Update on the Payments landscape – January 2023

Update on payments landscape

The payments landscape continues to evolve and this blog shares some of the topics that caught my attention during the last month. If you think I’ve missed anything important, do please send an email to technical@treasurers.org.

Regulatory announcements

  • The European Commission (EC) published a proposal to force banks and other payment service providers (PSPs) to offer 24/7 instant euro payment services without charging customers an additional fee, in order to address the slow rollout and adoption of instant payments by banks across the eurozone. PSPs in the eurozone will have six months to begin accepting instant payments and one year to enable sending them.
  • The Payment Systems Regulator (PSR), in conjunction with HM Treasury, the Competition and Markets Authority (CMA) and the Financial Conduct Authority (FCA), provided an update on the replacement for the Open Banking Implementation Entity (OBIE). The update identified three priorities for delivering this vision:
    • Unlocking the potential of Open Banking payments to support competition and innovation by creating greater choice between payments methods and enabling exciting opportunities to build the next generation of payments, including more efficient and tailored services;
    • Adopting a model that is scalable for future data sharing propositions; and
    • Establishing a sustainable footing for the ongoing development of the Open Banking ecosystem.

The Strategic Working Group is providing extensive analysis reflecting the range of stakeholder views on current gaps in Open Banking, potential short- and long-term solutions, and the structures required to develop Open Banking further and define a future roadmap. It is expected to produce its final report during January 2023.

The joint group will publicly set out its recommendations in relation to the design of the future entity, both during the interim state and once a long-term regulatory framework is in place, and the vision for Open Banking, in Q1 2023.

  • The PSR continues to review the market for cross-border interchange fees, especially following the UK’s withdrawal from the EU. It has found that Visa and Mastercard have increased the interchange fees on online purchases made by UK consumers to European businesses, and vice versa, fivefold: from 0.2% to 1.15% for debit cards, and from 0.3% to 1.5% for credit cards. The aim of the review is to understand the rationale behind the increases in rates for Mastercard and Visa’s consumer debit and credit “Card Not Present” transactions. The PSR expects to publish its interim findings in the second half of 2023 and a final report by the end of 2023.

The consultation on this working paper will close at 5pm on Thursday 19 January, 2023 and the PSR would welcome feedback to cardfees@psr.org.uk.

  • The PSR has issued two new consultations in relation to Authorised Push Payments (APP):
    • Covering the metrics that the initial 14 largest payment service provider (PSP) groups will need to provide every six months, the re-consultation specifically considers the process for collecting and validating PSPs’ APP scam receiving rates (Metric C). The PSR is proposing that receiving PSPs will have the option to ask sending PSPs for a breakdown of their APP scam data so that they can check it, and that sponsor PSPs, where they are able to, will have the option to identify APP scam transactions that should be allocated to their indirect PSPs.
    • The PSR outlined the technical process that banks and building societies will have to follow as part of its new reporting requirement for authorised push payment (APP) scams. The consultation covers the technical process for collecting scam data, which will show for the first time how well firms are protecting customers. The data the regulator will require banks and building societies to provide covers the proportion of victims who are left fully or partially out of pocket, as well as the rates of APP scams occurring at both sending and receiving banks or building societies. Publication of this data will dramatically increase the information available to customers about how well their bank or building society is doing in tackling scams and reimbursing victims.
  • The G20 issued its report summarising progress during the second year of the roadmap to deliver enhanced cross-border payments. It brought together the work under the roadmap’s wide-ranging but interconnected set of initiatives and also confirmed the next steps in the roadmap for 2023 and beyond, organised around the priority themes described in the FSB note for the G20. Key activities included:
    • Outreach events to inform work being done on building block 1 to develop an implementation methodology for monitoring progress toward the roadmap’s targets, building block 6 to review the interaction between national data frameworks and cross-border payments, and building block 16 to establish unique identifiers with proxy registries.
    • Launch of a service level task force, made up of private-sector managers of service level agreements and payment schemes, to support the development of service level templates under building block 3.
    • Workshops with both providers and users of PvP (Payment vs. Payment) arrangements to refine proposals for increased adoption of PvP and gain further insight into evolving user requirements for PvP services.
    • The development of preliminary ISO 20022 harmonisation to set minimum guidelines for core data components across the cross-border payments chain.

Interesting reports

  • The European Payments Council issued its annual report on Payment Threats and Trends. Its key findings included:
    • Social engineering attacks and phishing attempts are still increasing, and they remain instrumental, often in combination with malware, with a shift in targets from consumers, retailers and SMEs to company executives and employees (through “CEO fraud”), and more frequently leading to authorised push payment (APP) fraud.

