EUROPEAN COMMISSION

Brussels, 13.9.2017

SWD(2017) 298 final

COMMISSION STAFF WORKING DOCUMENT

IMPACT ASSESSMENT

Accompanying the document

Proposal for a Directive of the European Parliament and the Council on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA

{COM(2017) 489 final}
{SWD(2017) 299 final}

Contents

1.     WHAT IS THE PROBLEM AND WHY IS IT A PROBLEM    

1.1.     Policy context    

1.2.     Definition and magnitude of the problem    

1.2.1. Payments    

1.2.2. Non-cash payments    

1.2.3. Fraud in non-cash payments    

1.2.4. Why is it a problem    

1.3.     Problem drivers    

1.3.1. Some crimes cannot be effectively investigated and prosecuted under the current legal framework    

1.3.2. Some crimes cannot be effectively investigated and prosecuted due to operational obstacles    

1.3.3. Criminals take advantage of gaps in prevention to commit fraud    

1.4.     Who is affected and how    

1.5.     What is the EU dimension of the problem    

1.6.     How would the problem evolve, all things being equal    

1.7.     Evaluation of the existing policy framework    

2.     WHY SHOULD THE EU ACT    

3.     WHAT SHOULD BE ACHIEVED    

3.1.     General policy objectives    

3.2.     Specific policy objectives    

3.3.     Consistency with other EU policies and objectives    

4.     WHAT ARE THE VARIOUS OPTIONS TO ACHIEVE THE OBJECTIVES    

4.1.     Mapping of policy measures    

4.2.     Analysis of policy measures    

4.2.1.     Policy measures retained    

4.2.2.     Policy measures discarded    

4.3.     Policy options    

4.3.1.     Option O: baseline    

4.3.2.     Option A: improve implementation of EU legislation and facilitate self-regulation for public-private cooperation    

4.3.3.     Option B: introduce a new legislative framework and facilitate self-regulation for public-private cooperation    

4.3.4.     Option C: same as option B but with provisions on encouraging reporting for public-private cooperation instead of on self-regulation, and new provisions on raising awareness    

4.3.5.     Option D: same as option C but with additional jurisdiction provisions complementing EIO and injunction rules    

5.     WHAT ARE THE IMPACTS OF THE DIFFERENT POLICY OPTIONS    

5.1.     Qualitative assessment    

5.1.1.     Social impact    

5.1.2.     Economic impact    

5.1.3.     Fundamental rights impact    

5.2.     Quantitative assessment    

5.3.     REFIT potential    

6.     HOW DO THE OPTIONS COMPARE    

6.1.     Comparison of options    

6.2.     Preferred option    

7.     HOW WOULD ACTUAL IMPACTS BE MONITORED AND EVALUATED    

ANNEX 1: PROCEDURAL INFORMATION    

ANNEX 2: STAKEHOLDER CONSULTATION    

ANNEX 3: WHO IS AFFECTED BY THE INITIATIVE AND HOW    

ANNEX 4: ANALYTICAL MODELS USED IN PREPARING THE IMPACT ASSESSMENT    

A4.1. Qualitative assessment    

A4.1.1. Qualitative assessment of the policy measures    

A4.1.2. Qualitative assessment of the policy options    

A4.2. Quantitative assessment    

A4.2.1. Quantitative assessment of the policy measures    

A4.2.2. Quantitative assessment of the policy options    

ANNEX 5: EVALUATION OF THE EXISTING POLICY AND LEGISLATIVE FRAMEWORK    

ANNEX 6: GLOSSARY    

1.WHAT IS THE PROBLEM AND WHY IS IT A PROBLEM 

1.1.Policy context

The Framework Decision

The current EU legislation that provides common minimum rules to criminalise non-cash payment fraud is the Council Framework Decision 2001/413/JHA on combating fraud and counterfeiting of non-cash means of payment 1 .

The Framework Decision was part of the first EU Fraud Prevention Action Plan 2001, 2 which aimed to improve the prevention of fraud and counterfeiting of non-cash payments, especially by extending the cooperation and exchange of information for investigation and prosecution between the competent authorities of the Member States and by boosting the fraud prevention measures.

The main components of the Framework Decision are:

·Definition of "payment instrument" as any physical (“corporeal”) payment instrument which can be used to transfer money or monetary value and is protected against imitation or fraudulent use.

·Identification of different forms of behaviours requiring criminalisation in relation to fraud and counterfeiting of non-cash means of payments: offences related to payment instruments (e.g. theft, counterfeiting, falsification, receiving or selling fraudulent use stolen or counterfeited payment instruments, use of a stolen or counterfeited payment instrument); offences related to computers (i.e. performing or causing a transfer of money by introducing, altering, deleting or suppressing computer data or by interfering with the functioning of a computer programme or system); offences related to specifically adapted devices (e.g. fraudulent making, receiving, obtaining, sale or transfer to another person or possession of instruments, articles, computer programmes and any other means peculiarly adapted for the commission of counterfeiting or falsification of a payment instrument).

·Rules on liability and sanctions for legal persons, provisions on establishing jurisdiction on offences relating to non-cash payment fraud, on extradition and prosecution and rules to facilitate cross-border cooperation and exchange of information.

EU policy and legislative context

The policy and legislative context has significantly changed since the Framework Decision was adopted. Various legislative acts at EU level have been adopted since 2001, both in criminal and civil law, which:

1.provide pan-European cooperation mechanisms in criminal matters that facilitate coordination of investigation and prosecution (procedural criminal law). These include:

oCouncil Framework Decision 2002/584/JHA on the European Arrest Warrant and the surrender procedures between Member States 3 (EAW), which sets conditions for compulsory extradition for offences covered by the Framework Decision (e.g. “fraud, including that affecting the financial interests of the European Communities”, “forgery of means of payment”, “computer-related crime”, “participation in a criminal organisation”) when they are punished by a certain level of penalties. Member States can no longer refuse to extradite to another Member State citizens on the sole grounds of nationality, in case the offences committed are punishable by a custodial sentence or a detention order for a maximum period of at least three years. The European Arrest Warrant may apply for offences punishable by imprisonment or a detention order for a maximum period of at least 1 year or where a final custodial sentence has been passed or a detention order has been made, for sentences of at least 4 months.

oConvention on Mutual Assistance in Criminal Matters between the Member States of the European Union 4 , which sets up the conditions when the mutual assistance shall be afforded.

oDirective 2014/41/EU regarding the European Investigation Order in criminal matters 5 , which updates the legal framework applicable to the gathering and transfer of evidence between Member States, based on mutual recognition of judicial decisions. It allows an authority in one Member State (the "issuing authority") to request specific criminal investigative measures be carried out by an authority in another Member State (the "executing authority").

oCouncil Framework Decision 2005/214/JHA on the application of the principle of mutual recognition to financial penalties 6 , which facilitates the enforcement of financial penalties in cross-border cases, wherever in the EU they may have been imposed. It abolishes dual criminality checks in relation to 39 listed offences, which include fraud as well as counterfeiting of currency.

oCouncil Framework Decision 2009/948/JHA on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings 7 , which aims to improve judicial cooperation between Member States so as to prevent unnecessary parallel criminal proceedings concerning the same facts and the same person. It lays out the procedure whereby competent national authorities contact each other when they have reasonable grounds to believe that parallel proceedings are being conducted in another EU country. It also establishes the framework for these authorities to enter into direct consultations when parallel proceedings exist, in order to find a solution to avoid the negative consequences arising from these proceedings.

oCouncil Framework Decision 2009/315/JHA on the organisation and content of the exchange of information extracted from the criminal record between Member States 8 , which sets out the general principles for the functioning of the exchange of criminal records between EU countries, alongside Council Decision 2009/316/JHA on the establishment of the European Criminal Records Information System (ECRIS) 9 in application of Article 11 of Framework Decision 2009/315/JHA, which establishes ECRIS. They seek to prevent criminals from escaping their past by moving to a different EU country from that in which they were convicted. They do this by ensuring that information on all their convictions is available when needed, irrespective of the EU country in which they were convicted. They set an obligation for an EU country convicting a national of another EU country to transmit information on such conviction to the country of his nationality and define the obligations of the EU country of which the person is a national to store the received information on convictions as well as the procedures which that EU country is to follow when replying to requests for information about its nationals.

oDirective 2012/29/EU establishing minimum standards on the rights, support and protection of victims of crime 10 , which provides minimum standards on the rights, support and protection of victims of crime, ensuring that they receive appropriate information, support and protection and may participate in criminal proceedings wherever the damage occurred in the EU. These victims must have the right to, e.g., recover stolen property, have their expenses reimbursed, receive legal aid and have their case heard in court.

oCouncil conclusions on improving criminal justice in cyberspace 11 , in which the Council called on the Commission to take concrete actions based on a common EU approach to improve cooperation with service providers, make mutual legal assistance more efficient and to propose solutions to the problems of determining and enforcing jurisdiction in cyberspace. In response to these conclusions, The Commission conducted an expert consultation process and summarized its results in a non-paper 12 , presented to the Council on June 8 2017, which may result in a legislative initiative.

oRegulation (EU) 2016/794 on Europol 13 , which sets up the rules for Europol, in particular its:

§objectives, including mutual cooperation amongst EU countries in preventing and combating terrorism, serious crime affecting two or more EU countries and forms of crime which affect a common interest covered by EU policy;

§tasks, including collecting, storing, processing, analysing and exchanging information including criminal intelligence, as well as coordinating, organising and implementing investigative and operational actions to support Member States and supporting EU countries in combating crime enabled, promoted or committed using the internet), and

§scrutiny, including monitoring of Europol’s processing of personal data.

oCouncil Decision 2002/187/JHA setting up Eurojust 14 , which facilitates cross-border judicial cooperation in criminal matters.  

2.criminalise conduct related to fraud and counterfeiting of non-cash means of payment (substantive criminal law). These include:

oDirective 2013/40/EU on attacks against information systems 15 , which establishes minimum rules concerning the definition of criminal offences and the relevant sanctions, and to improve cooperation between competent authorities.

oDirective 2014/62/EU on the protection of the euro and other currencies against counterfeiting by criminal law 16 , which establishes minimum rules concerning the definition of criminal offences and sanctions, and introduces provisions to strengthen investigation of offences and cooperation against counterfeiting.

oDirective 2017/541/EU on combating terrorism 17 , which criminalises providing or collecting funds with the intention or the knowledge that they are to be used to commit terrorist offences and offences related to terrorist groups or terrorist activities.

oThe Proposal for a Directive on countering money laundering by criminal law 18 , which establishes minimum rules on the definition of offences and sanctions related to money laundering. At present, there are differences in the definition of money laundering offences and sanctions applied across the EU. These differences negatively affect cross-border police and judicial cooperation and may lead to “forum shopping” by offenders choosing to commit their crimes in the jurisdictions providing for lower sanctions. Non-cash payment fraud and cybercrime are included in the list of “predicate offences” (the underlying criminal activities generating the proceeds which are then laundered).

3.regulate the payment process, in particular to facilitate secure payments across the EU. These include:

oRevised Payment Services Directive (PSD2) 19 , which defines a comprehensive framework for the provision of payment services in the European Economic Area by, among others:

§setting higher security standards for payments and better protecting consumers against current threats;

§defining key terms such as “payment instrument”;

§specifying the conditions for the liability of the services provider and the payer;

§providing for mandatory reporting to the competent authority of major operational or security incident relating to the account information service provider or the payment initiation service provider.

§requiring Member States to ensure that payment service providers provide, at law enforcement on an annual basis, statistical data on fraud relating to different means of payment.

oDirective 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, 20 (the fourth Anti-Money Laundering Directive), which aims at better identifying suspicious transfers (including those resulting from non-cash payment fraud) and communicating them through suspicious transaction reports to national Financial Intelligence Units (FIUs).

The extension of the scope of the fourth Anti-Money Laundering Directive to virtual currencies exchange platforms and custodian wallet providers is currently under discussion. It aims to ensure a clearer regulatory framework and more transparency (due diligence) for exchanges between virtual and fiat currency.

oRegulation (EU) 2015/847 on information accompanying transfers of funds 21 , which sets out rules on the information on payers and payees, accompanying transfers of funds, in order to help prevent, detect and investigate money laundering and terrorist financing.

oRegulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market 22 (Electronic Identification and Trust Services (eIDAS) Regulation), which aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce by, e.g. removing existing barriers to the use of eID in the EU.

oRegulation (EU) 2012/260 establishing technical and business requirements for credit transfers and direct debits in euro 23 , which created the Single Euro Payments Area (SEPA) and supported the integration of the euro payments market by developing harmonised payment schemes, frameworks for electronic euro payments and mobile and online payments.

oDirective (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive) 24 , which aims at enhancing the overall level of cybersecurity in the EU. It provides Member States with a coordination mechanism to support a swift and good operational cooperation on specific cybersecurity incidents and the sharing of information about risks.

In addition to the above legislative acts, the legislation resulting from the data protection reform 25 is of critical importance in the context of combatting non-cash payment fraud:

·Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data 26 (General Data Protection Regulation).

·Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data 27 .

Last but not least, the fight against non-cash payment fraud needs to be seen in the context of three important EU policies:

·the European Agenda on Security 28 , which sets out the principles for EU action to respond effectively to security threats and the main steps planned by the European Commission to implement these, and identifies the 3 priorities for immediate action, by both national governments and the EU institutions, which share responsibility for EU security: 1) preventing terrorism and countering radicalisation; 2) fighting organised crime; 3) fighting cybercrime.

·the EU Cybersecurity Strategy 29 , which aimed at creating the world’s most secure online environment in the EU, by providing for partnerships with the private sector and non-governmental organisations or interest groups, and concrete action to protect and promote citizens’ rights. The current 2013 version is being revised and an updated strategy is expected by the end of 2017.

·The Digital Single Market Strategy 30 , which sets out 16 targeted actions based on 3 pillars: 1) Better access for consumers to digital goods and services across Europe, 2) Creating the right conditions and a level playing field for digital networks and innovative services to flourish and 3) Maximising the growth potential of the digital economy.

The Framework Decision today 31

The Framework Decision contributes to the above EU policy context by covering with criminal law a specific set of offences related to the payment process, i.e. those involving fraud and counterfeiting of non-cash means of payment.

That said, the European Agenda on Security acknowledges that the Framework Decision no longer reflects today’s realities and insufficiently addresses new challenges and technological developments such as virtual currencies and mobile payments.

While a full evaluation according to the Commission's Evaluation Guidelines was still to be conducted, by the publication of the European Agenda of Security in 2015 other exercises had provided information about the state of implementation and the strengths and weaknesses of the current legal framework. Two implementation reports were completed in 2004 32 and 2006 33 . In addition, relevant national provisions on non-cash payment fraud had recently been analysed under a Commission study on criminal sanction legislation and practice in representative Member States. 34 Furthermore, operational action under the EU policy cycle to tackle organized and serious international crime 35 had provided additional evidence as to the effectiveness of the existing rules.

Consequently, the Commission committed in the European Agenda of Security to review the existing legislation on combatting fraud and counterfeiting of non-cash means of payments.

President Juncker reiterated that commitment by including improved rules on fraud in non-cash payments in his September 2015 Letter of Intent, initially planned for delivery in 2016:

"Priority 7: An Area of Justice and Fundamental Rights Based on Mutual Trust

-Follow up to the European Agenda on Security, including a proposal reviewing the framework decision on terrorism, improved rules on firearms and fraud of non-cash payments, and corresponding operational measures" 36

Stakeholders and citizens had the opportunity to express their views in an open public consultation through an online questionnaire that was accessible from 1/3 to 24/5/2017. The Commission organized as well targeted consultations with stakeholders from the public and private sector and civil society organisations. An external contractor also organized targeted consultations through interviews and an online survey, within a study on the evaluation of the current policy and legislative framework and impact assessment.

In general, stakeholders expressed doubts about the relevance, effectiveness and added value of the Framework Decision, and indicated the need to improve cooperation between national authorities and between public authorities and the private sector.

1.2.Definition and magnitude of the problem 

1.2.1. Payments

There are 3 main parties in any payment: the one who pays (payer), the one who gets paid (payee) and the one who executes the payment (enabler).

The payer shares with the enabler the necessary information to authorize it to give the funds to the payee, who in return provides products or services to the payer.

Figure 1: main parties and exchanges in a payment

Source: European Commission

For example, when someone (payer) buys a book in an online shop (payee), he shares with his bank and credit card company (enablers) the necessary information to trigger the execution of the payment and give the online shop the money in exchange for the book.

