Monday, September 16, 2024

Europe Declares War on Tech Spoofing

A proposed European payment regulation aims to crack down on online fraud. Who should pay?

The caller ID on the messaging app showed a bank name and requested a money transfer to pay for a purchase. Once the money was sent, the messenger and the funds vanished. This fraud, known as spoofing, an impersonation scam, or authorized push payment fraud, deceives consumers by disguising a hacker as a trusted source and stealing the consumers' credentials.

European policymakers are determined to confront this spoofing scourge. In the new Payment Services Regulation, members of the European Parliament argued that messaging services such as WhatsApp, digital platforms such as Facebook, or marketplaces such as Amazon and eBay could be liable for scams that originate on their platforms, on a par with banks and other payment service providers.

Online payment fraud represents a real and growing global problem. Total losses are expected to reach $362 billion between 2024 and 2028. How to combat this mounting problem divides transatlantic allies. The US relies on technology, particularly artificial intelligence, while the European Union pushes for regulation. Yet despite the common perception that strict EU rules hinder innovation, and despite the handicap of a fragmented market, the payments sector shows how regulation may help.

In the previous rendition of the European payments rules, the EU instituted double authentication, forcing users to provide two forms of identification to make a transaction. Buyers could not just give their credit card online. They needed to “verify” their purchase by whipping out a card reader and punching in a detailed code sent by their bank.

Online retailers protested. When forced to go through the second authentication, a large percentage of buyers dropped out. The retailers argued that the second checks were unnecessary. They maintained that automated fraud checks, which use algorithms to detect risky transactions, are as effective. As evidence, they pointed to the experience in the US, where fraud levels of online purchases are comparable to the EU.


Rather than frighten off European innovation, supporters argued that these strong rules provide much-welcome legal certainty. They forced companies to create new methods to minimize their obstacles, and indeed the double authentication unleashed apps that eased the process on mobile phones. Most European banks now offer facial recognition on their mobile phone apps to provide a second authentication. The use of such biometric authentication, including fingerprints, iris scans, and facial recognition, is expected to grow by 47% over the next five years, providing a secure way to verify identities online.

Fraud levels dropped, demonstrating the merit of those rules. Banks and payment service providers agreed that the path ahead required continued innovation in robust anti-fraud prevention measures. The new European regulation proposes that banks should refund the consumer for the full amount of the scam. The UK has already legislated a similar reimbursement model. Singapore also has an advanced model and other geographies are looking into similar measures.

When necessary, EU regulators have provided needed flexibility. European national financial market authorities set up regulatory sandboxes to let fintechs innovate without subjecting them to regulatory hurdles. As of October 2023, 14 regulatory sandboxes existed across 12 European countries.

Europe arguably leads the world in financial innovation. Its fintech market is worth an estimated $3.6 billion, making it two times more valuable than any other tech sector on the continent. Online banks such as Revolut and N26, and payment providers such as Adyen, are soaring.

Europe’s new payment regulations are now up for negotiation in Brussels. Large US tech firms and messaging apps are pushing to lower the liability risk. They argue banks, not them, should be responsible. With spoofing or impersonation scams, the fraudulent transaction occurs on banking service portals, not the platforms. And so, banks themselves should enhance their security measures or pay the price.

Banks, not surprisingly, disagree. They cannot control the entry points that fraudsters use to reach consumers, whether it is by phone, messaging apps, online ads, or the dark web. Why shouldn’t telecom network operators, messaging services, and other digital platforms also be obliged to prevent fraudsters from reaching consumers and, if they fail, be held liable?

Legislative procedures in Brussels are long and drawn-out affairs. It might be another year or more before a decision is reached. Expect a compromise. Telecom operators, messaging services, and other online platforms probably will be compelled to collaborate with banks and other payment service providers to fight spoofing. Given that EU regulations often set a global standard, this new division of responsibility could become the next example of the much-ballyhooed Brussels effect.

Padraig Nolan serves as Chief Operating Officer of ETPPA, a prominent EU fintech association. He is also an advisory board member of the Lisbon-based Europe Startup Nations Alliance. Padraig holds a bachelor’s degree in law and economics (University of Galway) and a Master’s degree in European law (Utrecht University).

Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.
