Instant Payments - Fraud Risk Mitigation

The Central Bank of Malta has issued a notice in relation to their supervisory expectations on fraud risk mitigation for the instant payment environment. This notice is addressed to payment service providers (PSPs) which are operating in Malta.

The notice introduces 11 measures which are aimed at strengthening security and consumer protection in relation to instant payments in line with the Instant Payments Regulation. Under this law, PSPs are expected to keep strengthening their framework and operational arrangements with the evolution of the environment.

The supervisory expectations span over a vast range of obligations; however, the emphasis is on authorised push payment fraud, impersonation scams and other emerging fraud typologies.

Adjustment of spending limits and application of delay periods

PSPs have to enable payment service users (PSUs) to modify their instant credit transfer limits at any time and at their sole discretion. Such modifications are to take effect immediately, which gives PSUs full control over their transaction limits. Adjustments are to be honoured by the PSPs without any limitations. This right is available to all PSUs, and the obligation applies 24/7/365: the facility should therefore be available without restriction as to platform or time.

A temporary delay of up to 6 hours may be applied to such adjustments before the new spending limit takes effect. The delay may only be introduced if certain requirements are met: it should not be applied where there are no identifiable red flags, and it must not be used as a default mechanism. Time is to be measured in real time and not restricted to working hours.

The delay period is intended to be used to carry out enhanced monitoring and provide targeted warnings or notifications to the users, and, where necessary, establish contact through appropriate channels. The delay period mechanism should not create an open-ended discretion for PSPs to refuse or indefinitely postpone limit adjustments. Afterwards, if the PSU does not cancel or withdraw the request within the time period, the adjustment to the spending limit shall take effect immediately.
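As an added illustration of the limit-adjustment flow described above (not code from the notice or from any PSP): a delay is applied only when red flags exist, is capped at 6 hours of wall-clock time, can be withdrawn by the PSU while it runs, and otherwise the new limit takes effect on expiry. Function and field names, and the sample timestamp, are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Upper bound on the delay period stated in the notice (6 hours).
MAX_DELAY = timedelta(hours=6)

# Constructed sample request time (timezone-aware: real time, not working hours).
REQUEST_TIME = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class LimitChange:
    """A pending or applied change to a PSU's instant credit transfer limit."""
    user_id: str
    new_limit_eur: float
    requested_at: datetime
    effective_at: datetime  # equals requested_at when no delay was applied
    cancelled: bool = False


def schedule_limit_change(user_id, new_limit_eur, requested_at, red_flags, delay=MAX_DELAY):
    """Record a PSU-initiated limit change.

    red_flags: hypothetical list of indicator names raised by the PSP's monitoring.
    A delay is applied only when at least one red flag exists; otherwise the change
    takes effect immediately, so the delay is never the default path.
    """
    if requested_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps: the delay is measured in real time")
    if not timedelta(0) <= delay <= MAX_DELAY:
        raise ValueError("delay must be between 0 and 6 hours")
    effective_at = requested_at + delay if red_flags else requested_at
    return LimitChange(user_id, new_limit_eur, requested_at, effective_at)


def cancel_limit_change(change, now):
    """PSU withdraws the request; only possible while the delay is still running."""
    if change.cancelled or now >= change.effective_at:
        return False
    change.cancelled = True
    return True


def current_limit(change, previous_limit_eur, now):
    """Limit in force at 'now': the new value once effective_at has passed and the
    request was not cancelled; otherwise the previous limit."""
    if change.cancelled or now < change.effective_at:
        return previous_limit_eur
    return change.new_limit_eur
```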

Limit changes should trigger an AML/CFT risk reassessment where necessary, with monitoring and scrutiny adjusted accordingly.

Registration of new devices

Registration of a new device is considered to be a high-risk event from a fraud perspective, especially in cases of account takeover. Currently, registration of new devices has to be confirmed using strong customer authentication. However, there are still instances where fraudsters manage to install the mobile application and access the victims’ payment accounts even when two-factor authentication is in place.

In view of this, the Central Bank suggests the following practices:

  • Applying a delay window upon the registration of a new device.
  • Requiring authorisation through an existing trusted device.
  • Having appropriate controls in place to manage device access.

Customer interaction and staff preparedness

Staff who have direct contact with users should be appropriately trained to recognise and respond to potential fraud scenarios. Where red flags are identified, reasonable steps must be taken to alert the PSU that the transaction may be fraudulent and to provide clear guidance before the transaction is executed. Further rights granted to the PSP under current laws may be exercised where there are objectively justified grounds to suspect fraudulent activity.

Transaction monitoring in an instant payments environment

PSPs are expected to ensure that transaction monitoring frameworks operate in real time and cover both pre-transaction and post-transaction stages. The system, processes and controls should be designed to operate continuously and effectively.

Furthermore, the user should have visibility of the payment transactions through the digital channels, which will enable them to monitor account activity and react promptly in case of unauthorised or suspicious transactions.

High-risk indicators and enhanced monitoring

Specific events or behaviours which may indicate an increased risk of fraud should be identified and monitored by the PSP. These indicators should be used as part of a broader risk assessment framework to determine whether additional controls, warnings or interventions are required. To determine whether there are grounds to suspect fraudulent activity, indicators should be assessed collectively rather than in isolation. Where such grounds exist, PSPs may take appropriate and proportionate measures on a case-by-case basis.

Use of automated controls and PSU interaction

Since payment services are increasingly delivered through digital and automated channels, PSPs should make use of technology-driven solutions in managing fraud risk in such a way that reduces the friction in a PSU’s journey. Routine or systematic manual controls with the user should not be the primary control mechanism. PSPs are encouraged to implement risk-based real-time transaction notifications and payment warnings, particularly for higher-risk transactions. Such measures should complement existing fraud controls, while PSPs must retain the ability to intervene where strong fraud indicators are identified.

Detection of remote access, screen-sharing and similar high-risk tools

As part of the fraud prevention framework, a PSP should implement controls to detect the risks posed by remote access and screen-sharing tools where feasible. These controls should be designed in a proportionate and privacy-conscious manner and should complement existing controls.

Verification of payee

Verification of payee (VoP) should be available on a continuous basis since it is important as a fraud prevention tool. Where verification of payee is not available, this should be treated as an exceptional situation and may, depending on the circumstances, indicate non-compliance with the IPR; however, the unavailability of VoP should not automatically delay or block payments. PSPs should apply proportionate, risk-based measures on a case-by-case basis where additional fraud risks are identified.

Fraud information sharing

With the increasing scale and sophistication of fraud, individual PSPs acting in isolation will not be able to mitigate fraud risks effectively across the payments ecosystem. For this reason, PSPs are encouraged to collaborate and share relevant information that may assist in the detection and prevention of fraudulent activity. PSPs should ensure they have the operational, technical and legal capabilities to support timely fraud information sharing and to participate in EU-level fraud prevention initiatives.

PSU Awareness and Fraud Prevention Communication

PSPs should implement ongoing and targeted fraud awareness campaigns to educate PSUs on common and emerging fraud typologies, including social engineering and impersonation scams, and promote safe payment practices. Communications should be clear, accessible and aligned with emerging fraud trends, complementing existing transaction monitoring and fraud prevention controls.

Liability considerations in authorised fraud scenarios

Liability for authorised push payment fraud should be assessed on a case-by-case basis. A PSP's implementation of effective fraud prevention measures is a significant factor in determining liability. Conversely, deficiencies in the PSP's fraud prevention framework may increase its exposure to liability.

This guidance is to be implemented according to the nature, scale and complexity of the activities of the PSP.

Following the issue of this notice, PSPs have two deadlines to follow:

  1. Submission of a gap analysis to the Central Bank identifying any differences between their existing systems, controls and processes and the expectations set out in the notice. This is to be submitted by 23rd August, together with a clear implementation plan.
  2. Provision of periodic updates on the implementation of the identified measures every 2 months until full alignment is achieved.

Implementation must however be completed by 1st July 2027.

For any additional information or assistance, please contact us at info@gtg.com.mt

Author: Dr Kimberley Blundell


Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.