Document 52008IE1662

Opinion of the European Economic and Social Committee on Combating fraud and counterfeiting of non-cash means of payment

OJ C 100, 30.4.2009, p. 22–27 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

30.4.2009   

EN

Official Journal of the European Union

C 100/22


Opinion of the European Economic and Social Committee on Combating fraud and counterfeiting of non-cash means of payment

2009/C 100/04

On 17 January 2008 the European Economic and Social Committee, acting under Rule 29(2) of its Rules of Procedure, decided to draw up an own-initiative opinion on

Combating fraud and counterfeiting of non-cash means of payment.

The Section for the Single Market, Production and Consumption, which was responsible for preparing the Committee's work on the subject, adopted its opinion on 1 October 2008. The rapporteur was Mr IOZIA.

At its 448th plenary session, held on 22 and 23 October 2008 (meeting of 23 October), the European Economic and Social Committee adopted the following opinion unanimously.

1.   Conclusions and recommendations

1.1.   The European Economic and Social Committee regrets that the initiatives taken to date to prevent and combat fraud and the counterfeiting of non-cash means of payment have proven to be insufficient to halt the spread of this phenomenon. As already highlighted by the Commission in its 2004-2007 action plan, though the Community legal framework has been enhanced and strengthened, the exchange of information between public and private entities remains to be fully developed, as does effective cooperation among the relevant authorities of the Member States.

1.2.   The main barrier to the effective implementation of a fraud prevention system has been identified by the Commission as the difficulty in exchanging data within the EU on both fraudsters and those deemed at risk. To ensure effective preventative action, it seems necessary to increase the means of information exchange on fraudsters, by enhancing the channels of cooperation between the relevant national authorities.

1.3.   A further obstacle to effectively curbing fraud lies in the inconsistency of legislation across the Member States with regard to powers of inquiry, as well as the varying degrees of deterrence. Harmonising national legislation seems therefore the best way to effectively curb this typically trans-national form of crime.

1.4.   The EU must therefore step up its strategy to combat fraud and the counterfeiting of non-cash means of payment by deploying a range of measures. To this end, there is a need to:

foster the exchange of information between public and private entities;

step up cooperation among the relevant authorities of the Member States;

pro-actively harmonise national legislation with particular regard to data protection provisions within the EU so as to enable cross-border data exchange and curb fraud;

ensure that each competent national authority establishes a digital data base containing information that may indicate levels of fraud risk;

task Europol with monitoring the drive to prevent and counter fraud, and with coordinating the available data bases; and

launch targeted information campaigns involving consumer associations, with a view to alerting users to the potential risks involved in using non-cash payment instruments, and thus to bring on board an informed public in a more effective, timely fight against fraud.

2.   The rise of non-cash means of payment and related fraud

2.1.   One feature of the current global economy is the notable increase in non-cash means of payment, such as credit and debit cards and online payments. Transactions made by electronic payment instruments account for an increasing proportion of the volume and value of domestic and cross-border payments and this trend is set to accelerate further as markets and e-payment technologies continue to develop.

2.2.   The need to secure the development of alternative payment means to cash in the European Union is related to the liberalisation of capital movements and the implementation of Economic and Monetary Union. The modern technology-based economy cannot do without an effective payment system, because such a system gives a direct boost to the competitiveness of the financial sector and thus enhances overall economic efficiency. Indeed, it is a confirmed fact that electronic payment systems stimulate consumer spending and economic growth, as they facilitate the purchase of goods and services. It is estimated that 231 billion (cash and non-cash) transactions, worth a total of EUR 52 000 billion, are carried out in the European Union each year.

2.2.1.   Recent years have seen rising levels of non-cash payments across the world. Specifically, in 2004 the number of non-cash transactions per capita amounted to 142 (including 32.3 using payment cards) in the EU-25, 150 (28.3 with payment cards) in the euro-area Member States and 298 (47.5 with payment cards) in the USA. In 2006, the equivalent numbers were 158 (including 55.2 using payment cards) in the EU-25, 166 (50.5 with payment cards) in the euro-area Member States and 300 (145.1 with payment cards) in the USA. Within the EU, the countries that recorded the highest number of non-cash transactions per capita in 2006 were Finland, with 294 transactions, including 153.9 via payment cards, followed by the Netherlands with 257 transactions, including 103.2 via payment cards and the UK with 239, including 111.4 by card (1).

