Opening remarks by Director of Consumer Protection, Colm Kincaid, at Oireachtas Committee on Finance, Public Expenditure and Reform, and Taoiseach

12 July 2023 Speech

Colm Kincaid

Good afternoon Chair and members of the Committee.

I am joined today by colleagues Patrick Casey and Wesley Murphy and we welcome the opportunity to discuss the important issue of authorised push payment fraud with you.

1. The Role of a Safe, Resilient and Efficient Payment System

Over the last number of years, two key trends have shaped the payments landscape for consumers and businesses: speed and innovation. Irish consumers and businesses benefitted significantly from these trends and in particular from our integration into the European Union (EU) payments system under SEPA 1 . Consumers and businesses can now make electronic euro payments to anywhere in the Eurosystem area in a fast, safe and efficient way.

Key to the proper functioning of such a system is trust. Together with the European Central Bank and other Eurosystem national central banks, the Central Bank of Ireland shares a common goal: “to guarantee that people have access to efficient payment solutions that meet their preferences and to ensure that transactions remain safe, underpinning confidence in our currency and the functioning of our economy" 2 .

We are supported in this goal by strong legislative protections for users of EU payment services, in particular through the Payments Services Directive (PSD2). A key feature of PSD2 was to formalise payment security requirements in national law including the application of strong customer authentication (SCA). It also introduced reimbursement for cases of fraud where the payment is not authorised by the consumer (known as an unauthorised payment fraud).

Properly applied, the protections of this regulatory framework should give confidence to consumers and businesses in their day-to day activities. We see this confidence borne out in the increasing extent to which payment activity has migrated to digital means with, for example, the number of card payments more than doubling in the last 5 years 3 .

2. Enhancing EU legislation to address Authorised Push Payment (APP) Fraud

Unfortunately, as we see the benefits of digitalisation and an open European payments system under SEPA, we also see the ongoing emergence of ever more sophisticated frauds. This includes fraudsters utilising social engineering tactics to defraud consumers into authorising the making of a payment from their account (known as an authorised push payment fraud or APP).

As the Committee is no doubt aware, under the EU PSD2 framework, for unauthorised payment fraud, liability rests with the payment service provider to reimburse the consumer. However, the current EU PSD2 legislative framework does not set out liability for authorised push payment fraud. This gap in liability was called out, for example, in the European Banking Authority’s June 2022 report to the European Commission 4 .

The Central Bank welcomes therefore recent European Commission proposals 5 to extend the liability of payment service providers to include the case of authorised push payment fraud:

  • where an IBAN discrepancy is detected but not notified to the payer; and
  • where the fraud involves impersonation of a bank employee.

3. The Central Bank’s regulation of firms under current legislation

In our 2023 Consumer Protection Outlook Report, the Central Bank repeated its expectation of the firms we regulate to:

  • have effective measures to mitigate the risk of fraud;
  • be proactive in identifying and dealing with cases of fraud; and
  • engage effectively with consumers who have been the victims of fraud. This includes taking steps to support victims of APP fraud to retrieve their funds where possible.

There will also be cases of APP fraud where firms should compensate consumers to the extent the consumer’s loss arises from a failure in a payment service provider’s own established systems and controls.

As part of its ongoing review of the Consumer Protection Code, the Central Bank is also considering what policy measures it can introduce within the scope of its specific rule-making powers to contribute to the protection of consumers in a digital environment more generally. The measures under consideration include requirements on the design of digital platforms, firms’ systems and controls and on-line security standards.

4. The need for coordinated action

The sophisticated and multi-dimensional nature of APP fraud requires a co-ordinated approach across industry and with public sector agencies. We are aware of initiatives in other countries such as the “Observatory for the Security of Payment Means” created under French law, which promotes information sharing and consultation between all relevant parties, including consumer representatives, ombudsmen, law enforcement and regulators. We would welcome the opportunity to participate in any future equivalent fora mandated domestically involving all the key private and public sector stakeholders in the payments area.

As well as continuing to develop their own systems, it is also important that payment service providers continue to work together to consider the overall functioning of the system and ensure that their customers’ interests are effectively protected. This could include considering coordinated measures such as the introduction of IBAN checks, while recognising that no one step alone will provide full protection.

It also remains important to continue to raise public awareness of fraud. There is more we can all do as a combined effort to support this domestically. Last year, the Central Bank launched an online public awareness campaign titled “How can I protect myself from financial scams” and this information remains available on our website. We also note the initiatives of industry to raise awareness of fraud and that this topic should also feature in ongoing work at Government level on a national strategy on financial literacy.

5. Reimbursement and Liability

We are clear that firms should take steps to seek to recover funds for consumers, and should compensate consumers to the extent any loss arises from a failure in the firm’s own established systems and controls. We also support the European Commission proposal to expand reimbursement to the cases of APP fraud the Commission has specified.

The question arises, should the law go further up to requiring that consumers be fully reimbursed in all cases of APP fraud? And, if so, who should bear this cost? These are important social policy questions which require careful consideration. Such consideration should include looking at all the actors involved, including social media and other communication mechanisms through which APP fraud is carried out.

This includes any consideration of a voluntary reimbursement arrangement such as that in the United Kingdom. We note the discussions the Committee held with the Banking and Payments Federation Ireland on this aspect. The Central Bank would support any such initiative by industry, while recognising it must be properly calibrated. We believe it would be most effective if pursued as part of a wider engagement on enhancements to prevent fraud where all relevant actors are involved, including those outside the banking and payments sector. This approach could also support the development of the proposed shared fraud database, which would be of benefit to relevant stakeholders to prevent and combat fraud across the financial system.

6. Conclusion

Fraudsters prey on consumer vulnerabilities. Combatting such bad actors will require all parties to act together to protect and preserve the freedoms of the EU payments system which we have worked so hard to build for the benefit of our society. Working together with other regulatory authorities within the EU framework and law enforcement agencies in the State, the Central Bank is playing its part in securing the safety of that payments system. We welcome the European Commission’s proposals to enhance that EU framework and we stand ready to play our part in any future consideration of how to further enhance the framework at EU or national level.

In the meantime, our expectations of the firms we regulate are clear. They must have effective systems in place to identify and prevent fraud and they must support consumers who fall victim to it. This includes APP fraud, where we expect firms (amongst other things) to take steps to trace and recover money lost where this is possible. We also expect firms to take responsibility to compensate consumers to any extent a consumer’s loss has resulted from a failure of the firm’s own established systems and controls.

I thank the Committee members for their attention. I, and my colleagues, are happy to take the members’ questions.

1 Single Euro Payments Area