    • Awareness campaigns remain very important countermeasures against social engineering, and these campaigns should be coordinated, also involving public administrations. They should target individual and corporate customers, as well as employees. Service providers can implement techniques that help customers verify that websites and emails are genuine, and can provide customers with authenticators which do not expose sensitive information. Service providers can also implement protection mechanisms in their email infrastructure and benefit from specialised services for closing down phishing websites.
    • Malware, existing in various forms, remains a major threat; in particular, ransomware has been on the rise during the past year, requiring new mitigating measures.
    • Measures against malware include proper maintenance of their own devices by customers, including mobile devices (regularly update the operating system, use only needed software, install and activate anti-virus and anti-malware tools, enable secure access, etc.).
    • One of the most sophisticated and lucrative types of payment fraud, now and for the future, appears to be the Advanced Persistent Threat (APT). It must be considered a potential high risk not only for payment infrastructures but also for all network-related payment ecosystems.
    • Measures against APTs should start with security defences and include advanced security data analytics and early-detection technologies with real-time reporting and visualisation.
    • The number of (D)DoS attacks has increased. Botnets persist, and because of the high volume of infected consumer devices (e.g. PCs, mobile devices, etc.) severe threats remain. Extortion or ransom DDoS (RDDoS) attacks have started to become a new threat.
    • Botnets can act as a force multiplier for malicious activity, including DDoS, using compromised systems ranging from computers to IoT devices. Botnets are also a preferred means of mining crypto-currency, drawing on the victim’s computing power and electricity.
    • A fraudulent payment transaction is often followed by the use of a monetisation channel such as an immediate cash withdrawal, a purchase with no trace, a money transfer or a transfer to another account (“money muling”). Raising awareness among customers, and identification of “mules” combined with monitoring and stopping measures, should be adopted as mitigation actions.
    • Attacks leading to fraud can occur in all payment-relevant processes: on-boarding/provisioning, Request-to-Pay/E-Invoicing, initiation/authentication and execution. Attacks often exploit a combination of several threats. Appropriate countermeasures, depending on the threat type, should be adopted:
      1. At the onboarding and provisioning stage, attacks can target client information in an authoritative registry (e.g. postal address, mobile telephone number) and make use of stolen credentials, notably through SIM swapping.
      2. The invoicing and Request-to-Pay stages are particularly exposed to APP fraud or IBAN manipulation, including tampering with QR codes.
      3. Initiation and authentication are primarily exposed to malware attacks. Such attacks can be combined with social engineering (e.g. the customer is informed that a specific payment has been initiated, or that a payment has been erroneously received and should be reimbursed, etc.).
      4. Attacks at the payment execution stage focus on processing systems, where the actual validation of the transaction and transfer of funds is executed. The most relevant types of attack at this stage are DDoS and APTs.
    • If the perspective of the analysis shifts from the payment processes to payment instruments and payment schemes, the following specificities may be observed:
      1. Concerning card payment fraud, criminals are changing their approach: not only by moving to more high-tech frauds such as APT, but also, in some cases, by reverting to old-school types of fraud such as lost and stolen cards, sometimes in combination with social engineering. As e-commerce is still on the rise, card-not-present (CNP) fraud remains a significant factor in fraud losses.
      2. For SEPA Credit Transfer (SCT) and Direct Debit (SDD) transactions, criminals’ use of impersonation and deception scams, as well as online attacks to compromise data, continues to be the primary factor behind fraud losses. In these, criminals target personal and financial details which are then used to facilitate fraudulent transactions. During the past year an increase in APP fraud has been noted.
      3. For SEPA Instant Credit Transfer (SCT Inst), in addition to the threats targeting SCT, its specific features can also be exploited:
        1. immediate execution followed by immediate clearing and settlement, with funds instantly made available to the beneficiary, and
        2. continuous processing on a 24/7 basis.
    • The supporting SEPA schemes (SPL and SRTP) are relatively new, meaning that it is too early to observe real-life fraud cases targeting them or to draw any meaningful conclusions. It can be expected that the same patterns of threats and fraud enablers will affect them.
    • Specific threats in the mobile wallet include targeted attacks on mobile device key stores, unlock credentials, user interfaces and NFC controllers.
  • EY issued a report, How the rise of PayTech is reshaping the payments landscape. The report introduces the term PayTechs, comprising FinTechs focused on the payments value chain, payments facilitators (PayFacs), PSPs, networks creating new payments propositions, and payments technology suppliers. It found seven forces shaping the landscape and enabling payments to become more instant, frictionless and embedded within customer journeys.

  • The report also notes that:
    • Connected commerce is driving the digital economy. New payments propositions are helping connect merchants and consumers directly, in the most efficient way, leading to faster, cheaper and safer payments methods.
    • “Value beyond payment” has been top of mind for many payment players as they look beyond transactions and focus on the holistic customer experience. By providing relevant services before and after payments, they’re evolving into “one-stop shops.”
    • Open banking will be a real game changer as many more players will embrace “pay by bank,” as well as new payment methods like variable recurring payments (VRPs).
    • The adoption of real-time payments rails (RTR) unlocks tremendous innovation across the overlay services, enabling all PSPs to serve customers better through account-to-account (A2A), which is further reinforced and accelerated by open banking.
    • Embedded payments are expected to scale and become more invisible as non-financial services providers integrate payments into customer journeys – driven by the rise of e-commerce, platforms and marketplaces.
    • The emergence of innovative payments facilitators (PayFacs) is fundamentally changing the way businesses, acquiring banks and card networks work together.
    • New PayTech ecosystems are developing that can securely store, manage and leverage consumer and merchant data generated through payment transactions, representing radical data monetisation opportunities and unique customer offerings.
    • Crypto and digital currencies will offer not only new payment methods, but a new infrastructure enabling instant settlement through distributed ledger technology (DLT), programmability, smart contracts and tokenisation.
  • Mastercard has issued a useful introductory guide to real-time payments.

Naresh Aggarwal

Associate Director, Policy & Technical