2.2.2.   Spain was found to have the highest number of POS terminals in 2006, at 1 291 000; it recorded 1 276 transactions per terminal for an average amount of EUR 52. It was followed by France, with 1 142 000 terminals, 4 938 transactions per terminal, averaging EUR 51 each, and Italy with 1 117 000 terminals, 690 transactions per terminal, averaging EUR 93 each. The EU country with the highest number of transactions per terminal was Finland, with 7 799 transactions, averaging EUR 35 each, although with 105 000 terminals. Conversely, Ireland was the country with the highest average amount for individual credit and debit card transactions (EUR 94), although this was with 53 000 POS terminals (2).

2.2.3.   An EU-wide harmonised legal framework will enable service providers to rationalise payment infrastructures and services, and users to enjoy increased choice and a high level of protection.

2.3.   If it is to be possible to use these payment means in any part of the world, they must be efficient, easy to use, widely accepted, reliable and available at relatively low cost. Since efficiency is dependent on security, the highest economically-viable level of technical security needs to be ensured, while improvements in security levels should be measured by monitoring fraud statistics and by setting specific security benchmarks.

2.3.1.   Increasingly widespread fraud can reduce consumers’ confidence in these payment systems and is seen as one of the main barriers to expanding e-commerce. A further consequence is the damage to the merchant's reputation and to the perception of consumers regarding the level of security of such systems.

2.4.   Trans-national fraud is more frequent than that within individual countries, particularly where it is connected with remote payment transactions, especially via the Internet. According to Commission data (3), payment card fraud for the year 2000 amounted to EUR 600 million, or about 0.07 % of that year's turnover in the payment card sector, with a bigger increase reported in remote payments (by telephone, post or Internet). More recent studies have shown that 500 000 businesses were involved in non-cash payment fraud in the EU in 2006, in respect of 10 million fraudulent transactions, leading to the loss of around EUR 1 billion – almost twice the 2005 figure. The countries most affected by this fraud were found to be the UK, France, Italy, Spain and Germany.

2.5.   As this fraud is a growing, cross-border problem, a pan-European, coherent, preventative strategy is needed; while the individual measures taken by the Member States may be effective, they are not sufficient to tackle the threat posed by payment fraud.

2.6.   To meet the needs of the market and build confidence in the use of new technologies, there is also a need to step up efforts to establish a secure electronic signature, in the context of the initiatives launched under Directive 99/93/EC of the European Parliament and of the Council of 13 December 1999. The electronic signature is also crucial if the e-government project is to take off. The STORK project, co-funded by the EU, is seeking to resolve problems related to system interoperability.

2.7.   The Commission has pointed out that fraud using stolen or counterfeit non-cash payment instruments is primarily carried out by criminal organisations, which often have a complex structure in terms of personnel, equipment and logistical support and operate on a cross-border basis. These organisations use sophisticated techniques to commit payment fraud on the Internet and to counterfeit payment cards. They are able to rapidly change their modus operandi to circumvent counter measures taken against them.

2.7.1.   Investigations have found that in the case of the more complex types of fraud criminal organisations usually follow certain standard, tried and tested procedures, which take the following form:

identification of target business, which a gang member breaks into at night or stays hidden in after closing time, with the aim of installing a sophisticated electronic device into the POS system connected to the till, in order to capture codes from the magnetic strip of payment cards as well as the relevant PIN numbers;

the data stored on these electronic devices is then retrieved either physically or electronically – using GSM or Bluetooth technology – to be then used to produce encoded plastic clones of payment cards, complete with PIN number;

the illegally reproduced credit and debit cards are then used to purchase goods or make cash withdrawals, also in countries other than those in which the codes were cloned.