As the example above illustrates, there are three types of enablers:

1.Financial institutions (e.g. a bank): provide the monetary value.

2.Payment instruments (e.g. a credit card): provide the vehicle to convey the monetary value.

3.Providers of other services related to the execution of the payment (e.g. enablers of a credit card transaction).

In cash payments, a central bank provides the monetary value, which is conveyed in bills and coins (payment instruments). In non-cash payments there is a wider variety of payment instruments.

1.2.2. Non-cash payments

Taxonomy

The most common non-cash payment instruments are payment cards (credit and debit), credit transfers, direct debits, cheques, e-money, virtual currencies, mobile money, vouchers (e.g. tickets restaurant), coupons and fidelity cards.

Magnitude of the problem

The total value of non-cash payment transactions with cards, credit transfers, direct debits, cheques and e-money has been increasing in Europe in the last years:

Figure 2: value of transactions in key non-cash payment instruments in the EU 37

Source: European Central Bank, Payment Statistics , September 2016

The decrease in the value of transactions with cheques and direct debit has been compensated by the significant increase in the value of transactions with the other payment instruments, in particular credit transfers, which account for more than 90% of the total.

The total number of non-cash payment transactions with cards, credit transfers, direct debits, cheques and e-money has also been increasing in Europe in the last years:

Figure 3: number of transactions in key non-cash payment instruments in the EU 38

Source: European Central Bank, Payment Statistics , September 2016

The decrease in the number of transactions with cheques has been more than compensated by the significant increase in the number of transactions with the other payment instruments.

Payments with virtual currencies have also dramatically increased in the last years globally, both in value and number:

Figure 4: value and number of transactions with bitcoin globally 39

Source: blockchain.info/stats, accessed on June 2017

Although the data on mobile payments is limited, a 2016 study indicated that 54% of European consumers regularly use their mobile device to make payments, three times as many as in 2015. 40

For vouchers, coupons and fidelity cards no data about market size and number of transactions could be located, although these payment instruments are likely to represent a very small fraction of the total number of transactions and value of non-cash payments.

1.2.3. Fraud in non-cash payments

Taxonomy

Fraud can affect each of the 3 main parties/stages in a payment described in figure 1.

In non-cash payments, fraud takes the following forms in each of the stages:

1)Trigger the execution of payments by using payer information fraudulently.

The fraudster gets hold of the information required to trigger the execution of a payment and uses it for his own benefit, against the will of the legitimate owner of the funds.

There are multiple methods to collect that information: phishing, skimming, pharming 41 … or simply acquiring it from someone else.

Once the fraudster has acquired the necessary information, he can use payment instruments (in particular non-corporeal such as card credentials, credit transfers, direct debit and virtual currencies) to trigger the execution of a payment.

2)Execute payments by tampering with or stealing the payment instrument.

·Tampering with payment instruments:

oCounterfeiting: e.g. of cards (credit/debit, fuel, loyalty) out of stolen card credentials to pay in stores or withdraw cash in ATMs; counterfeiting of cheques, vouchers or coupons, etc.

oHacking of information systems to process payments: e.g. tampering with points of sale for card transactions; unlawfully increase the credit card limit to allow excess expenses go undetected, etc.

·Stealing payment instruments.

3)Fail to provide the product/service after receiving the payment.

This type of payment fraud covers the various forms of scams, from failing to deliver the product/service as initially agreed, to tricking the payer to trigger the payment (e.g. CEO fraud, in which the attacker pretends to be the CEO of a company and tricks an employee at the organisation into wiring funds to the fraudster). This third category is out of the scope of this impact assessment.

Magnitude of the problem

Fraud data exists only for card fraud which, as shown in figure 3, is the most important non-cash payment instrument in terms of number of transactions. 42  

There are two kinds of card fraud:

oThe card is present, e.g. using a counterfeit card to withdraw cash from an ATM or to pay in a point of sale in a shop.

oThe card is not present, e.g. when using stolen card credentials to buy goods online.

The total value of card fraud using cards issued in the Single European Payment Area (SEPA) amounted to €1.44 billion in 2013 (most recent data available 43 ), of which 66% (€950 million) corresponded to card-not-present fraud and 34% (€490 million) to card-present fraud (of which 20% to point-of-sale (POS) and 14% to ATM fraud). This represented 0.039% of the total value of card transactions:

Figure 5: evolution of the total value of card fraud using cards issued within SEPA 44

Source: European Central Bank, Fourth Report on Card Fraud , 2015

The total number of fraudulent transactions using cards issued in SEPA amounted to 11.29 million in 2013, of which 71% corresponded to card-not-present fraud and 29% to card-present fraud (of which 20% to POS and 9% to ATM fraud). This represented 0.020% of the total number of card transactions:

Figure 6: evolution of the total volume of card fraud using cards issued within SEPA 45

Source: European Central Bank, Fourth Report on Card Fraud , 2015

As figures 5 and 6 indicate, card-not-present fraud not only constitutes the largest share of card fraud but also a share that has increased in the last years, both in value and in number of transactions. Moreover, the increase in the total amounts of card fraud in the last years (both in value and in number of transactions) has been mainly driven by the increase in card-not-present fraud.

Card-present fraud (i.e. ATMs and POS terminals) decreased in 2013, due to: 46

·Near completion of migration to the EMV standard (cards with chip) within SEPA.

·Wider use of blocking overseas transactions using EU-issued cards unless they have been activated in advance.

·Increased physical security measures at the terminal (e.g. lids to protect PIN entry, skimming device detectors, etc…).

·Deactivation of the option to fall back to magnetic stripe usage for cards.

Card-present fraud is roughly equally divided in value into counterfeiting (45%) and fraud using lost or stolen cards 43% (2013). 47

1.2.4. Why is it a problem

Box 1 puts into perspective the magnitude of the problem described above:

Box 1: the magnitude of the problem put into perspective

The most problematic aspect of non-cash payment fraud is that it represents a threat to security. In addition, it is an obstacle to the digital single market.

A threat to security

Non-cash payment fraud provides income for organized crime and therefore enables other criminal activities such as terrorism, drug trafficking and trafficking in human beings. In particular, according to Europol, non-cash payment fraud income is used to finance:

·Travel:

oFlights: the experience gained from conducting the Global Airline Action Day 51 operations from 2014 to 2016 indicates a clear link between non-cash payment fraud, airline ticketing fraud and other serious and organised crimes, including terrorism. Some of the people travelling on fraudulently obtained tickets were known or suspected to be involved in other offences.

oOther travel fraud (i.e. selling and travelling on tickets that have been obtained fraudulently). The main way to purchase illegal tickets was through the use of compromised credit cards. Other methods included, e.g. the use of compromised loyalty point accounts, phishing travel agencies and voucher fraud. In addition to offenders, those travelling on fraudulently obtained tickets included victims of trafficking and people acting as ‘money mules’.

·Accommodation: law enforcement also reports that non-cash payment fraud is also used to facilitate other crimes that require temporary accommodation such as trafficking in human beings, illegal immigration or drug trafficking.

Europol also reported that the criminal market for payment card fraud in the EU is dominated by well-structured and globally active organised crime groups. 52

Whereas 0.0039% of the value of all card transactions being lost to fraud may seem a small percentage, this represents a total amount of at least EUR 1,44 billion per year going to fund organized crime groups. This amount is likely to increase, as described later in section 1.6 (“How would the problem evolve”), mainly fuelled by the increasing digitalisation of the economy and the emergence of new payment instruments (technological innovation).

An obstacle to the digital single market

Non-cash payment fraud hinders the development of the digital single market in two ways:

·It causes important direct economic losses. Section 1.2.3 quantified non-cash payment fraud in Europe in terms of the amount of direct fraud losses for which there is data available (card fraud). For example, the airlines lose around USD 1 billion per year globally in card fraud. 53  

·It reduces consumers' trust, which may result in reduced economic activity and limited engagement in the digital single market. According to the most recent Eurobarometer on Cyber Security, 54 the vast majority of Internet users (85%) feel that the risk of becoming a victim of cybercrime is increasing. Whereas the probability of 0.002% (1 in 5000) of a card transaction being fraudulent may seem small, the perception of insecurity has 42% of users are worried about the security of online payments. Because of security concerns, 12% are less likely to engage in digital transactions such as online banking.

1.3.Problem drivers

To analyse in detail the problem of non-cash payment fraud and identify its drivers, the Commission conducted an evaluation of the Framework Decision (see annex 5). The evaluation also analysed other EU legislative instruments put in place since the adoption of the Framework Decision, which are relevant to tackling non-cash payment fraud, and incorporated the input from the public consultation and expert meetings organized by the European Commission.

The evaluation detected three problem drivers:

1.Some crimes cannot be effectively investigated and prosecuted under the current legal framework.

2.Some crimes cannot be effectively investigated and prosecuted due to operational obstacles.

3.Criminals take advantage of gaps in prevention to commit fraud.

The problem drivers indicate that the issue at hand is mostly a regulatory failure, where the current EU legislative framework (the Framework Decision) has become partially obsolete, due mainly to technological developments. The evaluation indicated that this regulatory gap has not been sufficiently covered by more recent legislation, as the analysis of the problem drivers below will also highlight.

The drivers are divided into the following sub-drivers:

Table 1: drivers and sub-drivers

1.3.1. Some crimes cannot be effectively investigated and prosecuted under the current legal framework

a.Certain crimes cannot be prosecuted effectively because offences committed with certain payment instruments (in particular non-corporeal) are criminalised differently in Member States or not criminalised.

The Framework Decision contains a definition of payment instrument (Art. 1(a)) that technological developments have rendered obsolete.

The definition does not explicitly include non-corporeal payment instruments such as virtual currencies, e-money and mobile money, which are growing in importance as previously described and as stakeholders highlighted in the consultation.

It could be understood that non-corporeal instruments are implicitly included in Art. 3 on offences related to computers, which requires Member States to sanction fraudulent forms of conduct relating to the use of computer data and computer programmes or systems. However, the Framework Decision does not include any definition of “computer data” or “computer programme/system”, and therefore it is not possible to clearly identify the types of payment instruments that are covered. For example, does “computer” include mobile devices? Does computer data relate only to data stored in computers or is data stored in ‘the cloud’ also covered? The lack of a definition of “computer data” or “computer programme/system” creates a grey area in a criminal law instrument, not properly covering behaviours that are gaining more and more importance through the increasing dematerialisation of payment instruments and the opportunities that Internet offers for payment transactions.

Also, without a technology neutral definition, not only the payment instruments currently explicitly mentioned risk becoming obsolete (e.g. as eurocheques and eurocheque cards have already become) but also, if new payment instruments emerge in the future, it is unclear whether the Framework Decision would be able to cover them.

The Payment Services Directive (PSD2) 55 contains a broader definition of payment instrument: 56  

“Payment instrument shall mean any personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used by the payment service user in order to initiate a payment order.”

The formulation “set of procedures” covers non-corporeal payment instruments and in particular e-money. This definition includes most of the main non-cash means of payment, i.e. those covered by the Framework Decision plus e-money, mobile money, virtual cards, electronic ticket restaurants, virtual coupons and electronic wire transfers and direct debits.

Since the Payment Services Directive is not a criminal law instrument, the fact that the definition in it covers a number of non-corporeal payment instruments does not imply that offences involving these instruments are criminalised.

In addition, this definition is not entirely technology neutral as it does not cover those that do not initiate a payment order (e.g. fidelity/loyalty cards) and those that are not personalised (e.g. virtual currencies or some types of coupons).

The Attacks Against Information Systems Directive (AAIS) 57 is a criminal law directive which contains definitions of information system (a broader term than “computer”) and computer data: 58  

“(a) ‘information system’ means a device or group of inter-connected or related devices, one or more of which, pursuant to a programme, automatically processes computer data, as well as computer data stored, processed, retrieved or transmitted by that device or group of devices for the purposes of its or their operation, use, protection and maintenance;

(b) ‘computer data’ means a representation of facts, information or concepts in a form suitable for processing in an information system, including a programme suitable for causing an information system to perform a function;”

These definitions are general enough to encompass non-corporeal payment instruments.

That said, this Directive focuses on criminalizing attacks against information systems, which is not necessarily the same as non-cash payment fraud, as we will see in more detail in the offences section below. For example, it criminalises the illegal access to information systems but only when a security measure has been infringed. A fraudster using legitimate (but stolen) credit card credentials to shop online would not necessarily infringe any security measures.

The expert meetings and the consultation confirmed a gap in the current definitions as some payment instruments are not covered, considering it one of the most important obstacles to investigation and prosecution. In general, the lack of a technology neutral legal framework is a key factor behind the current regulatory failure that a potential initiative would need to address.

b.Preparatory acts for non-cash payment fraud cannot be prosecuted effectively because they are criminalised differently in Member States or not criminalised.

Using the taxonomy of non-cash payment fraud in section 1.2.3, based on figure 1, the stage of triggering the execution of payments by using payer information fraudulently includes two sets of behaviours: (i) preparatory acts, i.e. the collection (e.g. phishing, skimming), trade (e.g. carding websites), making available (e.g. dumping) and possession of payer information; (ii) the actual use of the payer information.

The Framework Decision covers the use of the payer information to trigger the execution of the payment in Art. 3 (“… without right introducing, altering, deleting or suppressing computer data, in particular identification data”). However, the use of unlawfully appropriated computer data covered by Art. 3, is criminalised only when offences intentionally result in a transfer of monetary value. This means that preparatory acts that precede fraud without being directly linked to it are excluded from Art. 3.

Moreover, Art. 4 covers the “fraudulent making, receiving, obtaining, sale or transfer to another person or the possession of computer programmes the purpose of which is the commission of any of the offences described under Art. 3.” This article also raises the issue of a lack of definition of a computer (programme). In addition, the use of these computer programmes is not explicitly mentioned and in some cases it may not be necessary to possess them to be able to use them (e.g. they might be used from the cloud).

Art. 5 covers “attempt” but since it does not contain a definition of “attempt”, it is not possible to determine whether preparatory acts would be included.

Experts from the Member States confirmed the need for a criminalisation at EU level of preparatory acts (in particular phishing), during the expert meetings.

The Attacks Against Information Systems Directive criminalises the “intentional production, sale, procurement for use, import, distribution or otherwise making available… of… a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.” 59 , with the intention to gain illegal access to information systems by infringing a security measure. 60 As discussed earlier, a fraudster using legitimate (but stolen) credit card credentials to shop online would not necessarily infringe any security measures.

c.Cross-border investigations can be hampered because the same offences are sanctioned with different levels of penalties across Member States.

The Framework Decision requires Member States to set up criminal penalties that are effective, proportionate and dissuasive, without specifying minimum levels. As a consequence, Member States have adopted different levels of penalties.

Whereas all Member States include, at least for serious cases, penalties of imprisonment, these vary significantly. For example, figure 7 shows the variation in the level of maximum number of years of imprisonment for counterfeiting or falsification of payment instruments (Art. 2(b)):

Figure 7: maximum penalties across Member States for Art. 2(b) offences

Source: EY

The Attacks Against Information Systems Directive determines maximum level of penalties of at least 2 years for the offences it contemplates (illegal access to information systems, illegal system interference, illegal data interference, illegal interception, offences related to tools for committing offences and inciting, aiding, abetting and attempt). It also determines maximum level of penalties for aggravating circumstances from at least 3 years to at least 5 years, depending on the situation.

Directive 2015/849/EU on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (fourth Anti-Money Laundering Directive) defines a range of administrative sanctions and measures which can be imposed to obliged entities that do not comply with the preventative framework put in place by this Directive.

There were different views expressed at the expert meetings concerning the need to have a certain level of penalties specified in EU legislation. Some experts saw value in having similar level of offences across the EU, to facilitate cross-border cooperation and ensure a minimum level of deterrence. Other experts questioned the deterrence effect of penalties versus other factors such as the likelihood of being arrested. They also questioned the “forum-shopping” effect, where criminals would tend to operate in countries with lower levels of penalties, by arguing that, if it were true, it would be happening already, but there is no evidence of that. They expressed preference for determining the sanctions based on the gravity of the crime, rather than to facilitate investigations (some investigative tools are only available to crimes that have a certain level of penalties, see the section on cross-border cooperation below). That said, there was a certain consensus of having a level of penalties set at EU level coherent with other EU instruments (e.g. Attacks Against Information Systems Directive, European Arrest Warrant…), as long as it was limited to serious offences.

d.Deficiencies in allocating jurisdiction can hinder effective cross-border investigation and prosecution.

