BT-REQ-3972 PSD3 Impacts v6(without crop marks) RL - Flipbook - Page 25
25
HL | PSD3 Impacts
What is the impact?
The EP Text on impersonation fraud and the
deadline for making a claim to an ASPSP will
increase considerably the liability which ASPSPs
are exposed to.
Corporate banks will not be unaffected by these
changes and will need to implement confirmation
of payee services.
The corporate opt-out at least enables such banks
to reduce the time period in which a customer can
make a claim. However, this will need to be agreed
with existing customers.
Other liability changes
(PSR Arts 58 – 69)
The proposed PSR introduces liability for technical
service providers and payment system operators
for failure to provide the services they are under
contract for regarding support of SCA that results in
loss to a payee, a payee’s PSP or a payer.
It also introduces obligations on electronic
communication service providers to co-operate
closely with PSPs and act swiftly to ensure
that appropriate organisational and technical
measures are in place to safeguard the security and
confidentiality of communications in accordance
with the ePrivacy Directive, including with regard
to calling line identification and electronic
mail address.
The EP Text goes further in trying to bring tech
companies within reach by:
requiring electronic communications services
providers to be subject to similar customer
education/customer/alert/notice requirements
as PSPs in relation to online scams;
imposing fraud prevention obligations across
the entire fraud chain in relation to having
appropriate organisational and technical
measures in place to safeguard the security
of payments users when carrying out
transactions; and
providing that PSPs, electronic
communications services providers and
digital platform service providers will have
in place fraud prevention and mitigation
techniques to fight all fraud types
(unauthorised and authorised push payment
fraud). In either case, it isn’t clear how such
liability could be imposed on parties not
authorised under PSD3. The Council Text
acknowledges this difficulty, proposing
that the Commission and European Board
of Digital Services encourage and facilitate
the creation of a voluntary code of conduct
to foster cross sectoral co-operation.
Despite this, it also requires electronic
communication service providers to:
have in place measures to ensure effective
co-operation with PSPs, having regard to
the technical characteristics of each
of their services;
establish dedicated communication
channels with PSPs, or participate in a
system for effective communication, or
in an information sharing mechanism, to
allow for faster and more effective sharing
of any information that could be useful in
the prevention and detection of fraud; and
take all reasonable organisational and
technical measures to detect and prevent
fraud within their sphere of competence,
in accordance with applicable Union and
national law.
We expect that both ASPSPs and tech platforms
will want to engage to come up with an industry
approach to addressing this issue – the former to
ensure they are not solely on the hook for frauds
that emerge and are disseminated through social
media, the latter to ensure the resulting regime is
both constructive and workable for them.
Should the Council Text’s proposal for a new
“fraud prevention platform” be accepted, this will
be a helpful point of reference for them to do so
(see “Platform for Fraud Prevention”)
