With the digitalization of payment services, the nature and prevalence of payment fraud have evolved, presenting new regulatory challenges for the EU legislature. This paper, authored by academics from 5 European countries, examines the liability for APP fraud, where the payment service user (PSU) is tricked into authorizing a payment to another account. Unlike traditional unauthorized transactions, APP fraud involves social engineering tactics, such as impersonation via WhatsApp or fraudulent bank communications.

The current EU Payment Services Directive (PSD2) does not consistently address liability for APP fraud across member states, leading to varied interpretations and legal outcomes. While PSD2 holds payment service providers (PSPs) liable for unauthorized transactions, it lacks provisions for APP fraud, often leaving PSUs to bear the consequences unless national laws impose a duty of care on PSPs.

The European Commission’s proposal for a Payment Services Regulation (PSR) aims to address these gaps by introducing liability for PSPs in cases of APP fraud involving impersonation of the PSP (bank impersonation fraud). This proposal has sparked debate among EU co-legislators, with suggestions to expand liability to other forms of impersonation fraud and to clarify the definition of “authorized” transactions.  The paper advocates for partly harmonizing liability rules across the EU, emphasizing the need for clear definitions and consistent application of liability for APP fraud. It also highlights the importance of balancing fraud prevention measures with the privacy,  autonomy and own responsibility of PSUs. The authors propose extending liability in the PSR only to scenarios where trust in the payment system is exploited (such as bank impersonation fraud), while leaving other types of fraud to national discretion.

Read the entire article here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5241100 or https://dx.doi.org/10.2139/ssrn.5241100.