As part of its strategy for addressing fraud risks in the context of the Single Euro Payments Area (SEPA) payment schemes, the European Payments Council (EPC) has elected to develop a SEPA-wide “Malware Information Sharing Platform” (MISP) instance for real-time fraud information sharing with direct browser access by all SEPA payment scheme participants.
To that end, the EPC has launched a public request for proposal to find a reliable independent service provider to which it can outsource the management and the maintenance of the EPC MISP instance.
As a scheme manager, the EPC is responsible for addressing real-time fraud risks in the context of the schemes, and it needs to take appropriate action related to fraud data collection and analysis, information sharing and prevention measures.
In addition, the ECB/Eurosystem, as overseer of the SEPA payment schemes, has already recommended to the EPC:
- To develop an early warning-sharing system for specific fraud cases, towards relevant scheme participants.
- To broadcast fraud-related information towards all scheme participants, for example through the publication of quarterly qualitative dashboards.
In this context, the EPC Scheme Management Board (SMB) approved the EPC Payment Scheme Fraud Prevention Working Group (PSFPWG)’s implementation proposal on the development of the MISP instance for real-time fraud information sharing.
Real-Time Fraud Use Cases
The PSFPWG considers four main use cases:
- General sharing of information/statistics on fraud (Broadcasting)
- Direct communication between two affected scheme participants
- Sharing of IBAN lists, User Agents, Device IDs, IP-Addresses, websites, etc. (taking into account and subject to all applicable EU legal frameworks)
- Funds blocking and recovery
The first two use cases (most straightforward) will be prioritised through a phased go-live approach, as these also relate to the use cases recommended by the Overseer.
These will be expanded to the other two use cases, and potentially to further use cases identified through implementation and usage experience, with the possibility of early adoption through pilots by volunteering participants/national communities.
The fraud typology documentation and classification (maintenance) for the various use cases is to be aligned/mapped with the ECB payment statistical reporting and the EBA Guidelines on Fraud reporting, and if possible, in sync with the EBA Association’s “Fraud Taxonomy” document.
Also, the MISP solution should allow the EPC to gather statistical information on fraud to support its ‘broadcasting’ role, without, however, replacing or duplicating the participants’ existing reporting duties pursuant to relevant rules and regulation.
The full RFP can be found HERE