As already mentioned in our previous e-Alert of 16 January 20191, payment service providers must provide, at least on an annual basis, statistical data on fraud relating to different means of payment, to the Luxembourg regulator of the financial sector, the Commission de surveillance du secteur financier (the CSSF) which in turn provides the European Banking Authority (EBA) and the European Central Bank (ECB) with such data in an aggregated form, pursuant to Article 105-2 of the Luxembourg act of 10 November 2009 on payment services, as amended (the Payment Services Act 2009).
By a circular 19/712 of 14 March 2019 (the Circular 19/712), the CSSF formally endorsed the Guidelines of the EBA on reporting requirements for fraud data under Article 96(6) of the Directive (EU) 2015/2366 (PSD2) (EBA/GL/2018/05).
The Circular 19/712 provides details on the types of payment transactions as well as the fraudulent payment transactions to be reported, the reporting frequency and timelines and the format of the reporting.
1. Which actors are concerned?
The obligation applies to payment service providers (as defined in article 1 (37) of the Payment Services Act 2009), including among others:
payment institutions (except account information service providers since they cannot initiate payment transactions);
credit institutions providing payment services; and
the Entreprise des Postes et Télécommunications
(together, the Entities).
Both Luxembourg-based Entities and Luxembourg branches of EEA Entities are subject to this reporting obligation towards the CSSF. Conversely, EEA branches of Luxembourg Entities may have to report to the competent authority of their host Member State, separately from the fraud data reporting made by their head office towards the CSSF.
2. What is the new obligation?
As mentioned above, an Entity must report fraud data related to different means of payment to the CSSF for statistical purposes.
The CSSF shall in turn share aggregated data with the EBA and the ECB.
3. Which data must be reported?
For the same period of time, fraud data reporting must include information on total payment transactions and total fraudulent payment transactions (regardless of whether the amount of a fraudulent payment transaction has been recovered), in accordance with the breakdown set out in Annex 2 of the Guidelines. Reporting must include fraud data for transactions that are domestic, cross border within the EEA and cross-border outside the EEA. Reporting for an Entity must include fraud data of all its agents (if any).
Entities must only report statistical fraud data for payment transactions that have been initiated and executed (including, as the case may be, acquired). Payment transactions that have not been executed and have not resulted in a transfer of funds in accordance with PSD2 provisions (for instance, because they have been detected as fraudulent before execution) shall not be reported.
For fraud data reporting purposes, fraudulent payment transactions encompass:
unauthorised payment transactions made, including as a result of the loss, theft or misappropriation of sensitive payment data or a payment instrument, whether detectable or not to the payer prior to a payment and whether or not caused by gross negligence of the payer or executed in the absence of consent by the payer (‘unauthorised payment transactions’); and
payment transactions made as a result of the payer being manipulated by the fraudster to issue a payment order, or to give the instruction to do so to the payment service provider, in good-faith, to a payment account it believes belongs to a legitimate payee (‘manipulation of the payer’).
An Entity must report the statistical fraud data in terms of both volume (i.e. number of transactions or fraudulent transactions) and value (i.e. amount of transactions or fraudulent transactions). For Luxembourg, values must be reported in euro currency (after conversion if necessary). The reporting must also include information on the losses suffered by an Entity, its payment service users or others due to fraudulent payment transactions, reflecting the actual impact of fraud on a cash flow basis.
Annex 1 of the Guidelines further details the general identification data that any Entity must provide in addition to the above.
4. When should the reporting be made?
An Entity must report the fraud data every six months. Hence, the reporting periods are set as follows:
1 January – 30 June;
1 July – 31 December.
Fraud data must be reported to the CSSF within three months after the end of the above reporting periods.
It is important to note that fraud data reporting needs to be provided to the CSSF even if no fraud occurred during the relevant reporting period.
If an Entity discovers information requiring adjustments to a past fraud data reporting, it shall make a rectifying reporting during the reporting period immediately following the discovery of that new information by submitting revised fraud data reporting tables.
5. Format and technical requirements for the reporting
The fraud data reporting tables are provided in Annex 2 of the Guidelines.
Applicable technical requirements for sending the fraud data reporting will be published by the CSSF on its website at a later stage.
6. Impact on the internal procedures of an Entity
The Entities must ensure that they have in place and maintain effective operational and security policies to comply with the above obligations. In particular, the various responsibilities for the identification of fraud cases, compiling of relevant data and reporting to the CSSF as well as applicable processes must be precisely defined.
7. Entry into force
The Circular 19/712 will be applicable as of 1 January 2020.