fraud payment scams are between PSPs that attribute gross negligence to PSUs, and PSUs denying such gross negligence.

The preamble in PSD2 gives only one example of gross negligence (where the device and the authenticating codes are kept together and negligently made available to fraudsters), but fraud has become much more sophisticated than was the case when PSD2 was promulgated. Determining the presence or absence of gross negligence has become much more challenging as the circumstances of each scam tend to follow the same pattern but differ in important peculiarities.

The Arbiter strongly maintains that the choice between ordinary negligence and gross negligence is not binary.  It is not the case that ordinary negligence means no responsibility whatsoever for the PSU whereas gross negligence means 100% responsibility. Between ordinary negligence and gross negligence there exist a spread of different shades of grey where it would be necessary to allocate responsibility between the PSU and PSP depending on the particular circumstances of each case. The Arbiter would suggest in fact that cases of zero responsibility or full responsibility to either party should be the exception rather than the rule. Preamble 73 of the PSD2 gives a strong nod to the concept of allocation of responsibility between the parties depending on whether the PSU is a consumer or a non-consumer (i.e. a business client).  Such concept of allocation of responsibility should apply also in other aspects of the particular transaction.

It is important that PSPs understand that there is a difference between authentication and authorisation of payments.  The general approach taken by PSPs is that once a payment is authenticated than it is automatically authorised through the gross negligence of the PSU.  This is not the case, and one needs to keep separate the concepts of authentication and authorisation.

The first general consent when signing up for a new service is not enough to authorize a payment transaction.  The consent of the PSU is required every time a payment transaction is executed.  Thus, it is clear that the PSU must express consent not only to the master contract agreed with the PSP but also at every single payment given to the PSP.  Many PSPs outline in the terms and conditions of their framework contract that consent is provided when strong customer authentication (SCA) is applied.

SCA is an authentication process that validates the identity of the PSU or of the payment service.   More specifically, the SCA indicates whether the use of the payment instrument is authorised. SCA is based on the use of at least two elements of the following three categories:

• Knowledge, being something only the PSU knows (such as PIN or password);
• Possession, being something only the PSU possesses (such as a credit card or a registered device); u
• Inherence, being something which the PSU is (such as the use of fingerprint or voice recognition).

Given the control systems operated by Banks through two factor authentication (except for small payments below €50) it seems a given that payments can only be affected after being properly authenticated. However, the journey from authentication to authorisation, in case of fraud payments, requires proof by the PSP that the PSU has been grossly negligent in making available to the fraudsters the payment access credentials given by the PSP as part of their terms of business relationship.  The Arbiter maintains there is no automaticity that once a fraud payment is authenticated then it is also authorised by the PSU.  In fact, there may be evident circumstances when the degree of gross negligence by the PSU is diminished, if not totally eliminated. One has to bear in mind the provisions of preamble 71 of PSD2 which states that “there should be no liability where the payer (PSU) is not in a position to become aware of the loss, theft or misappropriation of the payment instrument”.  Fraudsters are indeed getting more sophisticated in making their devious schemes hard to distinguish from innocent reality.

This raises issues on how the Arbiter is to determine the allocation of responsibility between the PSP and the PSU.  In order to avoid, or at least reduce, the perception of subjectivity and inconsistency in the awards for compensation in cases of payments fraud, the Arbiter wishes to publish a model explaining the criteria, and their respective weightings, used in determining the allocation of responsibility between the PSP and the PSU.

For this purpose the Arbiter will be adopting the following model for allocation of responsibility between the PSP and the PSU in case of fraud payments scams complaints.

The Model

This model will have general application but Arbiter will be at liberty to depart from it in specific cases which require particular appreciation. However, the Arbiter will justify such departures from the model with proper explanations in his decisions, where applicable.

Notes to the table above

Note 1: Often scammers use tactics of smishing which enable them to illegally pose as genuine communications from the PSP using their normal channel of communications including SMS, emails and phone. Even though the PSP may have no technical control to prohibit such illegalities, the PSU cannot be totally faulted for assuming it is a genuine communication. A lot depends on the effectiveness of the general educational and warnings dissemination adopted by PSP to warn their customers to beware such schemes with clear explanation of what and what not to do in the circumstances.

Note 2: Sometimes PSU go beyond simple disclosure of their security credentials, and even actively participate by going along filling payment details which should raise their awareness to the fraudulent nature of the scheme. In such case the PSU will carry a higher dose of gross negligence.