3.   Community legal framework

3.1.   Given that one of the main objectives of the EU is to ensure a fully functioning internal market, of which payment systems are an essential part, specific measures have been introduced over a number of years aimed at shaping a common strategy against payment card fraud, and these are centred on two main strands:

measures to harmonise the terms of contract governing the relationship between cardholder and card issuer, as well as those governing payment procedures; and

measures by all Member States to make payment card fraud a criminal offence and provide for effective and dissuasive penalties.

3.2.   The first strand includes:

Commission Recommendation 87/598/EEC of 8 December 1987 on Relations between financial institutions, traders and service establishments, and consumers, leading to a European code of conduct for e-payments, aimed at ensuring the introduction of consumer protection systems;

Commission Recommendation 88/590/EEC of 17 November 1988 concerning the relationship between cardholder and card issuer, which calls on payment card issuers to adopt common terms of contract on the security of the payment device and of related data, and on the cardholder's own obligations in the case of lost, stolen or illegally copied payment devices;

Commission Recommendation 97/489/EC of 30 July 1997, aimed at ensuring a high level of consumer protection in the field of electronic payment instruments. This recommendation specifies the minimum information that must be contained in the terms and conditions governing the issuing and use of an electronic payment instrument;

Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, which later gave rise to the anti-money laundering system, through provisions limiting the use of cash;

Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market, aimed at ensuring the coordination of national provisions on prudential requirements, the access of new payment service providers to the market, information requirements, and the respective rights and obligations of payment services users and providers.

3.3.   As regards the second strand, given the increase in fraud and the fact that preventative action had generally been taken at national level, the following measures have emerged:

Commission Communication COM(1998)395 on A framework for action on combating fraud and counterfeiting of non-cash means of payment, in which the Commission proposed a package of measures to promote an adequate security environment for payment instruments and the underlying systems;

Council Decision 2000/642/JHA of 17 October 2000, concerning arrangements for cooperation between financial intelligence units (FIUs) of the Member States in respect of exchanging information, which set minimum levels of cooperation between Member State FIUs;

Commission Communication COM(2001) 11 of 9 February 2001 on Preventing fraud and counterfeiting of non-cash means of payment, in which the Commission launched its 2001-2003 fraud prevention action plan for the EU. The plan states that prevention hinges on cooperation between the relevant public authorities and the payment systems industry. It pointed out that the most important improvements to be made were technical enhancements that increased payment security, e.g. the introduction of chip cards, mechanisms for prompt notification of loss or theft of payment instruments, and devices (such as a PIN or other code) to prevent or minimise as far as possible the possibility of committing fraud;

according to the plan, an essential element in any effective fraud prevention strategy was the exchange of information, specifically between banks and public authorities, within and between Member States. To this end, the plan called for the introduction of a mechanism to establish permanent dialogue between all stakeholders in the fight against fraud (credit card issuers, banking associations, network operators, Europol, national police forces, etc.). The Commission also proposed holding international conferences involving senior police officers and magistrates, to raise awareness of the problem of payment fraud and its impact on financial systems;

Council Framework Decision 2001/413/JHA of 28 May 2001, on combating fraud and counterfeiting of non-cash means of payment. This framework decision called on all Member States to provide for effective, proportionate and dissuasive criminal penalties, including penalties involving deprivation of liberty which could give rise to extradition, in the case of payment card fraud – carried out using IT or electronic equipment or other specifically adapted devices – involving:

theft or other unlawful appropriation of a payment instrument,

counterfeiting or falsification of a payment instrument in order for it to be used fraudulently,

receiving, obtaining, transporting, sale or transfer to another person, possession and fraudulent use of an unlawfully appropriated, counterfeited or falsified payment instrument,

unauthorised input, altering or suppression of computer data or unauthorised interference with the functioning of a computer programme or system,

fraudulent making, receiving, sale or design of instruments, computer programmes or any other means specifically adapted for the commission of such fraud;

The Decision also provided a specific framework for international cooperation, under which Member States must provide mutual investigative assistance in respect of proceedings relating to the offences provided for under this Decision. To this end, it stipulates that Member States shall designate operational contact points or may use existing operational structures for the exchange of information and for other contacts between Member States;

