SUP 16 Annex 27F Notes on completing REP017 Payments Fraud Report

REP017 Payments Fraud Report

1 G These notes contain guidance for payment service providers (PSPs) that are required to complete the Payments Fraud Report in accordance with Regulation 109(4) of the Payment Services Regulations 2017 and SUP 16.13.7D.

What is a fraudulent transaction?

For the purposes of this report, a fraudulent transaction is any payment transaction that the PSP has:

• executed;

• acquired; or

• in the case of a PISP (payment initiation service provider), initiated;

and that the PSP deems to have been subject to one of the following fraud types:

(for credit transfers and direct debits)

• Manipulation of the payer to issue a payment order.

• Issuance of a payment order by the fraudster.

• Modification of a payment order by the fraudster.

• Account takeover.

(for credit cards)

• Lost and stolen card fraud.

• Card Not Received fraud.

• Counterfeit card fraud.

• Theft of card details (card not present).

If a payment transaction meets the conditions above it should be recorded as a fraudulent transaction for the purposes of this report irrespective of whether:

• the PSP had primary liability to the user;

• the fraudulent transaction would be reported as such by another PSP in the same payment chain; or

• the fraud is committed by the user (first party fraud) or by another person with whom the PSP does not have a contractual relationship (third party fraud).

Fraud types

PSPs should use their discretion when determining the appropriate fraud type for each fraudulent transaction and should choose the fraud type that most closely matches the circumstances of the fraud. We have provided guidance on the fraud types for this purpose.

Credit transfers and direct debits:

Manipulation of the payer to issue a payment order

This would cover fraud where the payer authorises a push payment to a fraudulent payee, also referred to as ‘malicious misdirection’; for example, when a scammer contacts the victim purporting to be from the victim’s bank. The scammer then convinces the victim to transfer money (using a credit transfer) to a different account in order to safeguard it, but that account is in fact controlled by the scammer. (See Payment Systems Regulator response to Which? Super-complaint: https://www.psr.org.uk/psr-publications/news-announcements/which-super-complaint-our-response-Dec-2016)

Issuance of a payment order by the fraudster

This would cover fraud where the fraudster uses stolen personalised security credentials in order to issue a payment order, either through contacting the victim’s bank or accessing the victim’s online banking service. For example, where a victim’s online banking has been accessed using stolen personal identity details and credit transfers (such as Faster Payment or CHAPS payments) have been made or direct debits set up from the victim’s account to beneficiaries chosen by the fraudster.

Modification of a payment order by the fraudster

This would cover fraud where the fraudster has gained unauthorised access to the victim’s account in order to change the details of existing payment orders or payment instructions. For example, where a victim’s account has been accessed using stolen personalised security credentials in order to modify the beneficiary of the victim’s existing standing orders or direct debits; or where a victim’s account has been accessed by a fraudster and a batch of payment details has been modified so that, when the payments are executed by the victim, the funds are unintentionally transferred to a beneficiary or beneficiaries chosen by the fraudster rather than the intended beneficiary. (See CIFAS paper, Table 2 Unlawful obtaining or disclosure of personal data: https://www2.cipd.co.uk/NR/rdonlyres/710B0AB0-ED44-4BD7-A527-B9AC29B28343/0/empfraud.pdf)

Credit cards:

Lost and stolen card fraud

This would cover any fraud committed as a result of a lost or stolen card (except where card non-receipt fraud, below, has occurred). (See FFAUK Fraud Facts 2016 https://www.financialfraudaction.org.uk/fraudfacts16/assets/fraud_the_facts.pdf)

Card non-receipt fraud

This would cover fraud where a payment card is stolen (with or without the details of the PIN also being intercepted) whilst in transit – after the card company sends it out and before the genuine cardholder receives it. The payment card is then used by the fraudster to make transactions. (See FFAUK Fraud Facts 2016 https://www.financialfraudaction.org.uk/fraudfacts16/assets/fraud_the_facts.pdf)

Counterfeit card fraud

This would cover fraud where the fraudster uses a card which has been printed, embossed or encoded so as to purport to be a legitimate card but which is not genuine because the issuer did not authorise the printing, embossing or encoding. (See https://www.financialfraudaction.org.uk/wp-content/uploads/2016/07/Fraud-the-Facts-A5-final.pdf)

Account takeover

This would cover fraud using another person’s credit or debit card account, first by gathering information about the intended victim, then contacting their bank or credit card issuer whilst masquerading as the genuine cardholder. The fraudster will then arrange for funds to be transferred out of the account, or will change the address on the account and ask for new or replacement cards to be sent to the new address. (See https://www.financialfraudaction.org.uk/wp-content/uploads/2016/07/Fraud-the-Facts-A5-final.pdf)

Theft of card details (card not present)

This would cover fraud where card details have been fraudulently obtained through methods such as unsolicited emails or telephone calls, or digital attacks such as malware and data hacks. The card details are then used to undertake fraudulent purchases over the internet, by phone or by mail order. It is also known as ‘card-not-present’ (CNP) fraud. (See https://www.financialfraudaction.org.uk/fraudfacts16/)

Data elements

Payments Fraud Report - Table 1

1A

Please select the payment type which has the highest fraud rate by value of fraudulent transactions

Payment types

The payment types available in the dropdown list are payment types provided by UK PSPs. These include different types of credit transfer, direct debit and card payment types.

Credit transfers:

BACS Direct Credit

BACS single payment

CHAPS credit transfer

Faster Payments (including standing orders)

SEPA credit transfer

Inter-bank transfer (On-Us) payment

International SWIFT payment

Direct debits:

BACS Direct Debits

SEPA Direct debit

Cards:

Pre-paid Card

Credit Card

Charge card

Debit card/cash card

If the PSP provides three or fewer payment types, it should complete the report in respect of each of those payment types.

Calculating the value of fraudulent transactions

In order to complete this report, PSPs should, throughout the reporting period, record for each payment type: the number and value of payment transactions and the number and value of payment transactions that are categorised as fraudulent transactions. PSPs should use this data to determine which payment type has the highest fraud rate.

PSPs should convert values for non-sterling transactions into sterling using the average ECB reference exchange rate for the applicable reporting period, where available. In other instances PSPs should use the average of the applicable daily spot rate on the Bank of England’s Statistical Interactive Database for the applicable reporting period.

‘Highest fraud rate’ means the highest total value of fraudulent transactions (in sterling) over the reporting period; that is, payment types are ranked by total fraudulent value, not by the ratio of fraudulent value to total value.

If the PSP executes more than one payment transaction in respect of the same funds (for example placing and transferring the same funds), the PSP should record this transaction and the corresponding value once only.

1B-1E

Volume and value of payment transactions and fraudulent transactions

PSPs should report the following information in respect of the payment type selected at 1A:

• Total transaction volume (i.e. the number of transactions) for payment type (000s)

• Total transaction value for payment type (£ millions)

• Fraudulent transaction volume (i.e. the number of transactions) for payment type (000s)

• Fraudulent transaction value for payment type (£ millions)

Figures should be entered in units of thousands (for volume) or millions (for value). If the figure is less than one thousand or one million, you should enter the figure as a decimal fraction: e.g. if the total fraudulent transaction value is £23,000 this should be entered as 0.023, and a fraudulent transaction volume of 450 transactions should be entered as 0.45.

1F

Volume of fraudulent transactions initiated through PISP using payment type

PSPs that only provide payment initiation services (i.e. those that do not come into possession of user funds) do not need to answer this question. All other PSPs should enter the number of fraudulent transactions that were initiated by a third party PISP using the payment type selected at 1A. If there were none, PSPs should enter ‘0’.

1G

Please select the three fraud types attributed to the highest value of fraudulent transactions for the payment type

The PSP should select the three fraud types (from the drop down list given in the form) that cause the most fraud for the payment type selected at 1A. The three fraud types should be those with the three highest total values of fraudulent transactions.

1H

Fraudulent transaction value

For each of the fraud types selected at 1G, the PSP should enter the value of fraudulent transactions for that fraud type. This will allow us to understand the proportion of the total fraudulent transaction value (entered at 1E) that is attributable to that particular fraud type.
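The steps set out above (recording volume and value per payment type throughout the period, converting non-sterling amounts at the period's average reference rate, recording several legs of the same funds once, ranking payment types by total fraudulent value, selecting the three highest-value fraud types, and entering volumes in thousands and values in £ millions) can be carried through end to end. The following Python is an added worked example; it is not part of the FCA notes or of the REP017 form. The transaction ledger and the exchange rates are constructed for illustration, and it assumes that 1H is entered in the same £ millions units as 1E, which the notes do not state.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Payment-type and fraud-type labels as they appear in the notes.
FPS = "Faster Payments (including standing orders)"
SEPA_CT = "SEPA credit transfer"
CREDIT_CARD = "Credit Card"
MANIPULATION = "Manipulation of the payer to issue a payment order"
ISSUANCE = "Issuance of a payment order by the fraudster"
ACCOUNT_TAKEOVER = "Account takeover"
CNP = "Theft of card details (card not present)"


@dataclass(frozen=True)
class Txn:
    txn_id: str
    payment_type: str
    currency: str                        # ISO 4217 code
    amount: Decimal                      # in the transaction currency
    fraud_type: Optional[str] = None     # None = not a fraudulent transaction
    pisp_initiated: bool = False         # initiated by a third-party PISP (for 1F)
    same_funds_as: Optional[str] = None  # id of an earlier leg moving the same funds


# Assumed average reference rates for the reporting period, as GBP per unit of
# currency. Hypothetical values; the real ones come from the ECB/BoE series.
PERIOD_RATES = {"GBP": Decimal("1"), "EUR": Decimal("0.86"), "USD": Decimal("0.78")}


def to_sterling(amount: Decimal, currency: str, rates=PERIOD_RATES) -> Decimal:
    return amount * rates[currency]


def aggregate(txns, rates=PERIOD_RATES):
    """Per payment type: volume, value, fraud volume, fraud value, PISP-initiated
    fraud volume and value per fraud type. All values are in GBP units."""
    stats = {}
    for t in txns:
        # A later leg that moves the same funds is recorded once only.
        if t.same_funds_as is not None:
            continue
        s = stats.setdefault(t.payment_type, {
            "volume": 0, "value": Decimal(0), "fraud_volume": 0,
            "fraud_value": Decimal(0), "pisp_fraud_volume": 0,
            "by_fraud_type": defaultdict(lambda: Decimal(0)),
        })
        gbp = to_sterling(t.amount, t.currency, rates)
        s["volume"] += 1
        s["value"] += gbp
        if t.fraud_type is not None:
            s["fraud_volume"] += 1
            s["fraud_value"] += gbp
            s["by_fraud_type"][t.fraud_type] += gbp
            if t.pisp_initiated:
                s["pisp_fraud_volume"] += 1
    return stats


def rank_payment_types(stats):
    """'Highest fraud rate' in these notes means highest total fraudulent value,
    so rank on that (not on a ratio) and keep at most three payment types."""
    return sorted(stats, key=lambda p: stats[p]["fraud_value"], reverse=True)[:3]


def thousands(count: int) -> Decimal:
    return Decimal(count) / Decimal(1_000)       # 450 transactions -> 0.45


def millions(value: Decimal) -> Decimal:
    return value / Decimal(1_000_000)            # £23,000 -> 0.023


def build_report(txns, rates=PERIOD_RATES):
    """Return {1: {...}, 2: {...}, 3: {...}} mirroring sections 1A-H to 3A-H."""
    stats = aggregate(txns, rates)
    report = {}
    for section, ptype in enumerate(rank_payment_types(stats), start=1):
        s = stats[ptype]
        by_type = s["by_fraud_type"]
        top_fraud_types = sorted(by_type, key=by_type.get, reverse=True)[:3]
        report[section] = {
            "A": ptype,
            "B": thousands(s["volume"]),
            "C": millions(s["value"]),
            "D": thousands(s["fraud_volume"]),
            "E": millions(s["fraud_value"]),
            "F": s["pisp_fraud_volume"],       # a plain count, not thousands
            "G": top_fraud_types,
            # Assumption: 1H is entered in the same £ millions units as 1E.
            "H": {ft: millions(by_type[ft]) for ft in top_fraud_types},
        }
    return report


# Constructed sample ledger for one reporting period (not real data).
SAMPLE_TXNS = [
    Txn("t1", FPS, "GBP", Decimal("1500")),
    Txn("t2", FPS, "GBP", Decimal("2500")),
    Txn("t3", FPS, "GBP", Decimal("20000"), fraud_type=MANIPULATION),
    Txn("t4", FPS, "GBP", Decimal("3000"), fraud_type=ACCOUNT_TAKEOVER, pisp_initiated=True),
    # onward transfer of the funds from t3: same funds, counted once
    Txn("t5", FPS, "GBP", Decimal("20000"), fraud_type=MANIPULATION, same_funds_as="t3"),
    Txn("t6", SEPA_CT, "EUR", Decimal("1000")),
    Txn("t7", SEPA_CT, "EUR", Decimal("5000"), fraud_type=ISSUANCE),
    Txn("t8", CREDIT_CARD, "GBP", Decimal("200")),
    Txn("t9", CREDIT_CARD, "GBP", Decimal("800"), fraud_type=CNP),
]

if __name__ == "__main__":
    for section, fields in build_report(SAMPLE_TXNS).items():
        print(section, fields)
```

With the sample ledger, Faster Payments ranks first with £23,000 of fraudulent value (entered at 1E as 0.023, with 1D as 0.002 because the onward leg t5 is not counted again), the SEPA credit transfer second after conversion at the assumed EUR rate, and the credit card third; a PSP with fewer than three payment types simply gets fewer sections back.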

2A and 3A

Please select the payment type which has the second and third highest fraud rate by value of fraudulent transactions

The second and third highest fraud rate should be calculated as set out above in relation to 1A.

If the PSP provides three or fewer payment types in the reporting period, it should complete the report only in respect of each of those payment types. For example, if the PSP provides two payment types, it should complete sections 1A to H and 2A to H only.

2B-H and 3B-H

PSPs should answer questions 2B to H and 3B to H as set out above in respect of the payment types entered at 2A and 3A (where applicable).

Table 2 - Fraud relating to account information services

This section should be answered by PSPs that provide account information services (AISPs). Registered account information service providers (i.e. PSPs that provide only account information services and no other type of payment service) do not need to answer the questions in Table 1.

4A

Please indicate the number of incidents of fraud

This should be the total number of incidents of fraud that the AISP has recorded. If there are no incidents of fraud, please enter ‘0’ (there is no need to complete the rest of Table 2).

4B

Total value of fraud

Where known, the AISP should report the value of any fraudulent transactions that were executed or initiated (by a third party PSP) as a result of the fraud committed against the AIS user or the AISP.

In all other circumstances the AISP should provide an estimation of the loss to the persons defrauded. In this context ‘persons’ would include the user of the AIS service, any other PSP (such as a credit institution that operated the payment account that the AISP accessed) or the AISP itself. ‘Loss’ would include loss of funds incurred as a result of fraudulent transactions or loss incurred as an indirect result of the fraud; for example by having to reissue new payment instruments or fix breached security systems.

If the fraudulent incident(s) did not result in any financial loss, the AISP should still report the incident, enter ‘0’ at 4B and explain the type of fraud at 4C.

AISPs should convert values for non-sterling transactions into sterling using the average ECB reference exchange rate for the applicable reporting period, where available. In other instances AISPs should use the average of the applicable daily spot rate on the Bank of England’s Statistical Interactive Database for the applicable reporting period.

4C

Description of fraud

In this section we would expect AISPs to describe the type of fraud that has resulted in the highest total value of fraud (unless the AISP is reporting fraudulent incidents that did not result in any financial losses, as above). The AISP should also explain how the losses were incurred (on the basis that the AISP does not come into possession of the payment transaction funds and is not responsible for the execution of payment transactions).