
EU legal eagle says banks should refund cybercrime victims first, argue later

Analysis One of the European Union's top legal advisors is trying to change how banks treat cybercrime victims – meaning they could enjoy greater financial protections sooner than expected.

In a recently published legal opinion, Advocate General Athanasios Rantos urged the EU's Court of Justice to read the Second Payment Services Directive (PSD2) in a way that would require banks to reimburse victims of payment fraud first, before it has been established whether the customer was at fault.

Crucial to this is the treatment of gross negligence under PSD2. Should Rantos's opinion be adopted, victims of crimes such as bank impersonation scams would be reimbursed immediately, regardless of whether the bank believes the money was lost through the customer's own gross negligence as defined in EU law; the bank could still pursue the customer afterwards if it proves that negligence.

Under the current reading of PSD2, banks hold the power. If a victim of online fraud reports the crime to their bank, the institution conducts a review of the case to decide whether the customer should be reimbursed.

The current model can often leave victims in an uncertain and potentially perilous financial position until the bank determines whether or not to repay them.

Banks often use the gross negligence defense to delay reimbursement. Rantos's opinion, which is not yet legally binding, looks to flip this on its head: banks would pay victims immediately, regardless of whether gross negligence contributed to the fraud's success, and then reclaim the money only if a later review or court case establishes that negligence.

Under the EU's payment services rules, gross negligence can be argued in cases where victims are tricked into handing attackers a one-time passcode or their login details, which the criminal then uses to make unauthorized payments from the victim's account.

The Advocate General provided a hypothetical example [PDF] of a case in which the victim would benefit from this reinterpretation.

A customer of a bank in the EU is phished by a criminal who has listed an item for sale on an online marketplace. The customer agrees to purchase the item, and the criminal sends them a link that leads to a web page imitating the customer's bank.

Convinced the web page is legitimate rather than under the attacker's control, the unwitting victim enters their online banking credentials to approve the purchase. The attacker captures those credentials and uses them to initiate a payment from the victim's account.

The victim reports the scam to their bank, but the bank claims that gross negligence (not spotting that the web page was a phishing site) led to the fraudulent transaction. It refuses to issue an immediate refund, forcing the victim to pursue recovery through the courts, likely while short of funds because of the theft.

Under Rantos's opinion, the bank would have to refund the victim immediately and could reclaim the funds only if gross negligence is proven later, giving the victim greater financial security in the short term.

Jonathan Frost, director of global advisory for EMEA at cyber and fraud detection biz BioCatch, said: "The Advocate General's opinion indicates a major shift in the liability for fraud in European payments. If the Court concurs, banks may have to promptly reimburse customers for unauthorized transactions and then pursue negligence claims. This shifts the initial financial risk to banks, heightening the need to detect account takeover and credential compromise before processing payments."

"This reflects a key principle of the Revised Payment Services Directive (PSD2): customers should be promptly refunded for unauthorized payments, unless the bank can clearly prove fraud or gross negligence. UK banks already reimburse about 98 percent of unauthorized fraud losses, whereas European banks have often refused to reimburse customers unless they pursue legal action."

The outcome Rantos's opinion argues for is also expected to arrive, eventually, in the form of the updated PSD3 and the brand-new Payment Services Regulation (PSR).

Unlike PSD2, both proposed texts, as currently worded, explicitly codify this specific scenario.

However, a protracted legislative process could mean the protections are not formally introduced and enforced for some time, despite first being proposed in 2024, which is why the Advocate General's reinterpretation of PSD2 matters: it would deliver the same protection without waiting for the new legislation.

PSD3/PSR will bring a range of changes to the EU's payments regulations. Aside from the more finance-related parts, payment service providers (PSPs) will need to implement more robust Strong Customer Authentication (SCA), one of the changes lawmakers most hope will curb the rising number of financial fraud cases. PSPs that fail to implement SCA properly could face enforcement action from regulators.

Merchants also have a role to play. They will need to share more data with the PSPs, which can then make better-informed decisions about whether to approve or deny transactions. User locations, session data, device IP addresses, and similar signals will give PSPs a clearer picture of who actually authorized the payment: the genuine cardholder or a malicious third party.

SCA is already a requirement under the existing PSD2, although PSD3 will bring improvements, with the PSR enforcing them. Because the PSR is a regulation rather than a directive, it applies directly in every member state as soon as it takes effect; a directive must first be transposed into each member state's domestic law, another lengthy process.

The types of data that inform SCA will remain largely unchanged, but PSD3 will more clearly define liability in cases of failure.

SCA under PSD2 is also usually implemented through methods that require a smartphone, such as a banking app. PSD3/PSR will force PSPs to broaden these authentication methods, offering greater protection to those without access to a smartphone, for example, or those with disabilities. ®

Source: The Register
