Draft regulation on payment services: effective fight against bank fraud requires the continuous cooperation of all parties
As part of the negotiations on the Commission’s proposal for a regulation on payment services, the liability of electronic communications operators and more generally of technical intermediaries, including digital platforms, in the context of bank fraud has been raised in different fora. This is triggered by an increase in fraudulent practices based on impersonation to deceive bank customers using electronic means of communication. For example, one of the growing vectors of bank fraud concerns the theft of telephone numbers (number spoofing). By fraudulently using a number assigned to a bank or payment service provider (bank advisor number or credit card opposition centre), the fraudster lowers the customer’s level of distrust and deceives them to obtain confidential information (access codes, bank card number, etc.).
Electronic communications operators, notably faced with the misunderstanding of fraud victims, are already incentivised to fight such practices and ensure trust in the use of telephone numbers. Several national initiatives, whether voluntary or imposed by law, have been launched in this regard. For example, in France, the Naegelen law, adopted in July 2020 to combat illegal cold calling, requires operators to ensure the authenticity of numbers from the numbering plan established by the national regulatory authority when they are used as caller ID for calls and messages received by their end-user customers.
Despite these efforts, which must continue, fraudsters remain innovators by nature, which means that fraud is rapidly evolving to circumvent any technical obstacles put in place.
This is why attempts to shift the legal and financial liability of such bank fraud cases away from payment service providers to technical intermediaries would not bring any additional result in the effective fight against these fraudulent practices. On the contrary, this would certainly lower the incentive for payment service providers to secure their services through state-of-the-art technologies and endanger the very principles governing the functioning of electronic communications services: electronic communications operators do not have visibility or control over the contents of communications on their networks, hence cannot be held liable for reprehensible acts committed using their networks. Overall, this would conflict with provisions of existing EU law applying to electronic communication operators (such as European Electronic Communications Code or ePrivacy and net neutrality) and platforms (such as the Digital Services Act).
But this does not imply that nothing can be done: cooperation at EU level among all parties involved in the fight against bank fraud (including operators, digital service providers, payment service providers, banks, customers’ associations, telecom regulators, and banking supervisors) could be strengthened and structured to identify and qualify trends in bank frauds, promote best practices in technical remediation, seek interoperability in telephone number authentication systems, and better inform customers for them to make better decisions when using payment services.
Remedying new forms of bank fraud requires a collective effort from the digital and the banking sector – the EU should not miss the opportunity to make it happen. It should ensure the Payment Services Regulation remains proportionate and incentivise efficient cooperation between the banking sector and the electronic communications sector, while duly considering the roles of each player in the value chain and without transfer of liability.
Romain Bonenfant
EuroISPA Board Member
Managing Director, Fédération Française des Télécoms