Is the EU taking the right approach to APP fraud?
1. Introduction
The EU law-making institutions are currently discussing updates to the EU’s current payment laws. One of the issues they want to tackle is the growing number of payment scams in Europe.
The EU’s existing payments laws have helped greatly in reducing simple forms of fraud, such as where a fraudster steals a consumer’s card details. As a result, fraudsters have turned to more sophisticated scams, such as social engineering attacks. In these attacks, a fraudster may impersonate a consumer’s bank – for example, to persuade them their account has been compromised and they need to move their funds to a ‘safe’ account. Or the fraudster might pretend to develop a romantic relationship with the consumer before asking for money. Because the consumer actively initiates the transaction, these are commonly called ‘authorised push payment’ or ‘APP’ scams.
European policy-makers’ reforms must recognise that APP scams are complex, and typically involve a scammer using a variety of services – from social media, telecoms services, and banks – so that no one player has the full picture of the fraud taking place. Tackling APP fraud effectively therefore requires two things: educational programmes to help consumers act vigilantly and identify fraud; and trust and close collaboration between banks, telecoms companies, online platforms and authorities.
The Commission2 and Parliament’s proposals include new rules that force banks to reimburse consumers affected by APP fraud. Parliament’s proposal goes much further, however, with strict rules to share liability between banks, telecoms companies3 and online platforms.4 Parliament’s approach would encourage firms to focus on shifting liability for fraud between them. That is unlikely to be a helpful approach to fight fraud for four reasons:
a) Banks, telecoms companies and online platforms already have strong incentives to keep users safe. These players also have extensive regulatory commitments requiring them to take action against fraud.
b) Measures that focus on shifting liability for APP fraud undermine trust and co-operation.
c) Liability rules would contribute to a complex and incoherent legal framework.
d) Measures focused on liability undermine educational programmes, because they encourage users to be less vigilant, and create a ‘honeypot’ effect encouraging even more fraud.
Policy-makers could take more effective steps to tackle the problem. These include addressing where existing EU law prevents firms from co-operating, and helping promote voluntary crosssectoral initiatives to stop fraud.
2. Platforms have both incentives and existing obligations to tackle fraud
A key characteristic of APP fraud is that it tends to span across different services and platforms, and no one player has full visibility of the fraudster’s conduct and their interactions between the fraudster and their target. Take a romance scam: the fraudster might make contact with their target over social media, a dating app, or another legitimate website; move their communications onto email, instant messaging apps, or a traditional telephone call; and then the person affected will send money over a payment network. Criminals involved in this activity can quickly change their strategies, use of different platforms, and modi operandi to avoid detection.
In tackling fraud effectively, the right starting question is to ensure each type of firm has the right incentives – or is under regulatory obligations – to co-operate with other players in the fight against fraud.
Banks, telecoms firms and online platforms already have strong incentives and undertake action to ensure their services are safe, so that consumers continue to use them and businesses are comfortable advertising on them. This is illustrated from the extent of firms’ unilateral efforts: Amazon, for example, invested USD 1.2bn in 2024 to protect users from fraud and counterfeits,5 Meta removed over 19 million examples of spam from Facebook in the EU in the 6 months ending 31 March 2024;6 and Google removed nearly 14 million examples of spam or fraud from its search engine results over the same period.7 Even more importantly, all these types of firms are already working together on a voluntary basis to eliminate fraud – both firms of the same type and different types of platforms. These include, for example:
● The Tech Against Scams coalition,8 which includes both tech and financial services firms and aims to protect and educate users about scams, and share knowledge and best practices.
● The Global Signal Exchange, a platform for sharing real-time insights into online scams by consolidating different data sources together supported by Google and the Global Anti-Scam Alliance. Google also offers Cross-Account Protection, which means it shares information about suspicious activity with third-party apps and services connected to a consumer’s Google Account, and a Global Priority Flagger Program, where Google prioritises reports of fraud from nearly participating scams and fraud partners around the world.