The Framework Decision specified a limited set of situations in which a Member State could claim jurisdiction: when the offence was either committed in its territory, or abroad by one of its nationals (on condition of double criminality, i.e. provided that it was also an offence abroad) or for the benefit of a legal person stablished in its territory. The last two situations could be optional based on whether the Member State extradited its nationals, a possibility that the European Arrest Warrant has rendered partially obsolete (see extradition section below).

The biggest challenge concerning jurisdiction in non-cash payments is the cross-border nature of the crime combined with the access to digital evidence, as non-cash payment fraud increasingly has a digital component.

To give an idea of the complexity of the issue, please consider the case of Hans, a German national working and living in Poland, where he has his bank account. Unfortunately, while on vacation in Romania, his credit card details were stolen via skimming when he paid a taxi that was cooperating with an organized crime group. This group sold his credit card details to a carding website hosted in the Netherlands, where a Portuguese national bought his card details for just €20. He later used them from his apartment in Italy (or at least from an IP address that pointed to Italy but he might very well have used a VPN to connect from his summer house in the Portuguese Algarve), to buy goods online in a website hosted in France (but belonging to a multinational company based in Ireland) to be shipped from Spain to his cousin in Luxembourg.

While this is a fictional case, representatives from law enforcement, the judiciary and the private sector described in the expert meetings similar situations, involving as many jurisdictions, to illustrate the challenges they face while investigating non-cash payment fraud. The main risk is that crimes might not be investigated because no country claims jurisdiction or that the lack of judicial cooperation makes the cross-border investigation process impossible in practice.

The Framework Decision provides limited tools to address these challenges. For example, coming back to Hans, when he sees the illegal activity in his credit card and informs the Polish authorities, they would not be able to claim jurisdiction on the basis of the Framework Decision only (offence neither committed in its territory nor by one of its nationals not for the benefit of a legal person established in Poland).

Overall, a majority of Member States (22) 61 have extended their jurisdiction beyond the requirements of the Framework Decision in a variety of ways. As pointed out in the expert meetings, these differences in the implementation increase the complexity of the attribution of jurisdiction of cross-border offences, which may result in longer prosecution times and, in some cases, no prosecution at all.

The Attacks Against Information Systems Directive includes broader jurisdiction rules than the Framework Decision, by, for example, eliminating the condition of double criminality and including situations in which the offender is physically present in the Member State, regardless of whether the information system attacked is in the same Member State, and vice versa, when the information system is in the Member State, regardless of where the offender is located.

The Commission committed in 2016 to addressing the challenges for investigations in cyber-enabled crimes in its Communication on Delivering on the European Agenda on Security 62 , aiming to propose solutions by the summer of 2017.

In its Conclusions on improving criminal justice in cyberspace 63 , adopted on 9 June 2016, the Council supported the Commission´s commitment and called on the Commission to take concrete actions based on a common EU approach to improve cooperation with service providers, make mutual legal assistance more efficient and to propose solutions to the problems of determining and enforcing jurisdiction in cyberspace. 

The Commission conducted an expert consultation process and summarized its results in a non-paper 64 , presented to the Council on June 8 2017, which may result in a legislative initiative.

1.3.2. Some crimes cannot be effectively investigated and prosecuted due to operational obstacles

a.It can take too much time to provide information in cross-border cooperation requests, hampering investigation and prosecution.

Stakeholders pointed out during the evaluation and consultation the fact that it takes a long time to receive the information requested from another Member State, when that information is received at all:

1)First, it takes time to set up the procedure to exchange the information between the Member States, in particular when this requires the authorisation of multiple authorities.

2)Second, it takes time for the Member State asking to understand what can be requested, and for the Member State asked what is being requested (including the urgency of the request), given the significant differences that still exist in their legislative frameworks, such as those concerning:

·Prescription periods, both in terms of duration and of the moment the period starts to count (e.g. when the offence is completed or when the victim discovers the fraud). The duration is usually linked to the severity of the maximum penalties, which, as discussed, vary significantly across Member States.

·Data retention rules, following the 2014 sentence of the Court of Justice of the European Union 65 declaring invalid the Data Retention Directive 66 , as well as data protection rules (to be harmonized with the new General Data Protection Regulation 67 , which enters into force in May 2018, and the directive regulating the processing of personal data by authorities 68 , which Member States have until May 2018 to transpose).

·Confiscation rules: while some Member States follow a “follow-the-money” approach and prioritise the asset recovery, other focus on tracking and retaining the perpetrator.

3)Last but not least, it takes time to produce the information requested:

·The information may not be ready available. When the information needs to be collected in the Member State, there can be coordination issues at the national level between law enforcement and judicial authorities for the exchange of information.

If an investigation needs to be open to collect the information, a new set of issues appears, such as:

§Lack of adequate investigative tools, in particular to investigate fraud with a cybercrime component (e.g. IT forensics, decryption, attribution).

§Lack of skills in law enforcement and the judiciary to deal with non-cash payment fraud cases of certain technological sophistication.

§Limited capacity of law enforcement, which causes other criminal offences to be prioritized over non-cash payment fraud (compared to other criminal offences, non-cash payment fraud is underreported, frequently involves a high volume of small financial losses, and has a relatively low level of penalties).

Also, the lack of public-private sector cooperation can hinder the ability to collect information promptly.

·When the information involves non-EU countries, as is often the case in e.g. skimming and counterfeiting of credit cards, a new level of complication and delays is added.

Stakeholders emphasized multiple times the important role that Europol plays in helping overcome each of these obstacles, setting up communication channels, helping understand the requests and supporting Member States with its analytical capabilities and technical expertise.

The Framework Decision contains two articles focused on cross-border cooperation: Art. 11 (mutual assistance) and Art. 12 (exchange of information).

Art. 12 requires Member States to designate operational contact points for the exchange of information. It does not specify who those contact points should be or how the network should work (e.g. service hours or maximum time to respond to requests).

The Attacks Against Information Systems Directive also contains provisions on exchange of information through a network of contact points, with additional requirements on service hours and maximum time to answer urgent requests of assistance.

b.Under-reporting to law enforcement due to constraints in public-private cooperation hampers effective investigations and prosecutions.

The Framework Decision does not include any provisions on public-private cooperation.

Stakeholders that contributed to the consultation widely considered public-private cooperation an enabler to tackle non-cash payment fraud across all levers, from investigation and prosecution and assistance to victims to prevention, given that information concerning non-cash payment fraud is spread across multiple private sector actors.

The evaluation and stakeholder consultation found that the main obstacles that prevent public-private cooperation from reaching its full potential relate to information sharing, both domestically and cross-border:

·Lack of clarity on the requirements on private sector to collect information (e.g. data protection and data retention rules), which may affect the admissibility of evidence in court.

·Limited implementation by payment service providers of systems to monitor, handle and follow up on general security incidents (e.g. data breaches) and security-related customer compliance, and to notify the competent authorities (e.g. law enforcement). However, it shall be taken into account that the new data protection legislation contains rules on personal data breaches.

A specific case of information sharing is mandatory reporting to law enforcement, which contributes to gain a better understanding of the fraud case and therefore enables a better response and prevention:

·Reporting obligations for payment services providers exist in the Payment Services Directive (PSD2), in cases of major operational or security incidents, and in the fourth Anti Money Laundering Directive, 69 for “obliged entities” (which include financial institutions), in case suspicious transactions are detected.

·A majority of Member States (16) 70 make it mandatory to report to law enforcement whenever there are suspicions raised with regard to the commission of an offence relating to payment instruments, computers and/or specifically adapted devices.

Under-reporting is common in non-cash payment fraud, due to:

·Poor information available to victims on the reporting systems in place, and the role of actors involved in their protection, which often differ from one Member State to another.

·The long-tail nature of non-cash payment fraud, a crime that typically affects a relatively large number of victims but each crime involves the loss of a relatively low value, which may discourage reporting (this allows fraudsters to draw less attention from users and payment service providers, which in turn encourages future fraud).

·Reputational concerns of businesses, for example to expose publicly that they have been victim of data breaches.

·The compensation to companies and individuals received by banks, which may cause that the victims abandon the proceedings as soon as the reimbursement has been received.

·Victims of fraud may blame themselves and/or fear that others will blame them for stupidity or even culpability.

·Limitations in current reporting systems (e.g. lack of reporting mechanisms for internet crimes, lack of feedback to victims that report, lack of reporting categories).

1.3.3. Criminals take advantage of gaps in prevention to commit fraud

a.Information sharing gaps in public-private cooperation hamper prevention.

The information sharing gaps described above also affect public-private cooperation efforts on prevention.

For example, stakeholders pointed out that limited information sharing between the private sector and public authorities prevents the early identification of new threats, which is critical to ensure effective prevention.

b.Criminals exploit the lack of awareness of victims.

Representatives from victims’ associations and other stakeholders pointed out that the lack of awareness of victims is a fundamental issue that drives non-cash payment fraud.

All types of stakeholders (payers, enablers and payees) could benefit from awareness raising campaigns to avoid falling victim of non-cash payment fraud. Cybercrime in general seems to be less known than the “regular” crimes and in some cases, taken less seriously, which increases the chances of becoming a victim of it.

To illustrate this, box 2 below describes how the lack of awareness of victims sustains the business model of phishing, a preparatory act for non-cash payment fraud:

Box 2: the economies of phishing 71

This driver focuses on prevention, which all types of stakeholders highlighted as an important area to be strengthened. Public-private cooperation can contribute to improving not only investigation and prosecution but also prevention. Therefore, the constraints to effective public-private cooperation appear in both drivers 2 and 3.

As specified in annex 5 (evaluation), most of the problems identified above (all except the long time needed to provide information in cross-border cooperation requests) can be attributed to shortcomings in the current EU legal framework rather than to a lack of implementation of existing EU rules.

The following problem tree summarizes the links between the drivers and the consequences of concern for the problem of non-cash payment fraud:

Figure 8: problem tree for non-cash payment fraud

1.4.Who is affected and how 

To guide the mapping of the stakeholders affected by non-cash payment fraud we can use the overview of the basic parties involved in a payment described in section 1.2.1. and shown in figure 1: those who pay (payers), those who get paid (payees) and those who execute the payments (enablers).

Payers

The payer shares with the enabler the necessary information to authorize it to give the funds to the payee, who in return provides products or services to the payer.

This information is therefore very valuable for criminals. When the payer is a natural person, this information contains personal data (e.g. name, date of birth, identity card number), as well as other information necessary to trigger the payment (e.g. PIN and other bank and security details for operating online services such as login name and password).

Criminals steal this information in a variety of ways (e.g. skimming, shimming, phishing, data breaches).

Payers are affected in two ways when criminals use this information to:

1)trigger fraudulent payments that entrain a financial loss for the payer, or

2)impersonate the victim and cause damage in multiple other forms, ranging from psychological and social distress to the various consequences of reputational damage (e.g. tangible ones like negative impact in credit rating history, criminal record or inclusion in defaulter lists, and intangible ones like damaged relationships).

Enablers

There are basically three types of enablers:

1.Financial institutions (e.g. a bank), which provide the monetary value.

2.Payment instruments (e.g. a credit card), which provide the vehicle to convey the monetary value.

3.Providers of other services related to the execution of the payment (e.g. enablers of a credit card transaction).

The enablers are referred to as “payment service providers” in the Payment Services Directive (PSD2).

Enablers suffer the consequences of fraud in two ways: through the loss of business opportunities due to lack of trust of the payers and through the direct losses caused by the fraud:

1)As described in the previous section, non-cash payment fraud reduces the trust of consumers, which may result in the unwillingness to use some payment services, in particular the digital ones. This results in lost business opportunities for the enablers offering those services.

2)When non-cash payment fraud occurs, there are direct economic costs. The PSD2 73 determines who bears these costs (i.e. the liability of the different actors), which, in most cases, is the enabler.

In general, payment service providers bear the financial consequences which occur after the notification of lost, stolen or misappropriated payment instruments. Pursuant to article 70 of the PSD2, the payment service provider must ensure that appropriate means are available at all times, allowing the payment service user to notify the loss, theft or misappropriation of payment instruments.

Card issuers are some of the enablers most affected by fraud. For example, when fraud takes place on less protected terminals in non-EU countries, most of the losses generated are on the card issuers’ side due to a lack of specific settlements and regulations on the refund of losses caused by less safe terminals.

Credit card schemes (e.g. Visa, MasterCard) are also affected by fraud since they have to handle chargeback processes following fraudulent card transactions.

PSD2 also requires that payment service providers refund the totality of the economic losses to the payer, as long as the payer did not act with negligence 74 or fraudulently.  

Payees

The payees, who get paid in exchange for a product or service, also suffer the consequences of non-cash payment fraud in two ways: through the loss of business opportunities due to lack of trust of the payers and through the direct losses caused by the fraud:

1)The payees (e.g. merchants) lose business opportunities when consumers are not willing to acquire their products and services due to lack of trust in the payment services.

2)Direct costs as a result of the fraud, e.g., when a service – such as a flight or train ticket – is provided against payment by credit card which is later blocked due to having been performed with stolen credentials.

As indicated earlier, in the airline industry for example these costs are estimated at around USD 1 billion per year as a result of airline tickets purchased using compromised card data. 75  

Other industries affected include accommodation and other travel services (e.g. car rental), as discussed in section 1.4.

In terms of liability rules set by the PSD2, the payee is held liable when it fails to accept strong customer authentication. 76 Otherwise the payment service provider is the one liable.

It is difficult to determine which of the groups of stakeholders above is most affected by non-cash payment fraud. Whereas the payment service providers (i.e. the enablers) bear most of the liability according to the PSD2, the payers such a Bulgarian citizen who loses more than two thirds of his monthly wage, or the payees such as the airline industry which loses more than USD 1 billion per year due to card fraud, are also significantly affected.

1.5.What is the EU dimension of the problem

Non-cash payment fraud has a significant cross-border dimension, both within the EU and beyond.

For example, with regard to card fraud, whereas only a fraction of the transactions (<10% in value) are cross-border (within and outside SEPA), they account for half of the total fraud. The disproportion is particularly significant for transactions acquired from outside SEPA (2% in value), which account for 22% of all fraud. 77

In a typical skimming case, the credentials of a credit card can be stolen in a Member State, the counterfeit card can be created in another Member State and the cashing out with the counterfeit card can occur in a country outside the EU without the same security standards (in particular EMV). Box 3 illustrates this point with a concrete example:

Box 3: the cross-border nature of non-cash payment fraud

In general, non-cash payment fraud has an increasing digital/online component, which reinforces its cross-border dimension.

See annex 5 (evaluation of the existing policy/legal framework) for a detailed analysis of the existing cross-border challenges to tackle these crimes.

1.6.How would the problem evolve, all things being equal

This section presents a series of quantitative estimates and qualitative considerations that describe how non-cash payment fraud could evolve in the coming years, all things being equal. These estimates and considerations inform the baseline policy option of doing nothing, which will be discussed in sections 4, 5 and 6.

Quantitative estimates

Since fraud data exists only for card fraud (the most important non-cash payment instrument in terms of number of transactions, see figure 3), the quantitative estimates will focus on it. As indicated in section 1.2.3. when assessing the magnitude of fraud, by considering only the available data of card fraud, the size of the problem is being underestimated. In the same way, by using this data to quantitatively develop the baseline scenario, it is likely that the forecasts underestimate the magnitude of the problem.

As seen in section 1.2.3, the compounded annual growth rate of card fraud was 11% in terms of value and 20% in terms of number of transactions, over the 2011-2013 period. All things being equal, we could assume that these annual growth rates would continue in the coming years. 79 If so, the value of card fraud would double by 2020 compared to 2013, with almost four times as many fraudulent transactions:

Figure 9: estimated evolution of card fraud (2013-2020)

Qualitative considerations

The evolution of non-cash payment fraud is linked to the following factors:

1.Digitalisation of the economy.

The exponential nature of the digital age not only brings exponential possibilities for economic growth but also for cybercrime, including those within non-cash payment fraud. The value of monetary damage caused by reported cybercrime is 50 times higher now than it was in 2001, when the Framework Decision was adopted, 80 and is likely to continue growing.

