In a non-paper, the Netherlands advocates changes to the European proposal for the new Payment Services Regulation (PSR) in the following areas:
1. Transaction monitoring
2. Data sharing
3. Position of the alleged fraudster and proportionality of measures
4. Liability regime and gross negligence
The text suggests that transaction monitoring is only about protecting customers from fraud, while transaction monitoring is also required to detect criminal money (‘money laundering’).
The following is said on the first two areas:
1. Transaction monitoring
Transaction monitoring is central to PSPs' ability to detect and stop fraud. It protects consumers against fraudulent transactions and helps to maintain confidence in our financial system. [2] In recital 102 it is explained that transaction monitoring is aimed at detection and prevention and data retention periods are linked to these goals. Moreover, the Regulation stresses that in order for transaction monitoring to be effective, it should be constantly improved and should benefit from as much relevant information as possible to be able to assess risks. Therefore, the Netherlands proposes the following:
1. To clarify the purpose of transaction monitoring and storing of the information that stems from it. When fraud is detected by PSPs, they can take real-time preventive action. For example by freezing suspected fraudulent transactions or contacting and informing the customer. However, the information that stems from monitoring can also be very valuable for other preventive or reconstruction purposes. For example, for accountability of the PSP towards supervisors, reconstruction in criminal investigation by the police and in the assessment of liability towards the customer to refund financial losses. These purposes should be added under article 83 (1C). This also means that in case of a proven fraudulent transaction, PSPs should be able to extend the retention period until after the customer relationship has ended. Otherwise this can be an incentive for fraudsters to swiftly change from PSP.
2. To add other information sources to transaction monitoring. Monitoring criteria should not only be based on information of the PSP (for example previous payment transactions) but could also be based on information – for example on modus operandi – from the customer, police and electronic communication service providers. [3] This information should therefore be added under article 83 (2).
Furthermore, the Netherlands requests:
3. The Presidency to discuss options to clarify the use of AI in the Regulation. The Netherlands endorses the importance of the use of technology for transaction monitoring as described in recital 103. Where the use of AI in transaction monitoring results in automated processing of data and automated decision-making, guarantees for data subjects are required under the GDPR. [4] An important guarantee, for example, is the right not to be subject to decisions solely based on automated processing.
2. Data-sharing
The Netherlands endorses an important objective of the Commission’s proposal, namely detecting fraud and the necessary comparison of data from multiple registrations, as laid down in recital 103. In the current text, sharing of unique identifiers of a payee, manipulation techniques and other circumstances associated with fraudulent credit transfers identified individually by each PSP happens amongst PSPs on a voluntary basis when there is sufficient evidence that stems from transaction monitoring that there was a fraudulent payment transaction. The Netherlands has a number of proposals, as well as questions for clarification. The Netherlands proposes:
1. To include an option to share a limited set of data broader than the unique identifier, in conformity with GDPR, and for the purposes as laid down in 83 1 (c). Recital 103 mentions the importance of sharing of "all relevant information amongst PSPs" and mentions a few examples of data that can be shared, while article 83 (3) only describes sharing of the unique identifier. From practice in the Netherlands we know that a unique identifier is not enough data to properly detect fraud networks as they operate with multiple unique identifiers. As was highlighted in the Swedish non-paper, more data is needed for this purpose. According to the Netherlands this could include IP addresses of devices, stolen authentication elements and user agents. Sharing this data should be subject to GDPR safeguards and the use of privacy enhanced technology. The Netherlands proposes to request the EBA to establish which technical data/traces of fraud are needed for this purpose and to add this data in article 83 (3).
2. To clarify the link with the GDPR in transaction monitoring and data sharing. Because processing and sharing of data in the context of fraud detection and prevention can concern personal data of a criminal nature the Netherlands proposes to include a reference in Article 80 to Article 10 GDPR/2016, and/or article 11 2018/1275.
The Netherlands requests:
3. The Commission to elaborate on whether sharing of data on a voluntary basis by PSPs provides consumers with a sufficient level of protection against fraud in our payment system. Should this be more obligatory under certain circumstances?
4. The Commission to elaborate on why sharing of information with law enforcement or filing a police report in case of fraudulent transactions is not mentioned in the PSR. The Netherlands finds it important that criminal investigations take place into fraud and that PSPs report to the police when they detect fraud. This point was also brought forward in the Swedish non-paper.
5. The Commission to elaborate if the cooperation that is required from electronic service providers in case of bank impersonation fraud in article 59 also encompasses the sharing of relevant (personal) data, subject to GDPR requirements.
[2] Delegated regulation (EU) 2018/389
[3] For example, a police report that has been filed, new modus operandi, session data from electronic communication service providers.
[4] Article 22 GDPR
The following amendments are proposed regarding transaction monitoring and data sharing:

More information:
The Netherlands
- Page on the site of the Tweede Kamer on the non-paper
- Letter by the minister of Finance (Dutch)
- Non-paper of the Netherlands delegation. Regarding fraud-related clauses in the PSR.
Europe
General information on the financial data access and payments package (European Commission):
- Modernising payment services and opening financial services data: new opportunities for consumers and businesses (press release)
- Financial data access and payments package (page)
- Payment services (page)
European proposals for PSR and PSD3:
- Proposal for a Regulation on payment services in the internal market (PSR) – COM(2023) 367 – European Parliament file.
- Proposal for a Directive on payment services and electronic money services in the internal market (PSD3)
- Impact assessment, summary of the impact assessment
- Report from the Commission to the European Parliament, the Council, the European Central Bank and the European Economic and Social Committee on the review of Directive 2015/2366/EU on payment services in the internal market
- Report from the Commission on the review of settlement finality in payment and securities settlement systems including its application to domestic institutions participating in third-country systems and of financial collateral arrangements
- Summary of responses: Review of the Directive on settlement finality in payment and securities settlement systems
- Summary of responses: Review of the Directive on financial collateral arrangements
Earlier I wrote on data sharing in PSR: Sharing of transaction monitoring information by PSPs in the PSR proposal | financial data access and payments package EU.

