Reporting of fraud data related to payment services

The reformed Payment Services Directive (PSD2) and the Guidelines of the European Banking Authority (EBA) issued thereunder¹ oblige competent authorities to collect statistical data related to payment services on a regular basis. The Financial Supervisory Authority (FIN-FSA) must forward this data to the European Central Bank (ECB) and the European Banking Authority (EBA) as a single set of country data on a semi-annual basis.

Harmonised fraud data reporting is used to collect data on the number and euro value payment transactions² and fraudulent payment transactions and losses incurred. In addition, data is collected among other things on the types of fraud and on whether the payment transaction was authenticated via strong customer authentication. Exceptions concerning strong customer authentication apply as from 14 September 2019.

The reporting obligation will be imposed in the FIN-FSA’s regulations and guidelines (8/2014) Management of operational risk in supervised entities of the financial sector.

Who does the reporting concern?

The data collection concerns the following groups of supervised entities:

• Domestic payment institutions
• Domestic registered agents, i.e. natural and legal persons providing payment service without authorisation
• Finnish branches of foreign payment institutions providing payment services in Finland
• Domestic credit institutions providing payment services
• Foreign credit institutions’ branches providing payment services in Finland

Branches of domestic payment and credit institutions operating in other EEA member states must submit the data to the competent authority of the host country.

How are the data collected?

The data is reported to the FIN-FSA in a machine-readable format. The reporting file may be composed either directly from one’s own systems or using the MF template available in the Jakelu distribution service. The Jakelu distribution service contains further instructions on completing the workbook. The data content of the MF template corresponds to the EBA Guidelines. Supervised entity must themselves identify whether they provide a payment service subject to the present reporting obligation. If an agent belonging to any of the types of supervised entity listed above does not have activities referred to herein, we request that they affirm this to the FIN-FSA by 31 October 2019 by email at kirjaamo(at)finanssivalvonta.fi using the headline “Fraud data reporting” (”Petostietojen raportointi”).

The first reporting period is from 1 January to 30 June 2019, and the data must be submitted to the FIN-FSA at the latest on 31 October 2019. The response date for the first reporting period is exceptional. After the first reporting exercise, the reporting due dates are as follows:

• Payment institutions and credit institutions providing payment services must submit the data to the FIN-FSA semi-annually by 28 February and 31 August.
• Persons providing payment service without authorisation must report the data annually by 28 February.
   

Further information

• Heli Mäkitalo, Risk Expert, tel. +358 9 183 5369 or heli.makitalo(at)fiva.fi
• Technical questions concerning the data collection: VIRATIhelpdesk(at)fiva.fi

Further information on the FIN-FSA website

• Instructions on subscribing to the reporting release
• The Jakelu distribution service

¹EBA Guidelines of 18 July 2018 on fraud reporting under the Payment Services Directive 2 (PSD2)) (EBA/GL/2018/05)
²Credit transfers, direct debits, card based transactions, cash withdrawals using cards, e‐money payment transactions, money remittances, transactions initiated by payment initiation services providers.