All things being equal, cybercrime will continue to generate important economic benefits for criminals, which justify the enormous amount of R&D hours required to produce malware, the main tool to carry out cybercrime (every day, more than 300,000 new malware samples are detected). 81

By 2020 it is expected that 50 billion new devices (cars, homes, medical devices, buildings, mobile phones, dishwashers, toys…) will be connected to the Internet. This “Internet of Things” will generate massive amounts of information about its users, part of which could be sensitive enough to be exploited by criminals to commit non-cash payment fraud.

2.Emergence of new payment instruments.

The burst of innovation in the current technology revolution will likely continue developing new payment instruments to make the payment experience more convenient for users. Unfortunately, new payment instruments can also generate new opportunities for criminals. Furthermore, law enforcement may not be prepared to tackle them effectively (e.g. due to loopholes in the legal system or a lack of skills to deal with them).

For example, new payment instruments could make use of biometrics as a way to identify the payer. Biometrics (e.g. fingerprints, palm prints, iris…), unlike passwords or credit card credentials, are permanent identification markers, so the consequences of them being stolen and misused can be more problematic for the victims.

Other areas that could bring important innovations are artificial intelligence and robotics. These technologies have the potential to revolutionize the way non-cash payments are done by introducing increasing automation, governed by complex algorithms that could potentially be manipulated for fraudulent purposes.

3.Nature of the crime.

As more and more countries join the technology revolution and more people around the world get connected to the Internet, the cross-border nature of non-cash payment fraud becomes even more relevant.

Furthermore, Internet not only can provide training materials to commit fraud but also the necessary tools through the crime-as-a-service model. 82  

Box 4: carding websites as an example of crime-as-a-service

More people connected unfortunately also means more potential fraudsters that could take advantage of those training materials and tools, likely at a low risk, due to the challenges to cross-border investigation and prosecution common to cybercrimes in general (e.g. attribution, access to digital evidence, jurisdiction).

Some existing EU instruments currently under transposition by Member States could contribute to reduce non-cash payment fraud to some extent:

·The PSD2 (to be transposed by January 2018) could reduce fraud thanks to its strong customer authentication requirements for remote transactions. At the same time, PSD2 also aims to facilitate the entry of new payment providers, which could lead to new forms of fraud.

·The Directive on the freezing and confiscation of instrumentalities and proceeds of crime 86 seeks to attack the financial incentive which drives crime, but aims mainly to ensure a minimum level of protection from criminal infiltration in the legal economy through the acquisition of assets and to facilitate the mutual recognition of freezing and confiscation orders in other Member States. This instrument alone would, however, not be sufficiently deterrent, as confiscation in general only occurs after a successful freezing of illicit assets following a conviction. Moreover, its deterrent effect will be limited if criminals are able to better hide their assets outside of the EU, resulting in a net capital flow of criminal money out of the EU.

These instruments, however, do not fully address the problem drivers identified specific to non-cash payment fraud, such as the lack of criminalisation of certain behaviours, obstacles to effective investigation and prosecution or prevention issues linked to information sharing gaps in public-private cooperation and lack of awareness of victims.

The baseline scenario would fall short in addressing concerns expressed by stakeholders, who indicated a strong consensus that the Framework Decision is not comprehensive, and that there are emerging trends that should be better covered. Also, a number of stakeholders (particularly private companies and trade, business or professional associations) agreed that it is necessary to have a more coherent level of penalties for offences related to non-cash means of payment across the EU. Most of them considered that different levels of penalties may result in different prioritisation of cases at national level, hampering cross-border cooperation and possibly creating “safe havens” for criminals. Stakeholders from the private sector (such as merchants and financial institutions) expressed frustration about the lack of legal certainty with regard to information sharing, which hampers cooperation with law enforcement authorities. The baseline scenario would leave this unchanged.

In summary, non-cash payment fraud is likely to increase in value, volume and complexity, all things equal.

1.7.Evaluation of the existing policy framework

The evaluation of the existing policy framework indicates that the Framework Decision is only partially relevant to the needs of stakeholders in the area of non-cash payment fraud.

Specifically, the scope of the Framework Decision is no longer fully relevant in view of recent technological developments, and provisions on cross-border cooperation and exchange of information do not seem to be aligned with the increasing international dimension of the crime, where multiple parties around the world may be involved, including both criminals and victims.  

The results of the evaluation were identified as the problem drivers for non-cash payment fraud, presented in section 1.3.

Please see annex 5 for more details on the evaluation.

2.WHY SHOULD THE EU ACT

Legal basis

The legal basis for EU action is Article 83(1) of the Treaty on the Functioning of the European Union:

“The European Parliament and the Council may, by means of directives adopted in accordance with the ordinary legislative procedure, establish minimum rules concerning the definition of criminal offences and sanctions in the areas of particularly serious crime with a cross-border dimension resulting from the nature or impact of such offences or from a special need to combat them on a common basis.

Article 83(1) explicitly mentions counterfeiting of means of payment, computer crime and organised crime as areas of particularly serious crimes with a cross-border dimension.

As discussed in the problem analysis in section 1, counterfeiting of means of payment is one type of non-cash payment fraud. Section 1 also explained how non-cash payment fraud has an increasing digital dimension which falls under computer crime. Furthermore, section 1 also described how non-cash payment fraud is part of organised crime.

Subsidiarity

Non-cash payment fraud has a very important cross-border dimension, both within the EU and beyond, as described in sections 1.3 (remember Hans’ case, where as many as 10 Member States could be involved) and 1.5 (remember the real 2013 case of counterfeiting cards affecting 27 countries). Also, increasingly, these crimes are moving entirely online. The objective of effectively combating such crimes therefore cannot be sufficiently achieved by Member States acting alone or in an uncoordinated way:

·As described in the previous section, these crimes create situations where the victim, the perpetrator and the evidence can all be under different national legal frameworks, within the EU and beyond. As a result, it can be very time consuming and challenging for single countries to effectively counter these criminal activities without common minimum rules.

·The need for EU action has already been acknowledged through the creation of the existing EU legislation on combating fraud and counterfeiting of non-cash means of payment (the Framework Decision).

·The need for EU intervention is also reflected in the current initiatives to coordinate Member States measures in this field at EU level, such as a dedicated Europol team working on payment fraud 87 and the EMPACT Policy Cycle priority on operational cooperation against non-cash payment fraud. 88 The added value of these initiatives in helping Member States combatting these crimes was acknowledged multiple times during the stakeholder consultation, in particular during the expert meetings.

Another added value of EU action is to facilitate cooperation with non-EU countries, given that the international dimension of non-cash payment fraud frequently goes beyond EU borders. The existence of minimum common rules in the EU can also inspire effective legislative solutions in non-EU countries thereby facilitating cross-border cooperation globally.

3.WHAT SHOULD BE ACHIEVED

This section identifies the general and strategic objectives for a possible EU intervention to address the gaps identified in section 1.

1.8.General policy objectives

There are two general policy objectives, which describe the ultimately intended goals of a possible EU intervention (i.e. reducing the negative impact of the consequences of non-cash payment fraud identified in section 1.4):

1)Enhance security, the main general objective, by reducing the attractiveness (i.e. reduce gains, increase risk) for organized crime groups of non-cash payment fraud as a source of income and therefore as an enabler of other criminal activities, including terrorism.

2)Support the digital single market, by reducing the negative impact on economic activity that non-cash payment fraud causes to the different stakeholders (section 1.5). This includes both losses derived from the reduced trust of consumers and businesses in the payment processes as well as direct losses.

These objectives are interrelated:

·Synergies: enhancing security would support the digital single market, as the economic losses caused by non-cash payment fraud would decrease. It would also reduce the risk of consumers and businesses of falling victim of fraud, increasing their trust and therefore economic activity.

·Trade-offs: enhancing security could entail additional costs and constraints to the digital single market. For example, the implementation of increased security in payment authentication systems could bring additional costs to businesses, which could have a negative impact in their operations, in particular for SMEs. In addition, consumers might actually be less willing to use payment services if they find the security measures too burdensome.

1.9.Specific policy objectives

There are three specific policy objectives:

1)Ensure that a clear, robust and technology neutral policy/legal framework is in place.

2)Eliminate operational obstacles that hamper investigation and prosecution.

3)Enhance prevention.

These objectives address the problem drivers identified in section 1.3:

Table 2: problem drivers, specific objectives and general objectives

These objectives will be monitored through a series of indicators described in section 7, which also specifies possible data sources, whether the information is already being collected and the actors responsible for collecting it.

1.10.Consistency with other EU policies and objectives

The general and specific objectives identified are consistent and complementary with those of other EU policies and legislation:

The Treaties

The previously mentioned objectives are consistent with:

·the Treaty on European Union 89 , which, on Article 3.2, establishes that "the Union shall offer its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of people is ensured in conjunction with appropriate measures with respect to external border controls, asylum, immigration and the prevention and combating of crime."

·the Treaty on the Functioning of the European Union, which, on Article 67.3 establishes that the Union should "endeavour to ensure a high level of security through measures to prevent and combat crime, […], and through measures for coordination and cooperation between police and judicial authorities and other competent authorities, as well as through the mutual recognition of judgments in criminal matters and, if necessary, through the approximation of criminal laws".

The Charter of Fundamental Rights of the European Union 90

The objectives of a possible initiative would be consistent with the Charter of Fundamental Rights, in particular:

·Right to liberty and security (Article 6 of the Charter), as this would be the main objective of the initiative;

·Protection of personal data (Article 8), with which potential provisions on exchange of information, etc… should comply;

·Freedom to conduct a business (Article 16), since the initiative would aim to enhance protection of businesses bearing the consequences of fraud;

·Consumer protection (Article 38) and right to an effective remedy and to a fair trial (Article 47), since the initiative would aim to enhance protection of and assistance to consumers that become victims of fraud.

 Security and Digital Single Market strategies

The main general objective, enhancing security, is at the core of the EU Agenda on Security and the EU Cybersecurity Strategy:

·The EU Agenda on Security sets out the principles for EU action to respond effectively to security threats by 1) preventing terrorism and countering radicalisation; 2) fighting organised crime; 3) fighting cybercrime.

One of the actions described for the period 2015-2020 is “reviewing and possibly extending legislation on combating non-cash fraud and counterfeiting by including new forms of crime against financial instruments".

In the 6th progress report towards an effective and genuine Security Union 91 , the European Commission confirms that, "concerning payment card fraud, it is necessary to widen existing law enforcement cooperation to a broader range of criminal activities which target non-cash means of payments."

The 7th progress report 92 highlights a number of legislative and non-legislative initiatives in the field of crime prevention, which could contribute to the objectives of a possible EU action, such as:

oincreasing the role of Europol as an EU hub for information exchange on serious cross-border crime, in order to become more effective, efficient and accountable;

obuilding Member States' capacities for cybercrime resilience and implementing the Network Information Security (NIS) Directive;

oimproving the access to electronic evidence to investigators in cross-border cases.

In March 2017, the Council decided to continue the EU Policy Cycle 93 for organised and serious international crime for the period 2018-2021, based on the 2017 EU Serious and Organised Crime Threat Assessment "Crime in the Age of Technology" (SOCTA 2017) 94 . The SOCTA 2017 provides an overview of the most important criminal threats in the EU, which should be tackled as priorities, and which include payment card fraud. 

·The EU Cybersecurity Strategy aims at creating the world’s most secure online environment in the EU, including for online payment transactions, an aim which is fully aligned with the main general objective of enhancing security.

·The Digital Single Market Strategy identifies existing key challenges that need to be overcome to ensure better access to digital goods and services across Europe. These challenges include providing adequate protection to consumers and businesses’ assets and tackling cybercrime through the adoption and implementation of a strong and effective legislation. The general objective of supporting the digital single market is obviously aligned with this Strategy.

EU legislative context

As described in section 1.1. (policy context), various EU legislative acts have been adopted since the Framework Decision entered into force, both in criminal and civil law. The general and specific objectives of a possible new EU action on combatting non-cash payment fraud would be consistent with these legislative acts:

1.Pan-European cooperation mechanisms in criminal matters that facilitate coordination of investigation and prosecution (procedural criminal law):

·Council Framework Decision 2002/584/JHA on the European Arrest Warrant and the surrender procedures between Member States;

·Convention on Mutual Assistance in Criminal Matters between the Member States of the European Union;

·Directive 2014/41/EU regarding the European Investigation Order in criminal matters;

·Council Framework Decision 2005/214/JHA on the application of the principle of mutual recognition to financial penalties;

·Council Framework Decision 2009/948/JHA on prevention and settlement of conflicts of exercise of jurisdiction in criminal proceedings;

·Council Framework Decision 2009/315/JHA on the organisation and content of the exchange of information extracted from the criminal record between Member States;

·Directive 2012/29/EU establishing minimum standards on the rights, support and protection of victims of crime;

·Council conclusions on improving criminal justice in cyberspace;

·Regulation (EU) 2016/794 on Europol;

·Council Decision 2002/187/JHA setting up Eurojust.

The general and specific objectives are fully aligned with those of these legislative acts. As a principle, the potential new intervention would not introduce provisions specific to non-cash payment fraud that would deviate from these horizontal instruments, to avoid fragmentation which could complicate the transposition and implementation by Member States.

The only possible exception could be the support and protection of victims, which the proposed EU action could complement. Directive 2012/29/EU establishes minimum standards, which could be completed for the area of non-cash payment fraud, if needed. For example, this Directive only covers natural person, whereas legal persons can also become victims of non-cash payment fraud, as discussed in section 1.4 (who is affected and how). Also, this Directive focuses on providing assistance in the context of criminal proceedings. A new initiative would aim at providing assistance to victims outside the criminal proceeding (for instance as regards to consequences relating to identity theft).

In the case of the European Arrest Warrant and the European Investigation Order, the new initiative would also be consistent with both, by setting up an appropriate level of minimum maximum sanctions that reflects the gravity of the crime and therefore ensures that the EAW and is applicable and the EIO can be recognised and executed for the defined offences.

2.Legal acts that criminalise conduct related to fraud and counterfeiting of non-cash means of payment (substantive criminal law):

·Directive 2013/40/EU on attacks against information systems:

oA new initiative would be complementary to Directive 2013/40, by addressing a different aspect of cybercrime. 95 The two instruments would correspond to different sets of provisions of the Council of Europe Budapest Convention on Cybercrime, 96 which represents the international legal framework of reference for the EU. 97

oThe initiative would also be consistent with Directive 2013/40, as it would be based on the same approach regarding specific issues (e.g. defining minimum maximum levels of penalties, jurisdiction).

·Directive 2014/62/EU on the protection of the euro and other currencies against counterfeiting by criminal law:

oA new initiative would be complementary to Directive 2014/62/EU as it would cover counterfeiting of non-cash payment instruments, while Directive 2014/62/EU covers the counterfeiting of cash.

oIt would also be consistent with Directive 2014/62/EU, as it would use the same approach on some provisions such as on investigative tools.

·Directive 2017/541/EU on combating terrorism:

oA new initiative would be complementary to Directive 2017/541/EU, as it would aim to reduce the overall amount of funds derived from non-cash payment fraud, most of which go to organized crime groups to commit serious crimes, including terrorism.

·The Proposal for a Directive on countering money laundering by criminal law:

oThe new initiative and the proposal for a Directive on countering money laundering by criminal law are complementary as the latter provides the necessary legal framework to counter the laundering of criminal proceeds generated by non-cash payment fraud ("money mules") as a predicate offence.

3.Legal acts that regulate the payment process, in particular to facilitate secure payments across the EU:

·Revised Payment Services Directive (PSD2):

oA new initiative on non-cash payment fraud would be complementary to PSD2, as it would aim at reducing crime, while PSD2 enhances payments security. Also, it would enable public-private cooperation and enhance reporting to law enforcement authorities, which would complement statistical data provided under the PSD2.

·Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, (the fourth Anti-Money Laundering Directive):

oA new initiative would be complementary to Directive 2015/849, as it would address the situation where the non-cash payment instruments have been, for instance, unlawfully appropriated, counterfeited or falsified by the criminals, whereas Directive 2015/849 covers the situation where criminals abuse non-cash payment instruments with a view to concealing their activities.

·Proposal for a Directive amending Directive 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing: 98  

oA new initiative would be consistent with the proposal for a Directive amending Directive 2015/849 as it incorporates the same definition of virtual currencies. If this definition changes during the adoption process, the definition in the new initiative should be aligned accordingly. 

·Regulation (EU) 2015/847 on information accompanying transfers of funds, regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive):

oA new initiative on non-cash payment fraud would be complementary to these legislative acts, as it would aim at reducing crime, while these acts enhance payments security.