Commission Communication COM(2004)679 of 20 October 2004 on A new EU Action Plan 2004-2007 to prevent fraud on non-cash means of payment. With this action plan, the Commission intended to further strengthen the existing initiatives to prevent fraud so as to help maintain and increase confidence in payments, given the increasing incidence of data hacking and identity theft. The Commission's priorities were the security of payment products and systems and increased cooperation between public authorities and the private sector, to be achieved by:

strengthening and restructuring the work of the EU Fraud Prevention Expert Group,

the implementation of a coordinated approach by manufacturers of payment products, payment service providers and the relevant authorities to ensure users the highest economically-viable level of security for electronic payments,

information exchanges among stakeholders, aimed at early detection and notification of fraud attempts,

increasing cooperation among EU administrative authorities to prevent payment fraud and by boosting the fraud investigation abilities of national law enforcement bodies; and by

introducing new means of notification for lost and stolen cards in the EU.

4.   Comments and proposals

4.1.   Although the Community legal framework has been enhanced and strengthened, the exchange of information between public and private entities remains to be fully developed, as does effective cooperation among the relevant authorities of the Member States. To this end, and partly in view of the recent accession to the EU of new Member States, the provisions of the framework decision and the recommendations need to be transposed into the national laws of all EU countries.

4.1.1.   The main barrier to the effective implementation of a fraud prevention system has been identified by the Commission as the difficulty in exchanging data within the EU on both fraudsters and those deemed at risk. The 2004-2007 action plan thus stressed the need to harmonise data protection provisions within the EU so as to enable cross-border data exchange, partly by aligning existing EU data protection rules.

4.2.   To ensure effective preventative action, the Committee would propose considering the case for each competent national authority to establish a digital data base into which payment card companies would channel the following data: information on points of sale and on transactions susceptible to fraud; identification details of the points of sale and of the legal representatives of businesses whose contracts to accept payment card transactions have been terminated for security reasons or for fraudulent conduct reported to the police; identification details of transactions not recognised by the cardholder or reported to the police; and information on ATMs that have been tampered with for the purposes of fraud. With due respect for national legislation, this archive could be used, inter alia, to analyse criminal activity and to aid police cooperation, including at international level, aimed at preventing and prosecuting crimes committed via credit cards and other payment means.

4.3.   Besides the exchange of information on fraudsters, cooperation needs to be stepped up between the relevant authorities in the Member States, by means of new initiatives to extend the collection and exchange of data among stakeholders in fraud prevention, with particular regard to police forces and payment card companies.

4.3.1.   To this end, the existing cooperation structures for combating euro counterfeiting could be streamlined, so that the relevant national authorities would also be directly involved in the prevention of non-cash payment fraud.

4.3.2.   In this regard, consideration could be given to the possibility of tasking Europol – whose remit, since the Council Decision of 29 April 1999, covers the fight against the counterfeiting of cash and other payment means – with monitoring the drive to prevent and counter non-cash payment fraud with the following objectives:

to coordinate the administration of the data bases of all Member States containing information on payment card counterfeiting cases, allowing access to the competent authorities of other Member States for genuine investigative purposes;

to provide real-time notification, to payment card companies and issuers, of fraud cases detected in other Member States;

to facilitate exchanges of the information specified under Framework Decision 2001/413/JHA of 28 May 2001 among the Member States’ police forces and judicial authorities.

4.4.   In this context, the Committee would propose considering the case for creating a network for Member State police forces and investigative bodies involved in the fight against fraud and the counterfeiting of non-cash means of payment. This could facilitate direct information exchange by means of a certified electronic mail system, enabling access to data bases to be opened up.

4.4.1.   Such an initiative would require prior agreement on the specific data to be included in these archives and would have to be compatible with national legislation on privacy, in line with the provisions of Article 79 of Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007. However, it would be a real step forward in the fight against non-cash payment fraud, as it would provide investigative bodies with the information they need directly, in real time and without excessive bureaucracy. At all events, minimum standards should be set at EU level on the type of information that can be exchanged, so as to ensure a common platform of data that can be used to combat fraud, with due respect for the provisions of Directive 1995/46/EC on personal data protection.

