.svg)
Members of the European Parliament (MEPs) have made amendments to the Payment Services Regulation (PSR), which focus strongly on fraud liability.
Progress has been made on the PSR legislative file, as MEPs have submitted their suggestions on how the European Commission’s proposal could be improved.
Among the issues that feature strongly is fraud liability.
This is a topic that is set to be overhauled as part of the legislation, with the commission’s text having shifted liability away from payment service users (PSUs) and onto payment service providers (PSPs).
For example, PSPs will have very few situations whereby they can refuse to refund customers once the PSR is in place, echoing the liability rules that are being introduced by the Payment Systems Regulator in the UK.
MEPs have built on this, as first evident in rapporteur Marek Belka’s draft report, which called for social media firms to be held financially liable.
MEPs divided on liability
However, there appears to be a difference in opinion between political groupings.
For example, Ondřej Kovařík, who is also rapporteur for the Payment Services Directive (PSD3) file, has added in a new clause stating that online platforms can also contribute to increasing instances of fraud, and therefore, and without prejudice to their obligations under the Digital Services Act, they should be held liable “where fraud has arisen as a direct result of fraudsters using their platform to defraud consumers”.
However, Eugen Jurzyca, an MEP hailing from the European Conservatives and Reformists Group (ECR), has amended the text to say that “electronic communications services providers cannot be held liable for payment fraud committed by the third party”, which should mean that social media and telecommunications firms would not be held responsible.
José Manuel García-Margallo y Marfil, a Spanish MEP, has meanwhile shifted the burden even further away from the customer.
In the commission’s text, PSUs who have already received a refund from PSPs after having fallen victim of bank employee impersonation fraud would be able to be refused a refund. However, the centre-right parliamentarian has removed this example.
Jurzyca has also added new examples of gross negligence, shoring up the commission text by saying “unsafe manipulation with security codes, debit card or a device used to provide the access to banking, persuading the bank to lift the blockade placed after a fraud alert acting on guidance from an unfamiliar third party, transferring money to foreign accounts under suspicious circumstances or opening one or more crypto wallets acting on guidance from an unfamiliar third party” should render a customer unable to access a refund.
Kovařík, who sits with the centrist Renew faction of the Parliament, has further added a clause calling for the European Banking Authority (EBA) to issue guidelines on how PSPs should define gross negligence.
Additionally, Lídia Pereira, a Portuguese MEP, has suggested extending the commission’s ten-day rule on making a decision on whether to refund a PSU or not to 20 days.
Bolstering SCA
Strong customer authentication (SCA) rules have also been addressed in the MEPs' amendments.
Kovařík has added an amendment that states “it is appropriate that the application of SCA be risk-based and outcome-focused” and, in turn, SCA compliance requirements should provide sufficient flexibility for innovation within the payments sector, including in the development of new SCA solutions.
The Czech lawmaker has also added an amendment that says, in the context of business to business (B2B) or business to government (B2G) payments, SCA should be appropriate to the risk level of such transactions, taking into account already existing controls and checks that exist among these operators.
“In order to reduce administrative burden, SCA should not be required for every transaction in these scenarios, and should be adapted to a risk-based approach,” Kovařík’s amendment says.
Belka and colleagues in the centre-left parliamentary grouping, Paul Tang and René Repasi, meanwhile, have said that clear definitions of merchant initiated transactions (MITs) and of mail orders or telephone orders (MOTOs) should be introduced by the EBA, because they are absent from the PSR and PSD3 texts.
Jurzyca has further removed a provision in the PSR that says the “regulatory approach to MITs and direct debits, both being transactions initiated by the payee, should be aligned and benefit from the same consumer protection measures, including refunds”.
As with the PSD3 file that Vixio also reported on this week, lawmakers will now need to come to a compromise on the text to prepare their position for triologues with the European Council.