In addition to the above legislative acts, the new initiative would be coherent with the General Data Protection Regulation and the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data:

·The new data protection legislation modernises the already existing rules on security of personal data. In addition, the new legislation (GDPR) imposes an obligation of a notification of personal data breaches to the national data protection supervisory authorities and to the data subject in certain circumstances. Non-compliance with such rules will be subject to administrative fines.

·A new initiative on non-cash payment fraud would be in compliance with the GDPR and Directive (EU) 2016/680, as it would:

opursue the objective of greater protection of personal data (credit card number shall be considered as personal data and, credit card also contains other personal data such as the name of a citizen).

oleave to Member States to take the necessary measures to favour public-private cooperation, including exchange of information, while providing for these measures to be in compliance with the GDPR.

4.WHAT ARE THE VARIOUS OPTIONS TO ACHIEVE THE OBJECTIVES

This section addresses the possible policy options for achieving the objectives defined in section 3 and tackling the problems identified in section 1. Each policy option is made of a group of policy measures.

The following process was applied to determine the policy options:

1)mapping of policy measures,

2)analysis of policy measures: identify which policy measures to retain and which to discard,

3)formation of policy options: combine retained policy measures into groups to form the policy options. The options are cumulative (i.e. increasing level of EU legislative action), as it will be detailed in section 4.3.

1.1.Mapping of policy measures

Three broad possibilities were considered in the analysis: do nothing, do not legislate (i.e. support through non-legislative tools) or legislate. Figure 10 maps the policy measures (1 to 14) for each of these possibilities and the policy options (A to D) in which the measures could be grouped:

Figure 10: mapping of policy measures and policy options

1.2.Analysis of policy measures

1.2.1.Policy measures retained

The policies measures retained are those that provide the alternatives that are most feasible (legally, technically and politically), coherent with other EU instruments, effective, relevant and proportional to tackle the problem drivers detected in section 1:

Table 3: problem drivers identified and corresponding policy measures retained

1.2.2.Policy measures discarded

·Possible solution to the problem of certain crimes not being effectively prosecuted because offences committed with certain payment instruments (in particular non-corporeal) are criminalised differently in Member States or not criminalised.

Policy measure 4 considers adding detailed definitions with a comprehensive list of payment instruments and forms of crime.

Compared to policy measure 3 (technology-neutral definitions), this measure would be less effective in covering non-cash payment instruments and crimes that could arise in the next years, with the risk of becoming outdated in a short time. Furthermore, it would create issues of consistency with the existing EU legal framework, especially with the definition of payment instruments included in the Payment Services Directive. This would also lead to significant administrative costs in transposing the specific definitions at national level, since most of the Member States have already adopted the definition in the Payment Services Directive.

·Possible solution to the problem of preparatory acts not being effectively prosecuted because they are criminalised differently in Member States or not criminalised.

Policy measure 6 considers including preparatory acts as an aggravating circumstance to sanctions, and sets minimum level of maximum penalties for the criminalised offences.

Compared to measure 5 of criminalising preparatory acts, this measure could entail less administrative and financial costs for law enforcement, especially in Member States that apply the principle of legality 99 , because preparatory or supportive activities would be investigated and taken into account as an aggravating circumstance to sanctions only if the fraud actually occurred. For the same reason, however, it would be much less effective in preventing and fighting the different forms of non-cash payment fraud, since law enforcement would act only after the actual fraud occurred.

·Possible solution to the problem of victims not always receiving adequate assistance.

Policy measure 10 considers adding new provisions protecting natural persons from identity theft, in coherence with the Victims' Directive.

Compared to measure 11 of adding new provisions protecting natural and legal persons, this measure only covers a limited group of victims. In particular, it leaves out SME’s, which, by lacking the resources of larger companies, are more vulnerable to fraud and its negative consequences. Although this option would entail less administrative and financial costs for law enforcement and Member States, these costs would likely be outweighed by the negative impact on consumption and trade flows that lower trust in non-cash payment transactions brings if an important group of victims remains not properly covered.

·Possible solution to the problem of under-reporting to law enforcement.

Policy measure 13 considers including provisions on mandatory reporting to law-enforcement.

Compared to measure 14 on encouraging reporting, mandatory reporting could be more effective in increasing the chances of detecting, prosecuting and sanctioning perpetrators, since a much higher number of cases would be reported to law enforcement and more information would be available for investigations. However, these benefits are likely to be outweighed by the dramatic increase of the administrative and financial costs borne by law enforcement agencies to be able to deal with the dramatic increase in the volume of information (not all of which would be useful), especially in those Member States applying the principle of legality. The private sector would also incur in important administrative costs to put in place the mechanisms for systematic reporting.

Encouraging reporting is likely to be a proportionate measure that could generate more positive results in practice.

In addition to these measures discarded during the analysis, some other alternatives were early discarded:

·Full harmonisation of level of penalties (minimum and maximum levels).

This alternative is not feasible in EU criminal law, which can only introduce minimum rules on sanctions.

·Creating an EU database on fraud data.

This idea seemed attractive in theory as a possible way for private sector to cooperate with law enforcement and facilitate investigations. However, there would be many different technical and legal challenges for the creation of such database (e.g. data protection/retention issues, etc).

1.3.Policy options 

The retained policy measures were grouped in different ways to form the policy options.

The basic criterion to form a policy option was that it should tackle all the problems detected in the evaluation. After trying multiple combinations of the retained measures, with alternative policy approaches and alternative policy instruments (e.g. self-regulation, non-regulation, regulation), and taking into account the input from stakeholders (e.g. with regard to the importance of jurisdiction), four policy options were selected for further analysis.

The options are cumulative, i.e. with an increasing level of EU legislative action. Given that the issue at hand is basically a regulatory failure, it is important to lay out the full range of regulatory tools to determine the most proportionate EU response.

The table below shows the intervention by summarizing how each of the policy options tackle all the problems detected and help achieve the specific objectives:

Table 4: problem drivers, specific objectives and options (intervention logic)

1.3.1.Option O: baseline 

As seen in section 1.6, non-cash payment fraud is likely to increase in value, volume and complexity, all things equal, and in particular under the current policy and legal framework.

The problem drivers previously identified would evolve based on separate initiatives in Member States rather than being mitigated through a specific and common EU approach.

Please refer to section 1.6 for a complete description of the baseline scenario.

1.3.2.Option A: improve implementation of EU legislation and facilitate self-regulation for public-private cooperation 

Compared to the baseline situation, this option would not only focus on the implementation of existing relevant legislation (e.g. the Framework Decision, PSD2, Directive on Attacks Against Information Systems), but also on trying to address the problem drivers through exchanges of best practices and capability building.

Specific actions would include:

·publication of a third implementation report on the Framework Decision alongside a guidebook explaining the legislative framework in each Member State, highlighting best practices to law enforcement and other stakeholders to facilitate cooperation;

·specific activities promoted by the Commission (e.g. guidelines, training courses, workshop events with country representatives and exchange of good practice and experiences) for ensuring that the provisions of the Framework Decision and of the complementary EU legislation are utilised to their fullest extent.

In addition, it would include a self-regulatory framework for public-private cooperation between relevant actors from the financial services industry, law enforcement and other stakeholders (e.g. merchants), aiming to improve the exchange of information, which could in turn improve investigation and prosecution and prevention.

The Commission could incentivise the creation of such public-private partnership through a dedicated Communication.

Improvements in public-private cooperation would need to be addressed with the current tools, through the exchange of best practices. Successful examples of public-private cooperation already exist in a number of Member States 100 to facilitate reporting of fraud to law enforcement authorities and step up response to identified threats. These can provide guidelines about how to improve public-private cooperation.

With regard to the awareness raising activities, the Commission would facilitate the exchange of best practices among Member States. These activities could target any of the types of victims of non-cash payment fraud described in section 1.4. (“Who is affected and how”).

1.3.3.Option B: introduce a new legislative framework and facilitate self-regulation for public-private cooperation

Compared to the baseline, this option introduces a new basic legislative framework covering:

·technology neutral definitions, to ensure that fraud can be effectively prosecuted regardless of the payment instrument used. To reinforce the future proof aspect of the definitions, they should be drafted in a way that encourages investments in security technologies. One way to do this is to maintain the part of the definition of payment instrument in the Framework Decision that specifies that the instrument should be secured. 101 As recital 10 of the Framework Decision explains:

“By giving protection by penal law primarily to payment instruments that are provided with a special form of protection against imitation or abuse, the intention is to encourage operators to provide that protection to payment instruments issued by them, and thereby to add an element of prevention to the instrument”;

·preparatory acts, covered as a separate offence and regardless of whether the payment fraud has occurred or whether it has generated financial losses for the victim; it also includes provisions criminalizing identify theft as an aggravating circumstance;

·minimum maximum level of penalties, to ensure that different level of penalties across Member States do not hamper cross-border investigations. Other EU legislative acts in criminal law have set minimum levels of maximum penalties, such as the Directive 2013/40 on attacks against information systems, Directive 2011/93 on combating the sexual abuse and sexual exploitation of children and child pornography, among others. In the area of fraud, the European Parliament has made explicit its support to establishing minimum level of criminal sanctions “to ensure a degree of consistency across the EU on sanctions concerning financial fraud. Such a step, would in the view of the Committees, also discourage forum shopping on the part of money-launderers and fraudsters.” 102

As discussed in section 1.3.1(c), the experts shared conflicting views concerning the effectiveness of minimum maximum sanctions, but there was consensus as to their usefulness to be coherent with other EU legislative acts. Indeed, this option would be fully coherent with minimum maximum sanctions in related EU legislation.

·facilitation of cross-border cooperation, for example by:

ostrengthening and clarifying the role of the dedicated contact points. 103

oencouraging Member States to share information with Europol.

ocollecting statistics on investigations and prosecutions of non-cash payment fraud offences.

·jurisdiction provisions on competence would be updated as in the Attacks Against Information Systems Directive. 104  

Idem to option A, the Commission would:

·support non-legislative initiatives to foster public-private cooperation through a self-regulated framework, which would address both the under-reporting and the information sharing gaps;

·address the lack of awareness of victims by facilitating the exchange of best practices and ensuring the full implementation of existing and relevant EU law.

A technology neutral definition covering all forms of value transfer would ensure that all forms of crime relating to payment instruments are tackled.

The criminalisation of preparatory acts would allow the investigation of conduct that enables non-cash payment fraud. It could also imply a more effective use of investigative resources, since it would make possible the investigation of cases before they become too complex (e.g. before the credentials are sold to multiple parties that use them to actually commit the fraud). The criminalisation of preparatory acts could also have a deterrent effect for this offence and for fraud itself.

Whereas law enforcement and judicial authorities by and large consider national penalties appropriate, other stakeholders (particularly private enterprises, trade, business or professional associations) underline that it is necessary to have more coherent level of penalties for offences related to non-cash means of payment across the EU to avoid different prioritisation of cases at national level, hampering cross-border cooperation and creating “safe havens” for criminals. This option would therefore address these concerns by setting a minimum level for maximum penalties.

To avoid that unclear rules on jurisdiction result in cases not being prosecuted, this option would set clearer criteria to mitigate the risks of conflicts of jurisdiction.

Cross-border cooperation would benefit from further approximation of national legal frameworks. Moreover, additional measures aiming at clarifying the role of contact points in law enforcement and reducing response times would further favour effective cooperation. This would address the concerns raised by law enforcement agencies in the open public consultation, as well as the concerns raised in the expert meetings organised by the Commission.

Furthermore, this option aims at increasing the protection of the interests of the victims by defining as aggravating circumstances situations in which fraud has consequences going beyond the financial loss (e.g. reputational or psychological damage resulting from identity theft).

1.3.4.Option C: same as option B but with provisions on encouraging reporting for public-private cooperation instead of on self-regulation, and new provisions on raising awareness

Compared to the baseline, this option introduces the same new basic legislative framework described in option B (i.e. with new provisions on definitions, preparatory acts, level of penalties and cross-border cooperation), as well as the same provisions on jurisdiction as in option B (i.e. update on competence as in AAIS Directive).

Differently from option B, this option would:

·address the issues related to public-private cooperation (under-reporting and information sharing for prevention) through new provisions on encouraging reporting; Whereas in option B the issue of information sharing gaps in public-private cooperation would be addressed through self-regulation, in option C the Directive would include provisions requiring Member States to ensure that appropriate reporting channels are made available and that they remove the obstacles to an effective exchange of information between private entities and public authorities such as law enforcement. The main difference between self-regulation and encouraging reporting is therefore that the latter involves legislation and the former doesn't.

During the stakeholder consultation, private entities pointed out that they frequently chose not to report incidents due to legal uncertainty in the exchange of information and that with legal certainty these incidents would have been reported. The provisions on encouraging reporting could address this issue.

·address the lack of awareness by introducing specific provisions ensuring awareness raising among potential victims. The Directive would not detail what these specific awareness raising measures should be, as it would be up to the Member States to decide the concrete measures that would be most effective and efficient, considering the national situation.

In addition to the requirements on Member States to ensure that a clear, robust and technology neutral policy/legal framework is in place this option would introduce requirements for Member States to address the legal obstacles that may hamper information exchange by providing the legal certainty that stakeholders from private sector consistently asked for during the consultations.

1.3.5.Option D: same as option C but with additional jurisdiction provisions complementing EIO and injunction rules

This option is the same as option C but adding to its jurisdiction provisions other measures that facilitate the cross-border exchange of evidence for investigations and prosecutions by:

·complementing the European Investigation Order (EIO) 105 with measures adapted to non-cash payment fraud, such as:

oproviding adequate training on investigative techniques;

oensuring the protection of exchanged data (also when personal data is shared) and that information disclosed is proportionate to the purpose for which it was requested and that the information was acquired in accordance with the relevant legislative, regulatory, or administrative provisions;

ohaving the issuing authority provide feedback to the executing authority about the use made of the evidence provided and about the outcome of the prosecution.

As discussed in the policy context in section 1.1., the EIO updates the legal framework applicable to the gathering and transfer of evidence between Member States, based on mutual recognition of judicial decisions.

·adapting the rules on injunctions (orders granted by a court or an administrative body whereby someone is required to perform or to refrain from performing a specific action) for cooperation/evidence purposes, by:

oincluding rules to enable Member States to issue injunction orders for co-operation (for example injunction for cessation of an infringement) whenever there is a jurisdictional implication and interest to have a legal standing in a foreign court ruling;

oincluding an obligation for Member States to maintain a central database of the injunctions for cooperation initiated on their territory that would allow for monitoring the enforcement of these orders;

ostrengthening the procedural law provisions in respect to measures safeguarding the victims’ rights in a foreign jurisdiction and adopting provisional measures for securing the enforcement of the judgment (i.e. freezing injunctions 106 ).

In addition to the requirements on Member States described in option C, this option would include additional rules on jurisdiction to facilitate access to information by law enforcement.

5.WHAT ARE THE IMPACTS OF THE DIFFERENT POLICY OPTIONS 

The following criteria were used to assess the impacts of each policy option:

Table 5: criteria for the assessment of options

The effectiveness criterion was split into social and economic impacts, which were in turn divided into intermediate impacts, to increase the granularity and detail of the assessment.

Better Regulation guidelines (2015) require an assessment of environmental impacts. The evaluation results did not indicate any implications of the Framework Decision for environment and in the assessment of environmental impacts of the policy options were not considered significant.

The criteria above were used to assess the impacts of each policy option qualitatively and quantitatively.

1.4.Qualitative assessment

The methodology used in the qualitative assessment was the following:

1.Qualitatively assess each policy measure using the above criteria (see annex 4).

2.Qualitatively assess the policy options, taking into account the assessment of the policy measures they are made of (see annex 4).

3.Provide scores to grade the policy options and enable their comparison (see section 6). The scoring system used was the following:

Table 6: scoring system for qualitative assessment of options

Limitations:

The qualitative assessment of impacts of different policy measures and options has been carried out against the baseline constituted by evaluation findings and available data. Where these were not available, the assessment is based on plausible explanations on if and how the situation is likely to change under a particular scenario (e.g. if and how introducing a definition of payment instruments and a broad definition of crimes will affect rights to liberty and security: small positive impact can be expected as forms of non-cash payment not covered by current legislation will be regulated and this improves chances for prosecuting fraud criminals and protection of victims of fraud crimes). However, such judgements can be subjective. To mitigate this limitation, the judgements and justifications of the scores were validated with focus group participants and external reviewers.

