Agefi Luxembourg - February 2025

Payment Fraud on the Rise: Regulator Pushing Various Initiatives to Support Clients and Industry

In one of its latest reports (1), the European Banking Authority (EBA) has highlighted a surge in impersonation fraud and sophisticated online and social scams, often leveraging new payment methods such as instant payments. As instant payments become widely available, the EBA reports that, back in 2022, fraud rates for instant credit transfers were on average 10 times higher than for regular credit transfers. With the rise of social media and advanced scamming techniques, banks are increasingly confronted with a type of fraud called Authorized Push Payments (APP).

Limitations of current market anti-fraud practices

Today, most fraud prevention mechanisms are built on the assumption that a fraudster would take over the account or payment instrument (e.g., credit card, online banking) of a client. Thus, current practices focus on identifying whether the person initiating a transaction is indeed the customer of the bank. To do so, Payment Service Providers (PSPs) often check the location of the payer, the digital signature of the device used, and the amount and pattern of initiated transactions to detect potential fraud.

With APP scams, the difficulty lies in the fact that the payer is tricked into initiating a payment to the wrong beneficiary. In this model, it is the actual client performing the payment, reducing the effectiveness of current detection mechanisms. When combined with the 10-second speed of instant payment transactions, it creates a perfect environment for fraudsters to thrive.

In response, EU authorities have launched a series of regulatory initiatives aimed at bolstering the security of payment systems and at strengthening the protection of EU payment users.

Regulatory initiatives for enhancing security

The new Instant Payments Regulation (IPR), which went into effect last January, introduced two critical measures to combat payment fraud.

The first is the obligation for PSPs to perform daily sanctions screening of all customer accounts against EU sanctions. This measure is designed to potentially block all suspicious accounts even before any transaction can be initiated from/to these accounts, reducing the risk of fraudulent activities.

While this practice was not entirely new to the market, PSPs still have to upgrade their monitoring systems to allow daily screening, including weekends, and to put in place operational measures and safeguards to take necessary actions over weekends and bank holidays. Although this mechanism was supposed to replace transaction monitoring for instant payments and allow faster processing, PSPs must comply with more than just EU sanctions, and it remains a market practice to perform transaction screening for other purposes (such as checking US sanctions lists or preventing fraud).

In addition, the IPR introduced the concept of Verification of Payee (VOP), often called the “IBAN-Name check” service. This concept, which already existed in certain local markets like the Netherlands, and the UK under the name of Confirmation of Payee, is designed to prevent fraud by ensuring that funds are transferred to the intended recipient. This new mandatory (and free to use) service will apply to all credit transfers by 9 October 2025.

PSPs are required to offer to retail and corporate clients a mechanism that verifies the coherence between the payee’s IBAN and name. If the details do not match, the PSP must inform the customer, indicating whether the details are “not a match” or a “close match.” This measure aims to reduce the risk of social engineering and fraudulent transactions by providing an additional layer of verification before funds are transferred.

However, many banks are concerned that the October deadline may be too tight. For instance, third parties looking to provide routing and/or verification mechanisms for the VOP “scheme” (a set of rules and guidelines for implementation) have noted that the scheme was only recently published on the European Payments Council’s website. This limited timeframe poses challenges for compliance with the requirements.

Selecting and implementing a third-party solution is a time-consuming process that necessitates thorough due diligence, as well as functional and technical testing. It is crucial to identify a solution provider that offers a seamless integration experience – often through APIs – and can be easily embedded into payment channels. This approach is essential for creating a distinctive customer experience and gaining a competitive edge in the market.

Alignment with the wider EU regulatory framework

In addition to these two new requirements, EU regulators are also driving the update of the second Payment Services Directive (PSD2) and are about to adopt, probably by the end of 2025, a new EU Regulation that will apply across the EEA as the new Payment Services Regulation (PSR). The final text is not yet voted on, but the current draft and various consultations emphasize the qualification of payment fraud and the protection of EU customers suffering from it.

The PSR expands on the concept of fraud, particularly focusing on cases of impersonation. It introduces measures to address gross negligence and expands on the obligation to put in place strong transaction monitoring systems. PSPs will also be required to run training and awareness campaigns on fraud trends and risks, targeting both customers and employees. These campaigns aim to educate stakeholders on the latest fraud tactics and provide practical advice on how to avoid falling victim to scams. By raising awareness and improving knowledge of fraud prevention techniques, the regulation aims to empower customers to protect themselves against fraud.

Complementary to spreading awareness, the EU recognizes that sophisticated prevention measures also need to be taken, and will introduce a new concept of Fraud Data Sharing for this purpose.

The PSR establishes a legal basis for PSPs and Electronic Communication Service Providers (ECSPs) (e.g., mobile operators, broadband companies, etc.) to start sharing information related to fraud cases. This includes details such as names, phone numbers, email addresses, and modus operandi, which will be shared on a platform set up by the European Banking Authority, compliant with personal data protection rules. This collaborative approach aims to enhance fraud detection and prevention by enabling PSPs and ECSPs to pool their resources and share intelligence on emerging threats. The regulation also outlines the responsibilities of each party in the event of a data breach or fraud incident, ensuring accountability across the payment ecosystem.