● Scam Signal API – a tool offered by Vodafone to help banks identify impersonation fraud, and block scam payments, in real-time.9
Beyond voluntary actions, EU law already imposes significant obligations on banks, telecoms firms and platforms in tackling APP fraud. For example:
● Banks are already obliged to report on incidents of fraud,10 and to check that the account name matches what the payer has provided (called ‘confirmation of payee’) when executing a euro-dominated instant payment. The proposed PSR will also require banks to undertake further reporting; adopt fraud monitoring systems; share information on bank accounts suspected of being used to commit fraud; and educate and alert their customers on fraud risks.11
● Online platforms are already subject to the EU’s Digital Services Act (DSA).12 The DSA requires these platforms to promptly remove illegal material once they become aware of it, for example when they are informed by law enforcement.13 It requires platforms to have mechanisms for users to easily report illegal content, online marketplaces to make best efforts to verify a trader’s identity; and users to see who any advertisement is presented for and who paid for it.14 The largest platforms are also under obligations to identify and mitigate systemic risks stemming from their platforms.15
● Both banks and telecoms firms are subject to the NIS2 Directive,16 a cybersecurity law which requires them to take steps like assessing security risks, implementing cybersecurity policies and appropriately managing cybersecurity incidents.
3. Imposing liability shifts undermines trust and co-operation
Given that no one player in the ecosystem has a full view of fraud, two tools are essential to solving the problem. The first is educational programs to help consumers spot when they are being scammed, and which are proven to make a big difference.17 The second is closer cooperation and information-sharing across the ecosystem, such as sharing of data, intelligence and best practices within and across the industries which are abused by scammers. This is reflected in the views of Euro Retail Payments Board (ERPB) working group on fraud, whose recent report recommends that “initiatives need to mobilize all relevant actors from the local, national and EU level in a collaborative way”.18
Proposals to make different firms across the ecosystem liable for covering the costs of reimbursing consumers would, however, seem likely to undermine trust and co-operation and instead create a culture of blame-shifting:
● Banks would have incentives to ‘over-report’ fraud to online platforms without undertaking proper enquiries themselves, since this will maximise their chance of passing on liability to a telecoms firm or online platform.
● Telecoms firms’ and online platforms’ would have fewer reasons to co-operate with banks by sharing information and intelligence about emerging threats – since banks could use that information to shift more liability to the telecom firms and online platforms who co-operate with them.
● Telecoms firms and online platforms would likely respond by reallocating resources towards assessing the (potentially large) influx of reports from banks who want to reduce their own liability, rather than focusing on proactive co-operation and on preventative steps which could have greater overall impact on stopping fraud in the first place.
4. Liability rules would create an incoherent legal framework
This game of liability ‘hot potato’ would also raise new contradictions and unresolved tensions with other EU policy objectives. In relation to telecoms firms, for example, the European Electronic Communications Code (EECC) and ePrivacy Directive (EPD) both oblige telecoms firms to protect confidentiality, manage security risks, and in particular protect encryption.19 The ePrivacy Directive and the Net Neutrality Regulation20 also limit the ability of telecoms firms to monitor and block calls and messages. Expectations about how telecoms firms can investigate and take action against fraud must take these existing policy priorities into account.
Online platforms, too, would be subject to competing policy objectives if new liability rules were to be introduced. In adopting the DSA, for example, EU policy-makers engaged in difficult discussions about how to ensure online platforms protect their users while preserving the benefits of digital ecosystems, innovation, and freedom of expression. As a result, the DSA reaffirmed that online platforms are not generally liable for users who abuse their platforms, and platforms should not be forced into general monitoring of content on their platforms, or mandatory removal of lawful content.21 Parliament’s proposal is hard to reconcile with the DSA, since it does not refer to the DSA’s set of detailed safeguards for the removal of content.22
Liability rules would therefore contribute to existing concerns that the EU’s regulatory framework risks becoming incoherent, with policy-makers refusing to acknowledge the tensions between different policy priorities, and putting unrealistic expectations on firms to manage inconsistencies between different EU laws. In turn, that creates a confusing and uncertain environment for consumers, for example where platforms are forced to take different approaches to different types of illegal content.
