Are Your Payments Secure? The Office of Competition and Consumer Protection Introduces New Recommendations!

A working group appointed by the President of the Office of Competition and Consumer Protection (UOKiK), consisting of representatives from the Financial Supervision Authority (FSA) and banking sector experts, has issued recommendations for payment service providers (PSPs). The goal is to reduce the risk of fraudulent transactions, which frequently result from stolen authentication data, payment card cloning, or unauthorized access to the user’s mobile device.

What activities increase the risk of payment fraud?

The Office of Competition and Consumer Protection highlights key risks that may compromise transaction security, including:

  1. The possibility for clients to independently increase transaction limits on their accounts via a mobile application or website, combined with maintaining high transaction limits.
  2. The use of so-called “click-and-loan” features, allowing for quick and simplified debt commitments.
  3. Card-not-present (CNP) payments that do not require strong customer authentication (SCA) from the payee.

What Are the Recommendations from the Office of Competition and Consumer Protection?

To mitigate fraud risks, the Office of Competition and Consumer Protection recommends implementing up to 16 preventive measures, including:

  1. Regular monitoring and transaction analysis. Providers are advised to implement advanced monitoring systems that automatically analyze customer transactions for atypical patterns, such as sudden increases in transfer amounts or cross-border transactions for clients not previously engaging in such activities.
  2. Introduction of a “cooling period” for new features and limit increases. This automatic system detects unusual or suspicious transactions and sends notifications requesting transaction confirmation through an alternative communication channel. Note that the cooling period must not exceed the legally defined deadlines within which the provider is required to execute a specified transaction.
  3. Implementation of a “panic button” function. Providers should enable consumers to immediately block all transactions within the mobile application and on their client portal. It is essential to emphasize that this function should not restrict the communication channels available on the mobile app or client portal.
  4. Mandatory SCA for card-not-present (CNP) transactions. In practice, this measure may include two-factor authentication in the mobile app, such as an additional SMS code or biometric verification.
  5. Default transaction limits. It is advised to set default transaction limits at a reasonable level for new clients. During the contract signing process, clients should also be informed of the risks associated with maintaining high transaction limits.

How to enhance consumer protection and prepare for audits?

The implementation of the recommendations is intended to increase consumer protection and reduce the risk of unauthorized transactions. Payment service providers should still be particularly careful, as these recommendations increase the probability of regulatory audits.

Author: Mateusz Bałuta, team leader, DKP Legal