Note 3: Special circumstances could include cases where customer is having other dealings going on with the PSP which make the fraudulent request for re-authentication less suspicious.

Note 4: PSPs are obliged to have effective monitoring systems of payments to protect their PSUs from payments frauds. Commission Delegated regulation (EU) 2018/389 of 27 November 2017 establishes regulatory technical standards for strong customer authentication and common and secure open standards of communication supplementing Directive (EU) 2015/2366.   

It states in article 2(1) that:

“Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorized and fraudulent payment transactions … those mechanisms shall be based on the analyses of payment transactions taking into account elements which are typical of the payment service in the circumstances of a normal use of the personalised security credentials.”

Article 2(2) states that the following risk-based factors have to be included in the transaction monitoring mechanisms:

• Lists of compromised or stolen authentication elements;
• The amount of each payment transaction;
• Known fraud scenarios in the provision of payment services;
• Signs of malware infection in any sessions of the authentication procedures;
• In case the access device or the software is provided by the payment service provider, a log of the use of the access or the software provided to the payment service user and the abnormal use of the access device or the software.

It was clarified that the obligation for monitoring payments mechanisms need not be ‘real time risk monitoring’ and is usually carried out ‘after’ the execution of the payment transaction. How much after has not been defined but obviously for any real value of such mechanisms the space between real time payment and effective monitoring must not be long after.

Further article 68(2) of PSD2 authorises a PSP to block payments:

“If agreed in the framework contract, the payment service provider may reserve the right to block the payment instrument for objectively justified reasons relating to the security of the payment instrument, the suspicion of unauthorised or fraudulent use of the payment instrument or, in the case of a payment instrument with a credit line, a significantly increased risk that the payer may be unable to fulfil its liability to pay.”

If PSU never made such online payment in the 12 months before the fraud event, or if the payment is of a value untypical of ordinary experience of the PSU, consideration is given to increasing allocation to PSP for failure to adopt effective payments monitoring mechanisms.

Practical applications of the model

PSU receives an SMS on the normal channel used by the PSP to communicate with him/her informing him/her to press a link in order to validate their account.  Although the PSP regularly informs through general and social media that PSU should only communicate with bank through their APP or internet banking access and should never click on links sent via email or SMS, the PSU through negligence falls for it and presses the link which seems to give him access to the normal PSP web pages that raise no suspicion of the fraud.

The fraudsters, knowing they have the PSU on hook, convinces him/her to disclose their credentials and proceed to effect payment to their own IBAN account in, say, Lithuania, changing its terms to instant/priority payment, and putting a fake beneficiary name with a Malta address (SEPA system is guided only by IBAN number and make no dynamic linking to beneficiary name).

Moments after the PSU receives notification from the PSP that a payment was made from his/her account which the PSU believes he/she has not authorised, and for the first time he/she realise that he/she has been scammed.

Immediate report to the PSP is too late to stop the payment which was affected immediately, and a recall request proves unsuccessful.

In such a case in the first instance the loss gets allocated 50:50.

If there is evidence that that the PSU actually participated in the transactions by executing instructions from the fraudsters beyond disclosure of the two-factor authentication (e.g. filling the amount and last digits of beneficiary account through information obtained from the App) than the gross negligence shifts by 30% from the PSP to the PSU to become 20:80.

This is a test which takes into account the robustness of the PSPs payment security systems.   Robust systems should withstand fraudulent attempts to authorise specific payments transaction, unless the PSU negligently co-operates with the fraudster beyond disclosure of security credentials and negligently co-operates with the fraudster to authorise the specific payment.    If systems are not robust enough and permit a fraudster to penetrate them and authorise even without the active participation of the PSU at the level of transaction payment authority, then the PSP has to bear responsibility.

If there is evidence that PSP had in the previous three months sent direct communication (not only communication through website of general/social media) to PSU to beware such fraud schemes, then the gross negligence shifts by a further 20% from PSP to PSU.  This emphasises the importance of using direct warning channels to PSUs when the PSP gets sensitive to fraud schemes being laid out to trap PSUs. In such a case the allocation would become 0:100.

If the direct communication would have been made more than three months before but in the last six months, then the shift will be 10% so the allocation would be 10:90.  If the communication would have been older than six months no shift will be executed, and responsibility stays 20:80 always assuming active participation in the fraud transaction through gross negligence. Failing active participation (i.e. if PSU only fails by exposing the secret credentials) than the responsibility would remain 50:50 if the direct notification is older than six months.

