SDG 16: Peace, Justice, and Strong Institutions | SDG 9: Industry, Innovation, and Infrastructure

Reserve Bank of India (RBI)

The joint 2025 report by the European Banking Authority (EBA) and the European Central Bank (ECB) highlights that the total value of fraudulent payment transactions in the European Economic Area (EEA) reached €4.2 billion in 2024, marking a 17% year-on-year increase from 2023. Credit transfers (€2.5 billion) and card payments (€1.3 billion) accounted for the majority of these losses.

Key Findings on Fraud Vectors:

• Remote Transactions: Fraud overwhelmingly occurred in remote transactions for credit transfers, card payments, and e-money. Remote card fraud in value terms was 83% of all card fraud in 2024, despite remote transactions being only 28% of overall card transaction value.

• Fraud Type: The primary driver of credit transfer fraud (85% of losses) was the manipulation of the payer (Authorised Push Payment or APP scams), which accounted for more than half (76% in value terms in 2024) of fraudulent credit transfer value. For card payments, the issuance of a payment order by the fraudster (e.g., card detail theft) accounted for over 90% of the value of fraud.

• Cross-Border Vulnerability: While most transactions are domestic, the majority of card payment fraud (70% in value and volume) and a large share of credit transfer fraud (40% to 50% in value) are cross-border. Fraud rates for transactions outside the EEA were substantially higher, notably 17 times higher for card payments acquired outside the EEA compared to domestic transactions, where SCA may not be required.

What is Strong Customer Authentication (SCA)? SCA, mandated by the EU’s PSD2, requires multi-factor authentication for most electronic payment transactions. It mandates the use of two or more independent elements (knowledge, possession, or inherence) for user login and transaction initiation to significantly reduce the risk of fraud in online and digital payments. SCA-authenticated transactions generally showed lower fraud rates than non-SCA transactions, especially for card payments.

Policy Relevance

The SCA requirements under PSD2 and the fraud trends in Europe offer critical policy lessons for India, which also mandates multi-factor authentication (known as Additional Factor Authentication or AFA) for most online and high-value transactions under RBI guidelines.

• Liability Regime: The report shows that in the EEA, Payment Service Users (PSUs) bore the overwhelming majority of losses for credit transfers (around 85% of annual losses in 2024), raising questions about consumer protection and the interpretation of ‘authorisation’ and ‘gross negligence’. This high concentration of liability on the user contrasts with India’s consumer-friendly liability regime, and the EEA’s struggle highlights the need for a global consensus on liability in SCA-authenticated transactions, especially in the growing instant payment (APP scam) ecosystem common to both regions.

• Security Standardisation: SCA implementation has been key to mitigating card fraud within the EEA, validating the RBI’s strategy of requiring strong security measures for Indian payments. As India’s digital payments expand globally, the observed 17-fold increase in fraud outside the EEA where SCA is inconsistent demonstrates the necessity of advocating for harmonised global security standards that align with India’s own stringent AFA requirements.

Follow the full report here: EBA ECB 2025 REPORT ON PAYMENT FRAUD