The following sections summarize the social, economic and fundamental rights impacts described in detail in annex 4.

5.1.1.Social impact

0. Baseline

The increasing number of criminal acts and organised crime gains are likely to have moderate negative impact on security.

Option A: improve implementation of EU legislation and facilitate self-regulation for public-private cooperation

Improved cooperation between public and private sectors and capacity to address non-cash payment fraud, together with enforced prosecution could lead to small improvements of security.

Option B: introduce a new legislative framework and facilitate self-regulation for public-private cooperation

Given the lack of binding measures addressing the rights of non-cash payment fraud’ victims (i.e. identity theft related) and the cooperation between public and private sectors, a moderate impact is expected in terms of the improvement of security, mostly due to the increased chances of detecting, prosecuting and sanctioning criminals.

Option C: same as option B but with provisions on encouraging reporting for public-private cooperation instead of on self-regulation, and new provisions on raising awareness

A significant impact is expected in terms of the improvement of security, due to the increased chances of detecting, prosecuting and sanctioning criminals, the enhanced protection of fraud’ victims from identify theft and the facilitation of public-private cooperation, including reporting.

Option D: same as option C but with jurisdiction provisions complementing EIO and injunction rules

This option will increase the chances for detecting, prosecuting and sanctioning criminals by building on existing law enforcement cooperation mechanisms, i.e. the EIO and the injunctions for cooperation.

5.1.2.Economic impact

0. Baseline

Non-cash payment transactions will increasingly contribute to the digital single market by facilitating digital purchases of goods and services. However, the growing level of fraud and its costs, borne by consumers and economic operators, is likely to remain a barrier for the digital single market to achieve its full potential.

Option A: improve implementation of EU legislation and facilitate self-regulation for public-private cooperation

The level of fraud and its cost for individual consumers and economic operators is likely to be somewhat compensated by increased consumption and the overall impact on functioning of the digital market and competition could be small and negative. This, coupled with additional administrative and financial costs to support the implementation of existing EU legislation, the exchange of best practices and capability building, would likely have moderate negative impact on the digital single market.

Option B: introduce a new legislative framework and facilitate self-regulation for public-private cooperation

Accumulated benefits of consumptions, trade flows, consumer choice and cost savings for economic operators would likely drive significant positive impacts on the functioning of the digital market and competition. However, the economic benefits would be mitigated by increased administrative and financial costs.

Option C: same as option B but with provisions on encouraging reporting for public-private cooperation instead of on self-regulation, and new provisions on raising awareness.

Accumulated benefits of consumer choice and protection (both natural and legal persons), consumption (both business-to-customer and business-to-business), and cost savings for economic operators would likely drive significant positive impacts on functioning of the digital market and competition. However, the economic benefits would be mitigated by increased administrative and financial costs.

Option D: same as option C but with jurisdiction provisions complementing EIO and injunction rules.

Idem as option C, but with higher administrative and financial costs, which would result in a lower positive economic impact.

5.1.3.Fundamental rights impact

0. Baseline

The Framework Decision does not explicitly refer to protection of personal data, which is instead currently covered by Directive 95/46/EC. This Directive will be repealed in 2018 by the General Data Protection Regulation, which will provide a single set of rules and modernise data protection across the EU. 107  

Option A: improve implementation of EU legislation and facilitate self-regulation for public-private cooperation

There would be no additional impact on fundamental rights, provided that the establishment of self-regulation for public-private cooperation is done in full compliance of the EU data protection rules.

Option B: introduce a new legislative framework and facilitate self-regulation for public-private cooperation

This option could have a positive impact on the right to security by regulating forms of non-cash payment fraud not covered currently. Also, the criminalisation of preparatory acts could have a positive impact on the protection of personal data.

As in option A, attention to existing data protection rules should be given when facilitating self-regulation of public-private partnerships and any new legislative framework shall be designed to fully comply with the legislation on the protection of personal data.

Option C: same as option B but with provisions on encouraging reporting for public-private cooperation instead of on self-regulation, and new provisions on raising awareness

In addition to the applicable considerations made for option B, attention should be given to the provisions encouraging reporting, to ensure that they respect data protection rules.

The new provisions on raising awareness could have a positive impact on the right to security.

Option D: same as option C but with jurisdiction provisions complementing EIO and injunction rules

In addition to the applicable considerations made for option C, the additional tools for investigation and prosecution that it provides (complementary rules to the EIO and injunctions) should be implemented in full respect of the data protection legislation.

5.2.Quantitative assessment

The quantitative assessment aims at estimating for each policy option:

·the main financial and administrative costs, distinguishing between one-off and continuous costs;

·the main benefits (savings) due to reduction of fraud and reduction of organised crime gains.

Costs

The following costs were estimated, using a number of assumptions:

·One-off costs:

oTransposing EU legislation in Member States.

Assumptions:

§Civil servant daily wage of € 130, based on the average monthly earnings for the public administration by Eurostat, which is about € 2 600, 108 and assuming 20 working days in a month.

§Using as a reference the data from a related impact assessment, 109 it was assumed that 20 working days are necessary for transposing into national law "simple" EU legislation, and 60 working days are necessary for transposing "more articulated" EU legislation.

·Continuous costs:

oImplementing and enforcing the new legislation, in particular when it leads to an increase in the number of cases to be investigated.

oFacilitating cross-border cooperation, including collection of statistics, operation of contact points (also for reporting purposes) and cooperation with Europol and Eurojust.

oImplementation of awareness raising campaigns.

Assumptions:

§Civil servant daily wage of € 130, as described above.

§While there is little firm basis for the number of days required to complete the continuous costs estimates, for the only purpose of comparing the policy options it was assumed as a reference that a Member State requires around 100 working days per year for implementing "simple" legislation and around 200 working days for more complex legislation. This reference was also used to estimate the cross-border cooperation costs and implementation of awareness raising campaigns.

A general assumption was that the estimated cost of each policy option was the sum of the estimated costs of the policy measures it is made of. This could lead to an overestimation of the costs, since some economies can occur when developing/transposing legislation combining two or more legislative and/or non-legislative measures.

Limitations:

·The quantification of the main costs of the policy measures/policy options is limited by the lack of data, which requires the use of a number of assumptions.

·In particular, with regard to reporting for private entities, it would be voluntary, so it is not possible to provide meaningful estimates of their potential reporting costs.

·These assumptions have a certain degree of approximation and subjectivity, mitigated by relying on the findings of the qualitative assessment, which were validated with focus groups and external reviewers.

The tables below summarize the one-off and continuous costs estimates for the retained policy measures and the policy options they combine into:

Table 7: one-off and continuous costs estimates for the retained policy measures (EUR)

Annex 4 contains the complete details of the calculations, as well as the one-off and continuous costs for the EU institutions (e.g. development of legislation, facilitating best practices, etc…).

Benefits

The main benefit that would be expected of initiatives combatting non-cash payment fraud is a reduction of it.

Assumptions:

·To estimate how each policy option could reduce fraud, it was assumed that the reduction of fraud would be proportional to the decrease of criminal acts and organized crime gains related to non-cash payment fraud, which was qualitatively assessed for each of the policy measures.

·The qualitative scores range from -2 (policy measure 0) to +2 (policy measure 5).

·In the baseline (policy measure 0), it was assumed that there will not be any decrease of criminal acts and organized crime gains (0%).

·The range of qualitative scores for the policy measures was converted into a range of percentages using taking into account the above and with an equivalence of 1 to 1. In other words:

Percentage decrease of criminal acts = -2 – qualitative score

The qualitative scores range of -2 to +2 results in a respective range of 0% to -4% change (decrease) of criminal acts and organized crime gains resulting from non-cash payment fraud.

·The percentage for each policy option was the sum of the percentages for its policy measures.

·It is assumed a current level of fraud of 1.44 billion EUR, which corresponds to the level of card fraud in 2013 calculated by the European Central Bank (latest data available).

Limitations:

·As in the case of costs, the quantification of the benefits is limited by the lack of data, which requires the use of a number of assumptions:

oThe lack of data concerns the total volume of fraud. Taking the 2013 data of card fraud from the 2015 ECB report as basis to estimate the potential benefits will likely lead to an underestimation of the benefits. As discussed in section 1.2.30., although card fraud appears to be the main form of non-cash payment fraud (~ 75% in value), there are others (e.g. cheques, virtual currencies, mobile payments), in which the policy options would likely also generate benefits.

·The lack of data also affects the capacity to estimate the benefits in general. In the absence of indicators to monitor the reduction of fraud, this can only be estimated through a number of assumptions, which have a certain degree of approximation and subjectivity, mitigated by relying on the findings of the qualitative assessment, which were validated with focus groups and external reviewers.

·In particular, the assumptions of the conversion of the qualitative range into percentages of decrease of fraud were used for the sole purpose of comparing the options. Therefore, the total value of benefits for a given policy option must be interpreted in relation to the other options, rather than as an accurate estimate of the actual reduction of fraud that a given policy option would cause.

The tables below summarize the benefits for the retained policy measures and the policy options they combine into:

Table 9: estimated benefits for the retained policy measures (EUR million)

Table 10: estimated benefits for the policy options (EUR million)

5.3.REFIT potential

Qualitative

The qualitative assessment described earlier has taken into account the simplification potential of the different policy options compared to the Framework Decision, in the analysis of efficiency impacts.

For example, the simplification potential includes:

·Further approximation of national criminal law frameworks (e.g. by providing common definitions and a common minimum level of sanctions for the maximum penalty) would simplify and facilitate cooperation between national law enforcement agencies investigating and prosecuting cross-border cases.

·In particular, clearer rules on jurisdiction, a reinforced stronger role for national contact points and the sharing of data and information between national police authorities and with Europol could further simplify the procedures and practices for cooperation.

Quantitative

The REFIT potential of the policy options can only be assessed from a qualitative point of view.

It is not possible to quantify these costs and benefits beyond those already estimated for the impacts of the legislative initiative of the preferred option due to a lack of data (and in some cases the impossibility to isolate the effects of the Framework Decision). In particular, it was not possible to conduct a systematic backward-looking analysis of the existing costs.

It is important to stress that, overall, the REFIT potential of this initiative is very limited:

1.Firstly, the 2001 Framework Decision is already a relatively simple legal act with limited potential to be further simplified.

2.Secondly, this initiative aims to increase security by addressing the current gaps. This would normally entail more administrative costs to investigate and prosecute crimes that are not currently covered, rather than significant savings that would result from simplifying cross-border cooperation.

3.Thirdly, the initiative does not aim to impose additional legal obligations on businesses and citizens, but to request Member States to encourage and facilitate reporting through appropriate channels (rather than imposing mandatory reporting), in line with other EU instruments such as Directive 2011/93 on combatting the sexual abuse and sexual exploitation of children and child pornography (Art. 16(2))

It would be interesting to assess the REFIT potential of the set of EU measures to combat terrorist financing, of which an initiative on combatting non-cash payment fraud would be part of. That broader analysis was out of the scope of this impact assessment.

6.HOW DO THE OPTIONS COMPARE

5.4.Comparison of options

This section compares the options using the qualitative and quantitative analysis of impacts from section 5.

Qualitative comparison

The table below shows the qualitative scores for each main assessment criteria and each option, based on the previous assessment of impacts.

The overall score was determined as the average of the scores of the main assessment criteria, (i.e. taking all criteria into account equally) in order to obtain the best, well-rounded option. As discussed in section 5.1, the judgements and justifications of the scores were validated with focus group participants and external reviewers:

Table 11: comparative qualitative assessment of the policy options

Coherence

On the basis of the outcome of the evaluation (annex 5), the relevance of the existing legal framework appears to be questionable. Also, very few respondents to the consultation indicated that the existing legal EU legal framework sufficiently addressed the different issues concerning non-cash payment fraud, such as the definitions of payment instruments, criminalisation of preparatory acts or the lack of common minimum level of penalties. Therefore, options including legislative initiatives (B, C and D) are considered preferable to the baseline scenario and to option A which includes non-legislative measures only.

Most of the stakeholders consider the level of public-private cooperation to not be fully effective in combating non-cash payment fraud. Private sector representatives appear to be most dissatisfied. Main obstacles in cooperation include, for instance, limitations in the possibility to share information with law enforcement authorities and in the use of tools to enable the exchange of information. The vast majority of stakeholders 110 agreed that in order to investigate and prosecute criminals, financial institutions should be allowed to spontaneously share with the national police or the police of another EU country some of the victim’s personal information (e.g. name, bank account, address, etc.).

Therefore, options including measures to increase legal certainty for exchanging information were preferred.

As regards to the coherence with other legislative instruments, law enforcement and judicial authorities’ representatives highlighted the value of making the definition of payment instruments consistent with the one included in the Payment Services Directive (PSD2) and pointed out the need to take into account relevant provisions under the Directive 2013/40 on Attacks Against Information Systems. At the second expert meeting, law enforcement and judicial authorities’ representatives agreed on the possibility of replicating, mutatis mutandis, the provisions on jurisdiction included in the Directive 2013/40.

Option D would possibly interfere with the ongoing process on access to electronic evidence. This process aims at providing a comprehensive set of solutions that would address the identified issues regarding the territoriality of investigations across the board (and not for a specific crime area, as it would be the case if option D was pursued).

Effectiveness

If the current situation remains unchanged, consumer choice may decrease because of higher risks of being victims of fraud, the costs for economic operators could increase due to better protection needed against new forms of crime and the number of criminal acts and organised crime gains could continue rising, bringing about a negative effect in terms of effectiveness of EU action.

In option A, addressing the problem drivers by improving implementation of existing EU legislation, including by promoting the exchange of best practices and capability building, could improve the conditions for investigations and prosecutions to a certain extent. It is uncertain that these initiatives would be able to help evolve the national legal frameworks to address in a timely manner new means of payment and offences related to non-cash payment fraud that are currently not covered (e.g. sale of stolen credentials). It would also be difficult to achieve a common minimum level of penalties through only the initiatives of this option. Finally, it is unlikely that this option would effectively tackle the jurisdiction issues, given the current gaps in the Framework Decision, as illustrated through specific cases presented by Europol in the expert meetings.

The level of effectiveness of law enforcement action could raise significantly for options including legislative measures (B, C, D): while option A would not likely bring about overall improvements in efficiency, option B would increase the chances of detecting, investigating, prosecuting and sanctioning conduct that enable non-cash payment fraud (preparatory acts) as discussed earlier.

Poor cooperation among private and public authorities was mentioned by several stakeholders 111 as obstacles encountered when fighting non-cash payment fraud. Legislative measures (C, D) to enhance public-private cooperation and exchange of information, were considered more effective than non-legislative ones (A, B). However, the non-mandatory nature of envisaged legislative solutions reduces the differences between options, in terms of effectiveness.

The expected effects of a self-regulatory framework for public-private cooperation in options A and B would be positively influenced by: 1) the extended scope of the revised legislation, which ensures that cooperation would also tackle new payment instruments and forms of crime; 2) the facilitated cross-border cooperation, making it easier for these initiatives to involve stakeholders from different Member States and better tackle cross-border fraud.

However, possible legal issues regarding the ability to exchange information would not be addressed.

Efficiency

The baseline scenario would not bring about any cost, or benefit. Under option A, where possible actions would not be of a legislative nature, additional costs related to implementation would be limited to those Member States that still need to bring their national legislation fully in line with the related EU legislation. Awareness raising to enhance prevention would have limited costs, as it is the case for workshops and other actions devoted to the exchange of best practices. Costs of implementation and enforcement of new legislation would naturally increase, as legal requirements augment; for instance, measures aiming at enhancing cross-border cooperation through points of contact in law enforcement or a provision on collecting statistics would have continuous financial consequences for national administrations.

On the other hand, benefits would equally increase for options including legislative measures: approximation of national criminal law frameworks, through common definitions and minimum levels of maximum penalties set at EU level would ease cooperation.

Fundamental rights

Non-regulatory solutions would have no impact on fundamental rights, while options B, C and D would have a positive impact as regards to the right to liberty and security and data protection.

EU added value

The magnitude of the added value of the EU intervention under option A is likely to be limited compared to the baseline: it is unclear how effective this action would be in incentivising voluntary public-private cooperation agreements. In addition, given that a number of such agreements already exist, the added value of the communication is likely to be quite limited. On the other hand, this option would not affect the competences of the Member States.

