The European organisation of payment service providers EDPIA [1] and several other organisations have asked European legislators [2] not only to make it easier for payment service providers (that include banks) to share transaction data between themselves of all European account holders. They also want that transaction data to be enriched with data from telecom providers (famous for their security problems [3]) and platform service providers.

The statement is signed by EDPIA and also by the European Fintech Assocation EFA, Payments Europe, the Open Finance Association, Computer & Communications Industry Association CCIA and the Electronic Money Association (EMA).

From the statement:

Tackling fraud in the digital ecosystem requires a dynamic approach that spans across all actors involved. A comprehensive solution must address each link in the fraud chain to be effective: not only payments services providers (or PSPs), but also telecommunication companies and online platforms. We, as an industry, are prepared to work with legislators to develop fit-for-purpose measures to fight fraud, as the current proposal falls short of addressing the challenge in its entirety. While the PSR draft includes requirements on electronic communications service providers to cooperate with PSPs to fight against fraud, there is no provision involving telecommunications providers to work towards the same objective. Also, the PSR draft fails to reference online platforms efforts to remove fraudulent content: the Digital Services Act (DSA) should be cross-referenced in the PSR, as it aims to ensure a safe, predictable and trusted online environment. In particular, the DSA allows the Commission to initiate drafting of codes of conduct, including setting out commitments to adopt specific risk mitigation measures. We would suggest expanding this practice to payment fraud prevention, e.g., by introducing Do Not Originate Lists and Sender ID Registers commitments for telecommunication companies, along with the use of advanced machine learning technology/AI systems to proactively remove fraudulent content on online platforms. To ensure optimal coordination across industries, we would recommend setting a dedicated taskforce of EU regulators including payments, technology and telecommunication sectors. For instance, in the payments sector, the Euro Retail Payments Board has created a Working Group on Fraud, which can play a key role for joint-industry efforts.

1.2. Extended Data Sharing

We recommend extending the ability to establish voluntary data sharing arrangements for the transaction monitoring purposes to include electronic communications service providers, online platforms, technical services providers, and competent authorities under the existing data sharing frameworks.

We support the provisions of the draft PSR allowing PSPs to voluntarily enter information sharing arrangements, to better detect fraudulent payment transactions and protect their customers. However, information sharing of personal identifiers alone is not enough: the list should be extended to at least name, organisation number, modus operandi and other relevant transaction information to the extent it is available. Also, fraud prevention efforts would benefit from information being provided to PSPs by all participants of the ecosystem – such as electronic communications service providers, and online platforms and would require clear data sharing rules, and possibly lead to the setting-up of a platform where the exchange takes place. The PSR adoption allows for a unique opportunity to support collaborative efforts and shape the process. Involvement of both European and national competent authorities is needed to swiftly address new fraud patterns and the threats private and public entities face.

If these recommendations are followed, it will mean even more financial personal data and other confidential data (such as telecom data) will be processed by even more parties. All this while there is no evidence that alternative measures, which pose less data protection risks, have been considered. Furthermore, a major problem is that the monitoring of data protection compliance by payment service providers, telecoms companies and platform companies by European data protection supervisors is completely inadequate, e.g. due to understaffing and underfunding of the European data protection supervisors.

The result of such developments is that the data protection risks for citizens are increasing, while it is not possible to withdraw from surveillance by these parties or to mitigate the risks.

Notes:

[1] The European Digital Payments Industry Alliance represents the interests of independent Payment Services Providers headquartered in Europe, according to this page.
[2] In this consultation reaction.
[3] It is common knowledge that telecom companies pose huge data protection risks to citizens and that insufficient security measures are taken by those companies. There is regulation (read e.g. this), but whether it achieves anything is questionable.