Since the EU introduced its Revised Payment Services Directive (PSD2) in 2018, Authorised Push Payment fraud (APP) has grown into the continent’s most prevalent form of financial crime. This explosive growth surprised few of us in the industry, but regulators likely didn’t expect one major consequence of that explosion: a shift in liability from banks to their customers.
Under PSD2, there is no customer reimbursement mandate for authorised payments. The directive only covers unauthorised Account Take Over (ATO) fraud. PSD3, scheduled to take effect in 2026, aims to make banks liable for reimbursement in bank impersonation scams but no other form of APP. The EBA is working to formalise the differences between unauthorised and authorised frauds and show how hybrid attacks – like the use of Remote Access Trojans from the customer machine alongside social engineering – might end up in the customer’s favour.
The financial impact of APP
Strong Customer Authentication (SCA) mandated by PSD2 is a double-edged sword. Brought in to reduce the overall losses across all digital channels it has benefited remote card purchases more than anywhere else. In the UK initial research by Nationwide showed SCA helped to prevent 2,000 cases of fraud each month. It also found that more than two-thirds of customers are happy to enter a passcode or manually approve a payment, even though some transactions might take a little longer, as long it makes their purchase journey more secure.
Although SCA has effectively put a stop to one type of fraud (ATO), it’s also led to a rise in social engineering attacks, ironically causing European banks to refund defrauded customers less frequently. A 2024 opinion paper by the European Banking Authority (EBA) found that most EU digital fraud losses are now borne by the customer.
By posing as a legitimate business or government body, cybercriminals committing APP fraud manipulate their victims into making payments or sharing personal details. APP circumvents SCA because the victims are tricked into voluntarily transferring away their money. In the UK alone, APP now impacts around 200,000 consumers each year, costing the economy around £459.7 million in 2023 (with over 60% reimbursement across industry2). The EBA estimates the EEA losses at around €1.2B with as little as 21% reimbursement, and that figure only includes those cases reported to banks. Whether customers are classified as Grossly Negligent or attack MO’s misclassified as authorised rather than unauthorised is a moot point, SCA has become a raw deal for many European victims. There exist inconsistencies across countries and between individual banks as to how victims are treated.
PSD3’s need for improvement
In some ways, SCA leaves consumers less safe from fraud than they were before PSD2, exposing them to the increasing number and frequency of APP scams – any losses from which their banks and governments hold them personally liable. While the European Parliament reviews the proposed PSD3 directive, more must be added in amendments to better protect fraud victims. If this fails to happen, we’ll soon start discussing the need for PSD4.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataToday, European nations are facing enough fraud to consider it a (trans)national security threat. Holding victims accountable is neither correct nor ethical, especially when there exists another way to protect consumers from scams without introducing more friction into the customer journey or placing more liability on their shoulders.
Proactively detecting and flagging fraud
Many organisations view their customers as the weakest link in their fraud-prevention defences. But it doesn’t have to be this way. In fact, customers, their idiosyncrasies, their digital habits and the ways they bank can instead form the basis of new, watertight digital protections.
Behavioural biometric intelligence analyses a user’s digital behaviour to distinguish whether an online banking session is legitimate or fraudulent. It can monitor patterns in mouse activity, keystroke movement, touchscreen behaviour, device orientation, user hesitation, disjointed typing, and much more.
A major advantage of behavioural intelligence is its ability to operate passively in the background. It silently monitors thousands of parameters, such as how a person holds their phone or how they scroll and toggle between fields, minimising friction in the user experience and storing this information for the user’s next session.
Once the user logs on again, the technology can compare their behaviour with previous data (validation not authentication) and, if it’s significantly different and matches known patterns of criminal activity, flag the session as potentially fraudulent.
Crafting a seamless and secure digital experience
Behavioural intelligence also offers protection against so-called “voluntary” APP fraud. It looks at several factors to recognise APP scams in real-time, such as:
- The overall length of the session: Typically, fraudulent payment sessions last longer and exhibit aimless mouse movements, indicating the customer is waiting for further instructions from an imposter over the phone.
- Segmented typing: How a person enters an account number themselves (versus someone reading it to them) makes a huge difference to the typing cadence.
- Hesitation: Customers being scammed often show signs of hesitation, even if the well-rehearsed fraudster is skilled in coercion and reassurance. Long pauses before performing simple actions are telling signs of fraud.
- Device displacement: Continuous movement of the phone suggests the user is picking it up to receive instructions and placing it back down to carry out the directed actions.
Ultimately, behaviour tells all. It’s the only thing fraudsters and the increasingly sophisticated artificial intelligence tools at their disposal cannot mimic. The introduction of behavioural intelligence is a powerful tool for combating advanced threats, while also fostering innovation and growth. Most pressingly, it could soften concerns around PSD2 and PSD3’s shortcomings while regulators iron out their next moves, replacing friction and fraud with a world of trust and ease. English speaking countries who experienced APP fraud first have been the pioneers to deploy and are now seeing fraud levels decline with displacement elsewhere.
Iain Swaine is Director EMEA, Global Advisory at BioCatch