Legislative measures would represent an added value compared to the Framework Decision. For example, a common minimum level of sanctions would reduce the disparities between Member States and ensure a more coherent treatment of fraud criminals across the EU. Also, with regard to cross-border cooperation, Member States would be unlikely to cooperate effectively without EU action.

The introduction of legislative measures would add a new layer of interference in the competences of the Member States. As options B, C and D increase respectively the number of legislative measures, they also increase respectively the degree of interference with the competences of the Member States.

The table below summarizes the pros and cons of the different policy options:

Table 12: summary of pros and cons of the policy options

The policy options meet the specific objectives to different degrees:

1)Ensure that a clear, robust and technology neutral legal framework is in place

As outlined in the evaluation of the existing policy and legislative framework (annex 5), the Framework Decision appears to be outdated and to fall short in addressing some of the areas that are considered key for countering non-cash payment fraud effectively.

Option A would provide elements of clarification and marginally increase approximation of national legislation (by bringing Member States that still need to make progress in certain areas in line with the Framework Decision).

However, the Framework Decision does not contain a technology neutral definition and stakeholders agreed that it needs improvement as regards to the criminalisation of specific preparatory acts. Options B, C and D would address those issues, by updating definitions (e.g. payment instruments, payment orders and information systems) to make them technology neutral and therefore future proof, while being as precise as criminal law requires. These technology neutral definitions will be used to describe the offences to be criminalised and ensure that the legal framework allows that all the relevant crimes to be effectively investigated and prosecuted (as explained in section 1.3. the problem drivers indicate that the issue at hand is mostly a regulatory failure, where the current EU legislative framework has become partially obsolete, due mainly to technological developments).

A clear and robust legal framework governing exchange of information is also needed to enable public-private cooperation, as clearly pointed out by representatives of the private sector. Options A and B would address this issue only partially, without a providing a clear legal basis for exchange of information, like the one provided in options C and D.

2)Eliminate operational obstacles that hamper investigation and prosecution

Option A aims at addressing obstacles to investigation and prosecution through training and exchange of best practices. Although these can be valid supporting measures, they are likely to bring only marginal improvements to cooperation, compared to providing a clear role for national points of contact and clarifying rules on jurisdiction to avoid conflicts of jurisdiction (as in the cases presented by Europol and included in annex 5 as an example), as options B, C and D would provide.

Moreover, timely access to information and effective information exchange with private parties have been identified as key issues by experts. By providing legal certainty, options C and D would pave the way towards public-private cooperation, creating the conditions for enhancing the quality of reporting and the possibility for private parties to assist better law enforcement authorities in their action.

3)Enhance prevention

Under options A and B, enhancing prevention would be an indirect consequence of the improvements in public-private cooperation brought about by non-legislative initiatives.

However, possible legal issues regarding the ability to exchange information would not be addressed, failing to meet stakeholders' expectations, as expressed in particular by the private sector in the expert meetings and by other stakeholders (e.g. national banking federation) in the open public consultation.

Therefore, prevention would be more effective if a sound framework for public-private cooperation is in place, as proposed under options C and D.

Qualitative comparison

The table below compares the estimated costs and benefits for the different options

Table 13: comparative quantitative assessment of the policy options (EUR million)

As highlighted in section 5.2 (quantitative assessment), given the limitations caused by the lack of data, the calculation of benefits was carried for the main purpose of comparing the options. In consequence, the total value of benefits must be interpreted in relation to the other options, rather than as an accurate estimate of the actual reduction of fraud that the preferred policy option would actually cause. In particular, the much higher potential benefits in relation to the costs for options B, C, D should not be taken at face value. That said, option D is the option that could offer comparatively more benefits in the form of reduction of fraud, followed closely by option C.

5.5.Preferred option

On the basis of the assessment, the preferred option identified is option C.

Option D scores slightly better than C against several assessment criteria (such as social and economic impacts) but C has a better overall qualitative score. Option C is the second best option in terms of potential savings, but given the limitations in the quantitative assessment due to lack of data, more weigh was given to the qualitative assessment to decide on the preferred option.

Main advantages

Option C would effectively pursue the strategic objectives of the EU intervention since:

·broad minimum common definitions (measure 3) and minimum rules for sanctions (measure 5) would address different forms of fraud, including new and emerging ones, cross-border crimes (measures 12 and 7), and preparatory activities (measure 5);

·assistance to victims (measure 11) would further reinforce consumers' trust and economic operators in non-cash payment transactions and the digital single market.

In particular, option C would incorporate technology neutral definitions, which are more likely to be future proof. To further reinforce the future proof aspect, the definitions would be drafted in a way that encourages investments in security technologies, by, for example, specifying that the payment instrument is provided with a protection against imitation or abuse (i.e. is secured).

Furthermore, the liability rules set by the PSD2, in which the payment service provider is the one liable unless the payee fails to accept strong customer authentication, also contribute to encouraging payment service providers to ensure an up to date level of protection of the payment instrument.

The expected economic impacts in terms of a) consumer choice and protection (both individuals and businesses), b) consumptions (both business-to-customer and business-to-business), and c) cost savings for economic operators are likely to drive significant positive impacts on the functioning of the digital single market.

The EU added value of the option can be associated to the provisions a) setting minimum levels of sanctions (which could reduce the disparities between Member States and to ensure a more coherent treatment of fraud criminals across EU), and b) facilitating cross-border cooperation.

Main disadvantages

The use of broad and all-encompassing definitions for non-cash payment instruments and crimes could lead to divergences in interpretation across Member Stats, possibly limiting the simplification benefits.

Reporting on voluntary basis would not guarantee a dramatic increase in the number of information (fraud incidents and/or suspicious transactions) collected by law enforcement authorities. However, information (including modi operandi and other strategic information) could be shared by the private sectors within established public-private cooperation mechanisms, provided that partners’ liabilities and responsibilities will be addressed and defined.

The option would entail significant financial and administrative costs (one-off of EUR 0.56 million and annual costs of 2.28 million EUR) to national authorities for transposing, implementing and enforcing the new legislation, facilitating cross-border cooperation, including collection of statistics, operation of contact points (also for reporting purposes) and cooperation with Europol and Eurojust, as well as implementation of awareness raising campaigns.

Trade-offs

This option would enhance security but at a cost for national administrations.

Also, the implementation of increased security in payment authentication systems could generate constraints for consumers which may affect negatively their willingness to engage in online payments and the digital single market (e.g. if consumers find the security measures too burdensome).

Fundamental rights

As described in section 5.1.3. (fundamental rights), the preferred option could have a positive impact on the right to security, freedom to conduct a business and consumer protection by regulating forms of non-cash payment fraud not covered currently.

The measures of this option have as final objective the protection of the rights of victims and potential victims. The establishment of a clear legal framework for law enforcement and judicial authorities to act upon criminal activities directly affecting the personal data of the victims, including the criminalisation of preparatory acts, may in particular have a positive impact on the protection of victims' and potential victims' right to privacy and right to protection of personal data.

At the same time, this option respects fundamental rights and freedoms as recognised by the Charter of Fundamental Rights of the European Union, and would have to be implemented accordingly. Any limitation on the exercise of such fundamental rights and freedoms would be subject to the conditions set out in Article 52(1) of the Charter, namely be subject to the principle of proportionality with respect to the legitimate aim of genuinely meeting objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others, be provided for by law and respect the essence of those rights and freedoms.

In particular, this option respects the principle of legality and proportionality of criminal offences and penalties as, in providing for minimum rules on the criminalisation of non-cash payment fraud, it limits the scope of the offences to what is necessary to allow for the effective prosecution of acts that pose a particular threat to security and introduces minimum rules on the level of sanctions in accordance with the principle of proportionality, having regard to the nature of the offence.

The criminalization of preparatory acts could have a positive impact on the protection of personal data. That said, attention should be given to the provisions encouraging reporting, to ensure that they are in accordance with the fundamental right to protection of personal data and existing applicable legislation, including in the context of public-private cooperation.

Subsidiarity

Given the international dimension and the scope of the problems to solve, the measures included in the preferred policy options need to be adopted at EU level in order to achieve the identified objectives. In particular, action by Member States would fall short in addressing, e.g. the following issues:

·Differences among different definitions of criminal offences and level of sanctions among Member States, in order to enhance cross-border cooperation and ensure coherence in the law enforcement approach to non-cash payment fraud;

·Disparities about the protection of EU consumers and economic operators, therefore reinforcing trust in the digital single market and preventing deviations in their choices and buying behaviours;

·Obstacles to cross-border cooperation on combatting non-cash payment fraud.

In addition, the preferred option offers the most added value at a reasonable degree of interference in the competences of the Member States.

Proportionality

Regulation has been discarded as delivery instrument of the policy option because Article 83(1) TFEU only allows for the means of Directives to give Member States a high degree of flexibility in terms of implementation.

The option would introduce a minimum set of common broad definitions, minimum level of maximum sanctions and rights of victims. Therefore, Member States would retain a degree of discretion in setting the levels of sanctions. Likewise, Member States would be allowed to grant more favourable rights to the victims of non-cash payment fraud.

The option would not impose disproportionate obligations to the private sectors (including SMEs) and citizens, since reporting to law enforcement authorities would be voluntary.

The costs that the preferred option would entail are justified in light of the negative consequences of non-cash payment fraud. As discussed in section 1.2.4. (“Why is it a problem”), at least EUR 1.4 billion per year are stolen to fund organized crime groups and activities such as terrorism, drug trafficking and trafficking in human beings. In addition, citizens and businesses suffer direct economic losses, representing an obstacle to the digital single market.

On the whole, the option does not go beyond what is necessary to achieve the objective identified for the EU intervention.

7.HOW WOULD ACTUAL IMPACTS BE MONITORED AND EVALUATED

The Commission should review the implementation of any (legislative or non-legislative) proposal on non-cash payment fraud with regard to the achievement of policy objectives identified in this impact assessment. A commitment to evaluating the impacts of a legislative act, if proposed, should be included in the draft text. This evaluation should be engaged 6 years after the deadline for implementation of the legislative act to ensure that there is a sufficiently long period to evaluate the effects of the initiative after it has been fully implemented across all Member States. It may include a public consultation and/or survey stakeholders to review the effect of the potential legislative act on the different categories of stakeholders.

In addition to that formal evaluation, the Commission will remain in close contact with the Member States and with the relevant stakeholders to monitor the effects of the new legislative act. The European multidisciplinary platform against criminal threats (EMPACT), part of the EU Policy Cycle, 112 represents an excellent forum to exchange of information with the Member States (law enforcement) and to gather first-hand information and qualitative evidence on cross-border cooperation on combatting non-cash payment fraud. Qualitative evidence provided by law enforcement and prosecutors (e.g. examples of cases that cannot be prosecuted because jurisdiction cannot be established) can be a cost effective yet informative way to illustrate the gaps that a possible legislative instrument would aim to cover.

The Commission will also remain in contact with social partners such as victims’ and consumers’ associations.

The Commission should also submit a report assessing the extent to which the Member States have taken the necessary measures in order to comply with the legislative act, 2 years after the deadline to implement it.

Table 14 summarizes the indicators proposed to monitor the achievement of policy objectives identified in this impact assessment. The general and specific objectives are the same ones as those proposed in section 3, whereas the operational objectives are linked to the preferred option described in section 7.2.

The indicator “Volume (value and number of transactions) of non-cash payment fraud” serves the two general policy objectives. It uses as sources the statistical data on fraud related to the different means of payment (not only cards) that payment service providers will be required to provide under Art.96(6) of PSD2 on incident reporting. Therefore, this indicator will provide additional information on the breakdown of fraud by non-cash means of payment, which will allow the future success of the intervention to be measured more broadly than only in terms of card fraud. In addition, the European Central Bank is currently devising definitions that would allow tracking fraud committed using different non-cash means of payment, and which will provide further data for this indicator.

To avoid putting any additional administrative burden on Member States or the private sector due to the collection of information used for monitoring, the proposed indicators mainly rely on the existing data sources (e.g. ECB, Eurobarometer).

The preferred option contains a requirement for Member States to collect national statistics on non-cash payment fraud crimes, to facilitate cross-border cooperation. This data will be used to monitor the ratio between fraud volume and law enforcement action. The costs of this data collection were included in the analysis of the options.

For the remaining data that is not currently available, the Commission will conduct a targeted survey. The costs of the survey should be borne by the Directorate General of Migration and Home Affairs within its operational expenditure (e.g. as support expenditure for operations of the Cybercrime policy area). The survey will be biannual and will be conducted at least twice, coinciding, if applicable, with the reporting requirements for the Commission on the transposition and implementation of the potential legislative act.

As a result, the proposed monitoring arrangements would not generate additional administrative burden (reporting obligations) for firms, including SMEs, beyond those already imposed by the reporting requirements on non-cash payment fraud data of Art. 96(6) of the PSD2.

As seen throughout the Impact Assessment, the PSD2 is of key importance for the impact and the success of a potential legislative proposal on non-cash payment fraud because of the reporting requirements but also in multiple other areas such as prevention. Other EU policies and legislative instruments, such as the ongoing process on improving criminal justice in cyberspace, also have an impact on the success of the potential legislative act (see annex 6).

The benchmark against which progress will be measured is the baseline situation when the legislative act enters into force. The Commission will compile the necessary data at that point, conducting a small survey/study if necessary, funded by the Directorate General of Migration and Home Affairs.

With regard to targets (a proxy for success criteria), given the different situations in the Member States as the evaluation section describes (see annex 5), it was considered more effective to measure progress of each Member State against its own baseline, rather than through identical targets across Member States.

Table 14: monitoring of general, specific and operational objectives

ANNEX 1: PROCEDURAL INFORMATION

1.Organisation and timing

The Directorate-General for Migration and Home Affairs (HOME) is the lead service for the preparation of the initiative (2016/HOME/077 – inception impact assessment published in May 2016) and the work on the evaluation and impact assessment.

Given that evidence was already available on difficulties encountered by law enforcement (see section 1.3. "Evidence", below) in tackling non-cash payment fraud, the decision was taken to run the evaluation of the current situation at the same time with the impact assessment. The results of the evaluation (presented in Annex 7) by-and-large confirm the preliminary analysis.

The evaluation of the current situation was carried out back-to-back with the Impact Assessment for possible new measures in the area of non-cash payment fraud. The Commission committed in the European Agenda of Security (2015) to review the existing legislation on combatting fraud and counterfeiting of non-cash means of payment. President Juncker reiterated that commitment by including improved rules on fraud in non-cash payments in his September 2015 Letter of Intent, initially planned for delivery in 2016. The proposal was rescheduled for delivery after the summer of 2017, which required carrying out the evaluation back-to-back with the Impact Assessment.

An inter-service steering group (ISSG), chaired by the Secretariat-General, was set up in December 2015 with the participation of the following Commission Directorates-General: Legal Service; Competition (COMP); Financial Stability, Financial Services and Capital Markets Union (FISMA); Informatics (DIGIT); Internal Market, Industry, Entrepreneurship and SMEs (GROW); Environment; Communications Networks, Content and Technology (CONNECT); Joint Research Centre (JRC); Justice and Consumers (JUST).

Invitations were also sent to DG Economic and Financial Affairs (ECFIN).

The ISG met three times, discussing the inception impact assessment, the terms of reference for the external study 113 , the questionnaire for the public consultation, as well as subsequent reports of the support study and the draft impact assessment.

2.Consultation of the RSB

The Regulatory Scrutiny Board received the draft version of the present impact assessment report on 22 June 2017. It issued an impact assessment quality checklist on 7 July 2017 with a number of very helpful comments. A detailed response to the RSB quality checklist was sent in advance to the RSB meeting on 12 July 2017, which specified how each of the RSB comments would be incorporated to the final version of the impact assessment.

The RSB issued a positive opinion without reservations on 14 July 2017, with a number of recommendations that completed the previously issued quality checklist. All of the RSB comments were incorporated into the final version of this document.

3.Evidence

The problem definition was based on:

·previous implementation reports and studies carried out by the Commission 114  

·the dedicated action under the Operational Action Plans 2014, 2015 and 2016 of the EMPACT sub-priority "Payment Card Fraud" of the EU Policy Cycle 115  

·the information gathered in the framework of the 7th cycle of mutual evaluation, 116 dedicated to the practical implementation and operation of the European polices on preventing and combating cybercrime.

The information available has been complemented by additional research.

This was used to update and substantiate the problems identified in those implementation reports and studies, identify possible solutions and assess their impacts (see external expertise below).

