European Central Bank report on card fraud in the euro area

The latest version of the European Central Bank fraud report is now available. The report, Seventh report on card fraud, analyses trends in card fraud in 2019 as reported by card payment schemes active in the euro area.

The analysis focuses on data for 2019, which are put into the context of a five-year period from 2015 to 2019. Card payment schemes active in the euro area report data broken down by Single Euro Payments Area (SEPA) country, covering almost the entire card market.1

Card fraud consists of (i) fraudulent transactions with physical cards (card-present fraud), such as cash withdrawals with counterfeit or stolen cards; and (ii) fraudulent transactions conducted remotely (card-not-present fraud), for example where criminals conduct online payments with card details obtained through phishing or data breaches.2

The total value of fraudulent transactions using cards issued within SEPA3 and acquired worldwide4 amounted to €1.87 billion in 2019. For cards issued in the euro area only, the total value of fraudulent card transactions amounted to €1.03 billion.

Fraud as a share of the total value of transactions

Fraud as a share of the total value of transactions decreased in 2019, as fraud in absolute terms increased at a slower pace than overall card payments. The total value of overall card transactions using cards issued within SEPA and acquired worldwide increased by 6.5% compared with 2018, whereas corresponding fraud grew by 3.4%. Consequently, fraud as a share of the total value of transactions decreased by 0.001 percentage points to 0.036% in 2019.

Over the five-year period between 2015 and 2019, the lowest fraud share was observed in 2017 (0.035%), which was the lowest figure recorded since the start of data collection in 2007. A share of 0.036% means that on average 3.6 cent were lost to fraud for each €100- worth of transactions using cards issued within SEPA in 2019.

For cards issued in the euro area, the value of fraud as a share of total card transactions in 2019 remained below the share for SEPA as whole at 0.032%, albeit up slightly from 0.031% in 2018.

Card-Not-Present (CNP) fraud

The vast majority of fraudulent transactions continue to be related to card-not- present (CNP) fraud. In 2019 80% of the value of card fraud resulted from CNP transactions, i.e. payments via the internet, mail or phone.

In contrast, fraudulent transactions at physical point-of-sale (POS) terminals such as face-to-face payments at retailers or restaurants and at automated teller machines (ATMs) only accounted for 15% and 5% of the total value of card fraud in 2019 respectively.5

CNP fraud accounted for €1.50 billion in fraud losses in 2019, up by 4.3% on the previous year. Partially available data on total CNP transactions suggest that fraud grew at a considerably slower rate than overall CNP transactions in 2019. With respect to card-present transactions, fraud committed at POS terminals went up by 2.2% in 2019, while fraud committed at ATMs decreased by 6.1%.

The latter was driven by a notable decline in counterfeit card fraud at ATMs involving transactions acquired outside SEPA, as the increased global adoption of EMV chip technology6 further reduced opportunities for committing magnetic stripe counterfeit fraud.7

Delayed debit and credit card transactions

Delayed debit and credit card transactions appear more affected by fraud than debit card payments. When distinguishing card payments by card function, the fraud share of delayed debit and credit cards in 2019 (0.088%) continued to be considerably larger than the share for debit card transactions (0.016%), the former being more frequently used for online payments and cross-border transactions.

However, the fraud share for delayed debit and credit cards declined notably compared with previous years (from around 0.11% in 2015 and 2016 to 0.088% in 2019).

SEPA

More than half of the total value of fraud in 2019 was related to cross-border transactions within SEPA. From a geographical perspective, domestic transactions accounted for 89% of the value of all card transactions in 2019, but only 35% of fraudulent transactions. Cross-border transactions within SEPA represented 9% of all card transactions in terms of value, but 51% of reported fraud. Although only 2% of all transactions were acquired outside SEPA, they accounted for 14% of fraud.

While the increase in the absolute value of card fraud in 2019 related almost exclusively to increases in fraud involving cross-border transactions acquired within SEPA, relative fraud shares declined for both domestic and cross-border transactions compared with the previous year.

RTS and SCA

Further reductions in European fraud shares are expected with the implementation of the Regulatory Technical Standards (RTS) for strong customer authentication (SCA) and common and secure open standards of communication (CSC) under the revised Payment Services Directive (PSD2).

The share of fraud in the total value of transactions was lower from 2017 to 2019 than in previous years. This was supported by the implementation of various fraud prevention measures by payment service providers (PSPs) and card payment schemes, such as EMV standards, card tokenisation and geo-blocking, along with efforts by European regulators to strengthen the security requirements for card payments with PSD2.

Implementation of the RTS for SCA and CSC under PSD2, which entered into force in 2019, should make card payments even more secure and reduce opportunities for fraud. The full effect of these regulatory measures was expected to materialise following market-wide implementation by 31 December 2020. The first experiences reported by individual card payment schemes already appear encouraging, although it is too early to draw market-wide conclusions.

Overall Outlook

Overall, the outlook on card fraud has improved slightly since the last edition of this report, but industry, regulators and consumers need to remain vigilant. Although fraud in relative terms decreased slightly in 2019, overall levels remain persistent and are increasing in absolute terms.

Moreover, the recent surge in card payments for online purchases during the COVID-19 pandemic may increasingly make such payments the target of criminal activities (e.g. by phishing).

Consequently, card payment schemes and their participating PSPs are encouraged to continue to exchange information related to fraud prevention and best security practices.

PSPs also need to go on fighting fraud and provide secure payment solutions to end users. It is important for them to be supported in this by the merchants, as they play a key role in the successful implementation of these solutions.

For more information on Fraud at a Country level please CLICK HERE

 

1       Unless otherwise specified, total figures in this report (transactions, fraud, fraud shares) refer to values and cover the SEPA perspective from an issuing point of view. Country-based tables throughout the report reflect EU Member State figures. On occasions, where relevant, the euro area total figures (EA19) are also provided.

2     The general information on card usage, data collection methodology and classification provided in the first report on card fraud is not repeated in this version (see “Report on Card Fraud”,      ECB, July 2012).

3       The “issuing country” is the country of the card issuing payment service provider.

4        The “acquiring country” is the country of the card transaction beneficiary. For card-present transactions, the acquiring country is determined by the location of the ATM or POS terminal used. For CNP transactions, the acquiring country is determined by the country where the merchant (or the respective subsidiary) is legally incorporated.

5     The same trend is observed with respect to fraud volumes, although ATM fraud was even less prevalent in terms of volumes, while card-present fraud at POS terminals was more common.

6        Most implementations of chip-and-PIN are based on EMV as the industry standard for card transactions at POS terminals and ATMs.

7     Source: EMVCo Worldwide EMV Deployment Statistics, 2018-20.