European Banking Authority Urges Fair Treatment for Customers in Fraudulent Payment Cases

In response to the rising incidence of payment fraud, the European Banking Authority (EBA) has issued an opinion calling for fair treatment of customers who fall victim to scams involving two-factor authentication payments. While the EBA's opinion is not legally binding, it informs the European Commission's Supranational Risk Assessment, influencing policies at the EU level.

The EBA emphasized the need for clarity in liability rules within the Payment Services Regulation, which governs retail payments across the EU. It noted a concerning trend where instant payments experience higher fraud rates compared to traditional credit transfers, with a significant portion of fraud losses being borne by customers.

According to the EBA, in 2022, customers bore 79% of the losses from credit transfer fraud, amounting to €1.2 billion. This imbalance in liability is attributed to the increasing prevalence of payment fraud in the form of manipulation of the payer. Furthermore, the EBA highlighted a concerning practice among payment companies in several EU member states, where transactions authenticated via Strong Customer Authentication (SCA) are considered authorized, even in cases of social engineering fraud.

To address these issues, the EBA recommended amendments to the EU's liability rules to protect customers who are deceived into making fraudulent payments. Among the proposed measures are:

  1. Rejection of SCA as Sole Proof of Authorization: The use of SCA should not be sufficient to prove that a payment transaction was authorized by the payer or that the payer acted fraudulently.

  2. Denial of Fraudulent Transactions: Payer-initiated transactions denied by the payer, even if authenticated by SCA, should not be considered authorized if initiated by a fraudster.

  3. Awareness of Mismatched Transactions: Transactions denied by the payer due to a mismatch between the IBAN and the beneficiary's name should not be considered authorized.


Additionally, the EBA stressed the responsibility of payment service providers (PSPs) to provide adequate customer assistance regarding security. PSPs should be held liable for fraud if they fail to fulfill their obligations in this regard, including promptly addressing customer inquiries and suspicions of fraud.

The organization also outlined expectations for customer service standards, emphasizing the provision of assistance for security concerns and timely follow-up on reported anomalies or suspected fraud. This service should be available during the operating hours of the relevant payment service.

As the prevalence of payment fraud continues to pose challenges in the digital banking landscape, the EBA's recommendations aim to safeguard the interests of consumers and promote accountability among payment service providers.