5. Mandatory liability rules would undermine educational programmes and create a ‘honeypot’ effect
Giving those affected by fraud a guarantee that they will be compensated will have perverse effects and creates a ‘moral hazard’. It would encourage users to be less cautious and prudent, which would counteract initiatives to increase consumer awareness and vigilance about fraud.
Worse, it would increase incentives to participate in fraud. Guaranteed reimbursement gives fraudsters incentives to pose as ‘victims’ in order to collect compensation – which can be as simple as falsely claiming that a product has not been delivered. In preparing the Instant Payments Regulation, for example, the Commission accepted that “more lenient refund conditions may give rise to greater moral hazard in the form of unfounded refund claims (e.g. where the payer changed their mind, did not like the product, etc.)”.23 It also provides more incentives for consumers to allow their account to be used (wittingly or unwittingly) as a ‘mule account’ for fraudsters. A recent survey carried out by the UK's leading fraud prevention service illustrated that 20% of UK adults thought agreeing to act as a ‘money mule’ could be reasonable, and that the proportion of adults who admit to committing fraud – often at a small scale and with a view that it is a ‘victimless crime’ – has increased in the years since the UK introduced compulsory reimbursement.24
In countries where compulsory reimbursement of consumers have been introduced, banks have had to expend considerable resources identifying and weeding out ‘first party fraud’, or cases where fraudsters have posed as ‘victims’. Compounding this moral hazard, banks spread the costs of reimbursing those affected to all their customers, which results in a redistribution from responsible and cautious consumers to more reckless ones.
Read the full publication here
Zach Meyers is assistant director of the Centre for European Reform.1
2 Proposal for a regulation on payment services (PSR), 28 June 2023, COM(2023) 367, arts 83 and 84. These steps include requiring banks to improve fraud monitoring; share data among themselves about fraud; and educate and alert customers about fraud risks.
3 PSR art 59(5).
4 European Parliament legislative resolution on the PSR, 23 April 2024, recitals 79-82a, arts 2(9a) and 59. Is the EU taking the right approach to APP fraud?
5 Amazon, DSA EU Store Transparency Report, 24 October 2024.
6 Facebook, DSA Transparency Report, 26 April 2024 (updated 13 June 2024).
7 Google, Biannual VLOSE/VLOP Transparency Report, 26 April 2024.
8 CoinBase, ‘Announcing the Tech Against Scams Coalition’, 21 May 2024.
9 Vodafone, ‘Vodafone Business launches scam signal to defend against impersonation fraud’, 22 April 2024.
10 Directive 2015/2366 (Payment Services Directive) (PSD2) art 96(6).
11 PSR arts 83 and 84.
12 Regulation 2022/2065 (Digital Services Act) (DSA).
13 DSA art 9.
14 DSA arts 16, 30 and 26.
15 DSA arts 34 and 35.
16 Directive 2022/2555 (NIS2).
17 Jeremy Burke et al, ‘Can educational interventions reduce susceptibility to financial fraud?’, Journal of Economic Behaviour &
Organization, Vol 198, June 2022.
18 ECB, ‘Report of the ERPB Working Group on fraud related to retail payments’, September 2024.
19 Directive 2018/1972 (European Electronic Communications Code) (EECC) art 40; Directive 2002/58/EC (ePrivacy Directive) (EPD).
20 Regulation 2015/2120 (Net Neutrality Directive).
21 DSA art 8.
22 For example, DSA art 9 provides that when a public authority orders a platform to remove illegal content, the order must contain clear reasons why the information is illegal and a URL setting out precisely where the content is located.
23 European Commission Staff Working Document, Impact assessment for the Instant Payments Regulation proposal, SWD(2022) 546.
24 CIFAS, ‘1 in 8 UK adults admit to committing fraud in the last 12 months’, press release, 29 November 2023.