4.5.   The greatest obstacle to curbing fraud within the EU lies in the inconsistency of legislation across the Member States with regard to powers of inquiry, as well as the varying degrees of deterrence. This means that fraud is particularly prevalent in countries where investigators’ powers of inquiry are less pervasive or where penalties are insufficient to act as a deterrent. Harmonising national legislation seems therefore the only way to effectively curb this kind of fraud, given that, as already highlighted in the 2004-2007 action plan, previous initiatives have proved insufficient to combat the threat posed by payment card fraud.

4.5.1.   In this regard (4), there is a need to verify that the Member States have effectively transposed into their national criminal laws the offences referred to in Articles 2, 3 and 4 of Council Framework Decision 2001/413/JHA of 28 May 2001, concerning criminal offences related to payment instruments, computers and specifically adapted devices. While respecting Member States’ sovereignty, it should be checked that the penalties imposed for such offences are actually dissuasive, partly in terms of the extent of the statutory penalty provided for. At the same time, the penalties for fraud cases of comparable gravity should be harmonised at EU level, as already envisaged, for example, in the fight against money laundering.

4.6.   Adopting the proposed initiatives would enable an effective fight against fraud and facilitate the establishment of a SEPA (Single Euro Payment Area) in which non-cash payments can be made throughout the euro area, from a single account and under the same basic conditions, regardless of place of residence, removing any distinction between national and cross-border payments.

4.7.   The EU needs to step up its strategy to counter payment fraud and counterfeiting, through an array of different measures. Informing the public must be a key element, aimed at increasing awareness among credit and debit card users of the risks attached to non-cash payment instruments. Consumers who have not been warned could fall prey to the phenomenon of phishing, for example. The EU institutions should help to inform the public through European campaigns, coordinated by the Commission.

4.8.   Consumer and business associations have a key role to play in this: close cooperation between them could help establish an early warning system, increase awareness, and provide information on the most common and recently-discovered practices. To achieve this, targeted consumer information campaigns are needed, including practical, easily-accessible advice aimed at increasing knowledge of the workings of payment cards and of the immediate precautions to take where a cardholder suspects that they have been a victim of fraud.

4.9.   The commitment of Member States should also be reflected in tougher penalties for fraud, which need to be duly enforced. In the case of crimes committed in other EU countries and – for certain particularly serious offences – also in third countries, the relevant criminal law should be made universally applicable, extending the European judicial area. This practice is becoming more widespread, as are proposals to prosecute such offences and impose penalties. Given that payment fraud is generally carried out by organised gangs working across several countries, an effective instrument to combat such fraud would be the United Nations Convention against trans-national organised crime and the protocols thereto, adopted by the General Assembly on 15 November 2000 and 31 May 2001, which provides for stringent measures in the case of such trans-national crime.

Brussels, 23 October 2008.

The President

of the European Economic and Social Committee

Mario SEPI


(1)  Source of data: European Commission, COM(2005) 603 final, Proposal for a Directive of the European Parliament and of the Council on payment services in the internal market, SEC(2005) 1535.

(2)  Source of data: appendix to the 2007 annual report of Banca d’Italia. The figures derive from data provided by the ECB, BIS, Poste Italiane S.p.A. and Banca d’Italia.

(3)  Source of data: European Commission, COM(2004) 679 final of 20.10.2004, Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee, the European Central Bank and Europol A new EU Action Plan 2004-2007 to prevent fraud on non-cash means of payment, SEC(2004) 1264.

(4)  The Commission staff working document (SEC(2008) 511 of 22.4.2008) Report on fraud regarding non cash means of payments in the EU: the implementation of the 2004-2007 EU Action Plan stresses the need for effective sanctions, given that the penalties applied in certain Member States are too low to be dissuasive, as has emerged from two reports presented by the Commission in April 2004 [COM(2004) 356] and February 2006 [COM(2006) 65] on the measures taken by the Member States to implement Council Framework Decision 2001/413/JHA of 28.5.2001.