The call to action for businesses

Over the next few years, the regulatory initiatives outlined above will have significant operational and technological impacts on both back- and front-end systems for PSPs. While some of these measures can be implemented quickly, such as training, customer education, and awareness campaigns, others, such as the verification of payee mechanism or advanced transaction and behavior monitoring tools, will involve greater complexity and resource allocation to deploy – and should therefore be anticipated. All these initiatives will only be effective if the entire payment ecosystem plays its part and if its players take strong measures to develop new solutions and increase collaboration by proactively reporting fraud cases and fraud data to their peers.

While machine learning is already widely used in transaction analysis and monitoring, the use of artificial intelligence will help PSPs fight back against increasingly complex fraud techniques where fraudsters use AI-generated voices, pictures of identification documents, and even video. By identifying patterns and anomalies, these technologies enhance fraud detection capabilities and facilitate faster responses to emerging threats.

In parallel, cross-sector collaboration between PSPs and ECSPs is a step in the right direction, but further efforts are needed to foster collaboration across the financial ecosystem. This includes working with law enforcement agencies, regulatory bodies, and other stakeholders to develop a comprehensive fraud prevention approach. While the private sector has its role to play, local governments and supervisory authorities will also have to support players in the financial industry.

As the regulatory environment continues to evolve, businesses must proactively embrace innovation in fraud management. Going beyond the minimum compliance is key and will require a review of the customer experience – the customer journey – to integrate increased fraud prevention mechanisms. Firms that invest in next-generation fraud prevention solutions, leverage AI-driven transaction monitoring, and foster a culture of security awareness will not only protect themselves but also gain a competitive edge in the digital economy.

Vanessa MÜLLER, Partner, ESG Leader
Clément ROBERT, Senior Manager, Regulatory Compliance
EY Luxembourg

1) Opinion on new types of payment fraud and possible mitigations.pdf

Launch of the LSFI Luxembourg 2030 Strategy

Following the Luxembourg government's 2023-2028 coalition agreement, the Luxembourg Sustainable Finance Initiative (LSFI) has defined its strategy for the next 5 years. The 2030 Strategy sets out a vision of how the LSFI will advance sustainable finance in Luxembourg by updating its missions and scope of action.

The LSFI's role and mission are to be Luxembourg's coordinating entity for sustainable finance, to drive change across the ecosystem as a Centre of Excellence and Knowledge Hub, to enable the financial sector to accelerate the financing of the transition, and to measure progress.

As a Centre of Excellence and Knowledge Hub, the LSFI will build on the expertise and resources developed over the past four years, providing guidance and thought leadership to improve the ecosystem's understanding and skills. This will include coaching initiatives and various actions to help financial institutions navigate this complex environment.

The LSFI will also work more closely with the financial sector. While the LSFI already engages with financial-sector representatives through its current regular activities (Stakeholder Forum and Assembly, Working Groups and Advisory Boards), it will now deepen its relationships by Developing Expertise and Leadership, Identifying New Potential and Mobilizing the Financial Sector, and Measuring and Communicating Progress.

Gilles Roth, Luxembourg's Minister of Finance, commented: “The LSFI Luxembourg 2030 sustainable finance strategy is being introduced at a critical moment. The need to mobilize finance for positive impact is more urgent than ever. Global challenges such as climate change require finance to play a leading role in building a sustainable economy. This strategy is a new chapter in the history of LSFI. It is a call to action for all of us to work together, to innovate and to lead the way in sustainable finance. In doing so, we can ensure that finance remains a force for good.”

To achieve its objectives and fulfill its mission, the LSFI will operate on the basis of three updated strategic pillars:

1. Strengthening Expertise and Leadership: This pillar focuses on improving understanding of sustainable finance topics and on providing skills, coaching and information to financial institutions, policymakers and other stakeholders. The LSFI aims to act as a center of excellence and knowledge for Luxembourg, sharing insights on emerging trends and best practices and fostering knowledge across the ecosystem.

2. Identifying New Potential and Mobilizing the Financial Sector: Recognizing the essential role of the financial sector in promoting sustainable finance, this pillar emphasizes collaboration and innovation. The LSFI will seek to create opportunities for public and private organizations to work together, facilitating the development of new sustainable finance solutions, innovation and impact investing initiatives, and increasing capital mobilization.

3. Measuring and Communicating Progress: This pillar reflects the importance of data in enabling Luxembourg to measure the progress made on sustainability. The LSFI will strive to leverage data to provide the ecosystem with high-quality analysis and information, tracking the progress of sustainable finance over time and communicating it effectively.

The LSFI Luxembourg 2030 strategy for sustainable finance was developed in collaboration with the consulting firm Oliver Wyman and is based on a strategic assessment carried out by the latter. This assessment analyzed Luxembourg's sustainable finance ecosystem, the LSFI's strengths and opportunities, and global developments in sustainable finance. In addition, in-depth interviews were conducted with LSFI stakeholders to ensure that a wide range of perspectives and expertise was taken into account.
