Open banking and fraud detection – compliance with something that does not exist yet
You have a hard task if you want to collect all the information regarding open banking fraud detection. Well, in such situations mathematicians say that there are more variables than available equations.
In fact, the lack of knowledge is not surprising. Even an expert would have a hard time just enumerating the relevant legislation. PSD2, the revised Payment Services Directive, and the related regulations (some of which are available only in English) are getting all the spotlight in this field. The Hungarian legislation does not make our situation easier either: the number and complexity of Hungarian regulations go beyond what PSD2 brings. Just think of how many references an average law inserts into its text to further legislation, or of all the legal phrases and long sentences that even a well-educated person finds almost impossible to interpret.
And here we have uncovered the basic problem. You may have general legal knowledge, but you would still be unable to extract the specific requirements on business services, operational processes or specialized systems from texts written in legalese – yet these requirements are exactly what we ultimately need. For people with banking or IT expertise, the interpretation of legal text is the great obstacle. (I would like to note that compliance experts can provide effective help in this catch-22.)
If new legal requirements are published for banking (or in this case, fund transfer) services, or if there is a need to establish compliance in this area, then we can be sure that the requirements are included in a "general" law (this is typically the law on the provision of payment services or PFT in Hungarian) or in specific regulations and recommendations that define detailed obligations for customer management, supervisory reporting, IT systems, and security.
This is also the case with fraud detection. The PFT includes the higher-level requirements for the PSD2 fraud monitoring mechanism and provides the interpretative provisions and conceptual definitions needed to understand the details (e.g., what is sensitive payment data?). It is also important to mention that this legislation also defines the process elements to be followed in managing and cooperating with third-party providers (TPPs), and makes significant changes in customer protection and customer management.
It is well known that the details interesting for professionals are usually included in the implementing regulations, not in the text of the law itself. It is the same in this case. The real challenge for analysts is the regulation called the RTS on SCA & CSC, which was finalized after a rather lengthy process. (Of course, the legislation also has an official title: Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.) This is the right document for anyone who wants to know the technical details of fraud detection and the closely related strong customer authentication.
Those who do not want to implement new IT systems will also find the real answers here (e.g., is it really mandatory to implement a fraud detection system?). Spoiler alert: officially (legally) it is not mandatory, but everyday operations are almost unthinkable without it. Hungary is the only EU member state that has made it mandatory for payment service providers to connect to the instant payment system and to launch an instant payment service. Because over 90 percent of domestic bank transfers will happen through these services, fraud management must be rebuilt on new foundations. This can only be achieved with a carefully designed and well-structured fraud detection system, so the implementation is almost inevitable.
Anyone who has worked in a banking environment knows that you have supervisory reporting for every aspect of operations. PSD2 made it even more rigorous on one hand; on the other, it has created additional requirements for providing customer information. Of course, there are several legislative requirements in this field as well (the 9/2018. (III. 23.) MNB [the Hungarian financial authority] regulation, which is based on the 27/2017 (XI. 21.) MNB regulation). You have to be a graphomaniac to comply, because the obligations are the following:
§ Form P45 - Abuse in payment services (a quarterly comprehensive report);
§ Form P63 - Authentication and exception handling reporting, fraud rate table (a quarterly comprehensive report);
§ Form P64 - Payment service provider information on more severe operational and security incidents. You have to send a report (or even more than one) on every incident – the real content production starts here.
§ Form P65 – Unrefunded payment transactions in which you declare that you do not return the client's money (well, not immediately…) despite the complaint. Similarly to the previous one, this is a case-by-case report, where you can also dare to attach evidence supporting the suspicion to the report sent to the supervisory authority.
§ Form P66 - Report on the total denial of access for a third-party payment provider to the accounts; in short, when you fire a TPP.
The real question usually arises after weeks of legal analysis and consultation: how can you actually comply with the regulatory requirements "embodied" in financial authority audits, or more specifically, how can you get through them (I mean, how can you conduct prudent operations)? Well, this is a really tough question, because the position of the authority is not yet known in all respects on these topics, as there is no audit track record yet… Well, better late than never: the audits will start on September 14, 2019, and the answers will come, even if we don't ask for them…