HL | PSD3 Impacts
5. Transaction monitoring and data sharing (PSR Arts 83 & 89)

Overview

Unique identifiers that have been reported twice to the same PSP in connection to fraud must be shared with the other PSPs.

Such data sharing between PSPs will be subject to arrangements that define the details for participation and the requirements for operational elements, including the use of dedicated IT platforms.

Data sharing will require a joint DPIA between PSPs under the GDPR and regarding engagement with the authorities.

What is changing?

PSPs will be required to implement transaction monitoring mechanisms to prevent and detect potentially fraudulent transactions, including fraud involving payment initiation services (as well as to support the application/exemption of SCA).

The proposed PSR prescribes the data that may be used, its retention period (no longer than necessary and not after termination of the relationship), the minimum risk-based factors that must be considered under the monitoring system, and it requires RTS to be introduced.

For transaction monitoring purposes, PSPs will also be required to share unique identifiers to prevent and detect fraud when at least two different PSUs who are customers of the same PSP have notified their PSP that a unique identifier of a payee was used for fraud.

Information-sharing arrangements will define details for participation and will set out the details on operational elements, including the use of dedicated IT platforms.

PSPs must jointly conduct a DPIA under Article 35 of the GDPR and, where applicable, consult with the supervisory authority as referred to in Article 36 of the GDPR.

PSPs must notify authorities of their participation/cessation in the information-sharing arrangements.

The sharing of such data must not lead to the termination of the customer’s contractual relationship or affect their future onboarding by another PSP.

The EP Text seeks to expand the data that firms will be required to share to include the name, personal identification number, organisation number, modus operandi and other transaction information.

It also proposes that the EBA sets up a dedicated IT platform to facilitate information exchange and will permit PSPs to terminate future relationships of customers with unique identifiers that have been shared between PSPs where a thorough fraud investigation by the relevant authorities concludes that the customer has participated in fraud.

The Council Text proposes to mandate transaction monitoring prior to a payment being made and following receipt of a payment, with the PSP bearing liability for any loss suffered by the payer where they fail to do so.

It also broadens the categories of data that should be monitored by the payer’s PSP to include device data (e.g. identifiers of the device used to initiate or authenticate a payment) and sets out the data that a payee’s PSP is required to monitor.