If the fraudulent transaction happens at a time when the PSU is having dealings or negotiation with PSP on some other service which makes the fraudulent request for authentication less suspicious, this will be considered with a shift of responsibility of 20%. It may also include circumstances where PSU is making unusual use of payments, e.g. whilst travelling, which makes the fraudulent request for re-authentication less suspicious.

A further 20% similar shift will occur if PSU has never affected similar genuine online transfers in the previous 12 months, or the payment amount is way out of line of the normal account experience of the PSU, given that bank’s monitoring system should be made sensitive to such abnormal events and seek validation directly from PSU before proceeding with payment.

Practical example 1

Ms AB was hit by a scam SMS while she was travelling overseas. She panicked at the prospect of her card being blocked as it was her only means to fund expenditure during her travel and she pressed the link in the SMS. The fraudster skilfully but deceptively recovered her authenticating credentials and after some 30 minutes she received an SMS from the PSP confirming payment of €4000 to a foreign IBAN account. It was then that she realised that she had been scammed and contacted the bank to block her account and to effect a recall.

As the payment was made on a priority basis by the scammer, recall proves unsuccessful even though it was promptly executed by the PSP.

The PSP refuses to refund arguing that Ms AB was grossly negligent when she pressed the link on an SMS which the bank had regular warned against, on social and general media.  Ms AB had made payments online in the previous 12 months but had not actively assisted the fraudster beyond negligent disclosure of her secret credentials. She had not received any direct communication of warnings about such fraud schemes from the PSP in the previous 3 or 6 months.

What portion of the blame should be carried by Ms AB?

Portion due to pressing the SMS link: 50%

Add active assistance in the fraud transaction: 0%

Add on if in receipt of direct warnings in the last 3/6 months: 0%

Clawback special circumstance**:   0%

Clawback no online payments previous 12 months:  0%

Total allocation of responsibility 50% with 50% for the PSP.

** This case assumes normal travel In Europe and no significant unusual use of the account while travelling before the fraud event – so no special circumstance applies.

Practical example 2

Same as above but Ms. AB had received direct warning 2 months before.

Portion due to pressing the SMS link: 50%

Active assistance in the fraud transaction: 0%

Add on re receipt of direct warnings in the last 3 months: 20%

Clawback special circumstance: 0%

Clawback online payments previous 12 months: 0%

Total allocation of responsibility 70% with 30% for the PSP.

Practical example 3

Same as example 1 above but Ms AB, had actively assisted in the fraud by inputting data in the payment order in addition to disclosure of her secret credentials, and had received direct warning 1 month before but never made online payment in the last 12 months.

Portion due to pressing the SMS link: 50%

Add on active assistance in the fraud transaction: 30%

Add on re receipt of direct warnings in the last month: 20%

Clawback special circumstance: 0%

Clawback online payments previous 12 months: (20)%

Total allocation of responsibility 80% with 20% for the PSP.

The Arbiter emphasises that these are examples for illustration of how the model would work in general, but always reserving the right to depart from the model if particular circumstances of a complaint so warrants, with proper explanation for such departure from the model in the case decision.

Further recommendations for PSPs to enhance their PSU protection against fraud payments scams

The Arbiter wishes to make these recommendations which should be seriously considered by PSPs:

1. Removal or reduction of standard tariff charges for recalls in case of fraud payments especially where less than 100% gross negligence applies.
2. More effective and frequent educational campaigns warning of fraud payments scams both on general and social media, but particularly using direct channels of communication with PSUs.
3. Application of this model for effecting refunds to fraud payment cases which were not complained to the OAFS but were reported to (and refused by) PSP.
4. Fixing lower online transaction limits than the overall daily limits.  The Arbiter is sensitive that it is technologically challenging for PSPs to fix daily and transaction payment limits to suit each and every customer circumstance. However, it should be quite doable for PSPs to apply lower limits for retail customers than for business customers, and for the transaction limit to be lower than the daily limit which covers more than one transaction in a single day.
5. Adopting more sensitive transaction monitoring systems sensitive to unusual transactions which ought to be confirmed directly with PSU before affecting transaction.
6. Introducing stricter verification processes for changes in contact details or registering new devices (possibly including a physical visit to a branch or phone verification).  Notification of such contact changes should also be sent to old contact numbers/email addresses.
7. Limiting Apps meant to generate authentication codes to only one device.