Supervision release 15 May 2023 – 30/2023

Thematic assessment on abuses of payment services and the compensation process

The Financial Supervisory Authority (FIN-FSA) has conducted a thematic assessment of practices and compensation processes pertaining to the abuse of payment services in banks’ relationships with consumer-customers. Banks were requested to describe, among other things, the most common ways of abuse related to payment services and how they provide guidance to their customers about various security threats. In connection with the thematic assessment, data was also collected from banks on developments in the volume of fraudulent payment transactions.

The FIN-FSA urges banks to continue to actively monitor current security threats and fraud phenomena associated with payment instruments, inform their customers about them through various channels and provide advice on how to protect against fraud and abuse of payment instruments.

Banks must continuously improve the options they offer customers for setting use restrictions and payment alerts, so that these become more versatile than they are at present. These services must also be clearly communicated to customers.

According to the data collected for the thematic assessment, various types of fraud have become more common. Frauds are also more advanced than before. The banks named phishing in its different variations, frauds (for example investment fraud, CEO fraud and love fraud) and online abuse of payment cards as the most common types of abuse pertaining to payment services.

Examples of fraud types that have emerged in recent years include fraud on social media (such as Facebook), phishing in the name of Microsoft customer service, fake websites shown in Google search results, impersonation of different brands, and fraud and phishing text messages sent from a false telephone number. In addition, the payment features of various digital wallets (such as Apple Pay and Google Pay) are abused.

It is sometimes difficult for banks’ customers to detect whether they are actually being defrauded or not. Hence, banks must keep up the active monitoring of current security threats and fraud phenomena pertaining to payment instruments, communicate about them and provide guidance on how to protect against them.

Banks typically allow customers to set limits for credit transfers and card payments in their online and mobile services and to set alerts on suspicious transactions. These use restriction options vary across banks. Banks have room for improvement in making the available use restrictions and alerts more versatile than they are at present. These services must also be clearly communicated to customers.

In 2019–2022, the annual volume of fraudulent credit transfers varied from €24.9 million to €33.9 million. The share of fraudulent credit transfers is very low in relative terms. For example, in 2022 it was 0.0007% of all credit transfers. Nevertheless, it is important that banks continue to focus on the prevention of abuse and continuously develop their anti-fraud methods and systems.

Banks have described their compensation process for unauthorised payment transactions and prepared their related internal guidelines relatively well. However, differences were found across the banks in the level of detail of these descriptions and guidelines.

The results of the thematic assessment will be utilised by the FIN-FSA in the ongoing supervision of the area as well as in a follow-up thematic assessment being planned on the security of banks’ online and mobile banking services.

For further information, please contact

Markku Koponen, Head of Division, telephone +358 9 183 5389 or Markku.Koponen(at)fiva.fi