4.External expertise

As indicated above, the impact assessment work was based on previous reports and studies and partly informed by external expertise.

Following discussions with the ISG, a request for services for the impact assessment and evaluation support study was launched in August 2016 and the study was delivered in June 2017. Its draft final report including the assessment of all major impacts was scrutinised by the ISG and commented by various services of the Commission. The study relied on:

·the reconstruction of the Framework Decision intervention logic showing the objectives of the intervention and the chain of expected effects (outputs, outcomes and impacts);

·desk research on EU and national documents;

·field research, including interviews, a web based survey targeted to representatives of: law enforcement authorities in the area of data protection, victims' assistance and the private sector, and a validation focus group. Overall, 125 stakeholders have been involved in the study covering all Member States except CY, HU and HR. Moreover, the study used the results of the open public consultation that the European Commission (EC) launched in March 2017 to collect opinions on the effectiveness of the current legislative and policy framework and on existing problems and possible options for future initiatives.

The responses of the stakeholders that had only partially answered to the survey have been taken into account only when the stakeholders had provided at least one detailed response to an open question.

The survey included both closed and open questions. The analysis mainly focused on closed questions and used qualitative inputs provided by respondents to the open questions to further illustrate the results. Overall, stakeholders’ inputs to open questions were generic and heterogeneous therefore making it difficult any comparison of the answers.

All questions having at least 40% of responses have been analysed. Questions with more than 60% of “No Answers entered” and “do not know” were not taken into account. Share of survey respondents indicated in the analysis have been calculated based on the total number of stakeholders who provided an answer different from “do not know” and “No Answers entered”.

The analysis of the survey is structured around evaluation questions mirroring the structure of the core text. Survey questions have thus been grouped according to the main evaluation question they refer to.

The results of the consultation are presented in detail in annex 2.

ANNEX 2: STAKEHOLDER CONSULTATION

Three types of consultation activities were carried out: open public consultation, targeted consultation organized by the European Commission and targeted consultation organized by a contractor:

1. Open public consultation

The European Commission launched an open public consultation on 1 March 2017, which aimed to gather feedback from the public at large on the problem definition, the relevance and effectiveness of the current legal framework in the field of non-cash payment fraud, as well as options, and their possible impacts to tackle existing issues. The consultation closed after 12 weeks, on 24 May 2017.

The open public consultation was conducted through an online questionnaire published on the internet in all EU official languages and announced at the "single access point". Two separate questionnaires were prepared: one for the general public and another one for private organisations, public authorities, or practitioners in the area of non-cash payment fraud. It was advertised on the European Commission's website, 117 through social media channels (DG HOME and Europol's EC3 Twitter accounts), through established networks of stakeholders (e.g. contacts held by the European Cybercrime Centre at Europol) and at all relevant meetings (as listed below).

Thirty-three practitioners and twenty-one members of the general public answered the questionnaires of the open public consultation. Four practitioners provided additional inputs through written contributions. Practitioners included:

·private companies (private sector);

·international or national public authorities (law enforcement agencies, judicial authorities and EU institutions and bodies);

·trade, business or professional associations (e.g. national banking federations) ;

·non-governmental organisations, platforms or networks;

·professional consultancies, law firms, self-employed consultants;

Members of the general public contributed from nine Member States (AT, BE, DE, EL, ES, FR, IT, PT, SE). Practitioners did not always specify their country of origin or residence but at least 13 Member States (CZ, DE, DK, EL, ES, FI, HU, IE, IT, NL, PT, RO, SK) were covered. Some stakeholders operated at EU level.

Results of the public consultation are analysed and integrated in this annex.

2. Targeted consultation organized by the European Commission

1.Large expert meetings:

oRepresentatives from police and judicial authorities from all EU countries (selected by Member States) were invited to take part in two expert meetings:

§on 2-3 May 2017, the first meeting was used to verify, validate and integrate the preliminary analysis conducted on the evaluation of the existing issues

§on 1-2 June 2017, the second meeting was used to gather experts' views about the possible solutions to the identified problems.

oExperts from private sector (financial institutions, payment service providers, merchants, card schemes) were invited on 31 May – 1 June to discuss the preliminary analysis conducted on the evaluation of the existing issues and present their views on priorities for action and possible solutions.

On 1 June 2017, experts from law enforcement authorities and private sector met together to discuss challenges related to public-private cooperation.

2.Other meetings with the following experts and stakeholders:

oExperts from academia, law enforcement agencies and virtual currencies industries, organized in cooperation with Europol (EC3) (June 2016) 118 .

oRepresentatives of police and law enforcement were consulted in the framework of the dedicated EMPACT Payment Card Fraud sub-priority, three times in 2016 and once in 2017.

oRepresentatives of consumers' organisations were consulted in the framework of a dedicated meeting with the European Commission (16 March 2017)

oRepresentatives of private financial institutions:

§Meetings (three) of the Advisory Group on Financial Services of the European Cybercrime Centre at Europol

§European Payment Council Card Fraud Prevention Forum (29 March 2017)

§European Card Payments Association - Security Working Group (24 May 2017)

oRepresentatives of virtual currencies industries: meeting of the Blockchain and Virtual Currencies Working Group (10 January 2017)

oRepresentatives of financial regulators: the work towards a possible new initiative was discussed twice at the SecuRe Pay Forum (November 2016 and April 2017). 119

oRepresentatives from academia: Conference "Payment Card Fraud Trends – Legal Aspects" - Thessaloniki, 22 November 2016

b)A set of targeted consultations performed by an external contractor team to support the different steps of the project.

3. Targeted consultation organized by a contractor

A contractor organized targeted consultations that included online surveys and interviews. The preliminary results of the consultation were presented to a Validation Focus Group which then provided feedback as well as verified the results of the consultation.

The survey aimed at gathering qualitative and quantitative evidence on non-cash payment fraud (including counterfeiting) in order to assess the dimension of crime and understand the positions and perspectives of the different stakeholders acting at national and at EU level. The survey mainly included a set of predefined questions with some open-ended questions to allow participants to contribute with more detailed opinions or advice. The survey was targeted to representatives from law enforcement and judiciary, data protection authorities, national banking federations, associations and civil society organisations as well as other stakeholders from the private sector.

The purpose of the interviews was to complement the information collected through the surveys by filling in the possible data gaps and by improving the understanding of the responses. In particular, interviews allowed to: (i) gather information related to the implementation of the EU framework by pointing at loopholes and specific issues deserving further attention; (ii) deepen the understanding of the recent technological developments and future trends in non-cash payment fraud in order to design up-to-date and realistic policy options; (iii) support the identification of relevant cases of public-private cooperation and (iv) gather recommendations and suggestions in order to improve the prevention and fight against non-cash payment fraud.

An online Validation Focus Group was organised on 11 April, 2017 with the aim of presenting the main findings of the evaluation study, illustrating expected policy options and gathering input on their impacts.

Overall, 125 stakeholders 120 were involved covering all Member States except CY, HU and HR. The figure below illustrates a detailed category breakdown of the stakeholders. All categories initially identified have been involved.

Figure 1: stakeholders consulted through targeted consultations

When looking at stakeholders addressed through the different data collection tools, the evaluation team collected answers to the survey from 88 stakeholders including 21 representatives from law enforcement authorities, 19 representatives from associations and data protection authorities, 10 representatives from national banking federations and 38 representatives from the private sector.

53 stakeholders were interviewed including 11 representatives from law enforcement, 6 from the judiciary, 10 from associations and data protection authorities, 5 representing public-private partnership, 1 from Academia, 1 from legal practitioners, 2 from national banking federations, 9 from the private sector and 8 from EU institutions and bodies.

7 stakeholders attended the Validation Focus Group including representatives from EU institutions and bodies, the private sector, public-private partnership, law enforcement and Academia.

Main results

Dimension of crime

Costs related to non-cash payment fraud were generally perceived as high and were expected to increase in the coming years. Stakeholders from all categories faced difficulties when asked to quantify the criminal phenomenon. Statistics are rare 121 and not always accessible. Some of them 122 , however, provided case-based evidence implying the significance of certain types of non-cash payment fraud.

Stakeholders from national banking federations reported an increase of transactions that resulted in consumers’ complaints following the misuse of a non-cash payment. This trend could be seen since the 1990s. Some private sector representatives indicated that that this trend was decreasing. As regards to investigations, prosecutions and convictions related to non-cash payment fraud, it is not clear whether they have increased after the entry in force of the Framework Decision. 123

Payment instruments have evolved over the years with the introduction of an increasing number of non-corporeal payment instruments, such as virtual currencies, e-money and mobile money. Techniques to commit non-cash payment fraud have evolved and they have become increasingly sophisticated. Stakeholders from different categories 124 acknowledged the increasing importance of new forms of cyber-related crime, mainly relating to card-not-present fraud, social engineering and virtual currencies, and suggested further improvement both in terms of protection and in terms of comprehensive definitions (e.g. offences linked to phishing and carding) 125 . Data breaches, malware and phishing are considered the most important means to obtain credentials to be used in fraudulent transactions (with private enterprises showing the highest level of concern).  126 There is a general consensus that several actors bear the costs of non-cash payment fraud, namely banks, financial institutions, merchants and customers. 127  

Identity theft is reported to be an emerging concern. No statistics have been provided by stakeholders. However, there is an overall concern about the relevance of the phenomenon, its expected evolution, and the limited level of protection ensured by the current legislative framework. 128 The vast majority of stakeholders agree that identity theft should be criminalised. 129 As a further confirmation of the increasing importance of identity theft, most representatives from the law enforcement confirmed that carding websites are investigated in their countries.

Criminal law framework

Most stakeholders consulted consider the current EU legal framework only partially relevant to security needs, especially concerning the definition of payment instruments and criminal offences. Some confirmed that national frameworks would need to be amended.

The Framework Decision is considered by the private sector, law enforcement authorities, associations and data protection authorities and national banking federations to be only partially relevant to current security needs, especially with regard to the definition of payment instruments and criminal offences.

As for the definition of payment instrument, the Framework Decision is considered to be not appropriate in so far as it does not cover all newer forms of electronic payments such as online banking payments, mobile payments, electronic wallets, bitcoins, and more generally internet payments. It covers means of payment that no longer exist and it is not consistent with the definition of ‘payment instrument’ included in the Payment Services Directive which goes beyond ‘corporeal’ instruments.

As for the forms of conduct that can be sanctioned in relation to non-cash payment fraud, there is a strong consensus among all categories of stakeholders that the Framework Decision is not comprehensive, and that there are emerging trends that should be better covered. These relate mainly to online fraud and more specifically to theft of credit card credentials, phishing 130 and fraud related to the use of virtual currencies. Activities such as acquisition 131 and sale 132 of credentials to be used in fraudulent transactions should be criminalised according to almost all of the stakeholders, together with fraudulent transactions with virtual currencies 133 and online transactions with stolen credentials. 134

National penalties established for the offences covered by the Framework Decision are perceived to be somewhat effective in tackling non-cash payment fraud. Private sector representatives together with representatives from the public-private partnership were most dissatisfied. Poor enforcement of penalties seems to be among the reasons for their limited satisfaction. Also, most of the stakeholders 135 agreed that it is necessary to have a more coherent level of penalties for offences related to non-cash means of payment across the EU. The Anti-Money Laundering Directive and investigations related to it have been mentioned by stakeholders from the public sector as examples to be looked at in order to determine sanctions and penalties. Also the need to look for aggravating circumstances for organised crime has been highlighted. 136

In general, there is poor knowledge of the Framework Decision among stakeholders from the private sector and law enforcement authorities. They found it difficult to identify the contribution of the Framework Decision to their national legislative frameworks, and to the evolution of the criminal phenomenon. Too many years has passed since its adoption. Other EU and international instruments have complemented the Framework Decision and partially overlap with its scope.

Procedural criminal law

Stakeholders consider the current level of cooperation between Member States for investigations and prosecutions as needing improvement.

With regard to investigations, obstacles relate mainly restrictions hampering information sharing among competent authorities: lengthy procedures, the need to collate different sources of information to have the whole picture 137 . There are also disparities between policies applied by different actors 138 . Moreover, there is a limited possibility for some law enforcement authorities (mainly due to the principle of legality) to prioritise and select non-cash payment cases to be followed up with investigations and internal resources are insufficient to analyse the information provided by the private sector. 139 These elements make non-cash payment cases a low priority in the agenda of some Member States, and therefore limit the effectiveness of investigations. This applies particularly to cross-border cases (further affected by a lack of universal communication channels). Europol also highlighted the anonymity of data exchange and financial transactions as a challenge to law enforcement.

Europol’s support in facilitating cross-border cooperation is widely acknowledged. In addition, stakeholders also appreciates European platforms for data sharing such as SIENA and the need arose for a secure system for cross-border sharing of information among stakeholders affected by non-cash payment fraud. Europol stressed the importance of a harmonised legal framework including penal laws and sanctions as well as procedural laws.

Some experts from the public sector 140 indicated Joint Investigations Teams as an effective way to cooperate and exchange information, while other experts stressed difficulties and administrative formalities in setting them up.

Some respondents from associations and data protection authorities consider that there are obstacles in prosecutions. Obstacles for investigations may also affect prosecutions. In particular, several stakeholders stressed that timely cooperation remains an issue, since – when involving different legislation – it may take time to gather the needed information and evidence for prosecutions.

The majority of stakeholders felt that the current rules of jurisdiction allow for effective investigation and prosecution of crime. However, some respondents from the private sector perceive that the issues connected with the international/cross-border dimension of non-cash payment fraud do not allow effective investigation and prosecution of crime. Stakeholders reported case-based evidence on criminal activities that could not be investigated or prosecuted because of jurisdictional issues and, where present, reasons relate more to operational obstacles rather than legal loopholes. Examples of obstacles encountered when involving different jurisdiction include, for instance, cooperation between private entities and victims of a crime with foreign authorities. 141  

In this context, stakeholders acknowledged the relevance of the support offered by Eurojust to solve cross-border jurisdictional issues.

Reporting to law enforcement authorities

Views on reporting to law enforcement authorities differed: some were satisfied with the current level of reporting, while others believed it should be improved. Under-reporting might be due to reputational concerns of private sector representatives when victims of non-cash payment fraud 142 .

The different categories of stakeholders agreed that future policy options on reporting need to be balanced with the actual capacities of law enforcement authorities to follow-up on cases. Europol pointed out that compulsory reporting will likely cause problems and voluntary reporting in a structured manner would be preferable while other public sector experts conveyed that reporting should be mandatory. 

Public-Private Cooperation

Stakeholders felt that cooperation between public and private entities was beneficial overall and agreed that it should be encouraged to better tackle non-cash payment fraud, particularly when it comes to prevention 143 .

Most of the stakeholders considered that public-private cooperation should be improved to combat non-cash payment fraud. Private sector representatives appeared to be the most dissatisfied. They perceive the main obstacles to cooperation to include, for instance, limitations in the possibility to share information with law enforcement authorities and in related tools used to enable the exchange.

The vast majority of stakeholders 144 agreed that in order to investigate and prosecute criminals, financial institutions should be allowed to spontaneously share with the national police or the police of another EU country some of the victim’s personal information (e.g. name, bank account, address, etc.).

Poor cooperation among private and public authorities has also been mentioned by several stakeholders 145 as an obstacle encountered when fighting non-cash payment fraud.

Legislation, misalignment of priorities and lack of trust together with practical and organisational issues are seen as obstacles by private enterprises, public authorities, trade, business or professional associations for a successful cooperation between public authorities and private entities when actors are based in different EU countries. 146  

Stakeholders from law enforcement authorities and from the private sector suggested that cooperation among Member States can be developed through both formal and informal partnerships. Successful cooperation initiatives include for instance initiatives promoted by Europol (such as the e-Commerce Working Group in 2014 and the Memorandum of Understanding between Europol-EC3 and European Bank Federation), the Italian platform OF2CEN (and the related EU project EUOF2CEN), the British DCPCU, the French GIE Carte Bancaire, a working group in Slovakia gathering national financial institution and a EL sectorial cooperation to combat fraudulent purchase of plane tickets. An increased sharing of good practices and successful cooperation initiatives is generally welcomed by private sector representatives.

Victims’ rights

Damage for victims resulting from non-cash payment fraud is perceived as including violations of the right to the protection of personal data, financial losses and theft of credentials, while stakeholders give a lower degree of importance to the impact of non-cash payment fraud on the willingness to make transactions online and the access to online services.

Stakeholders stressed the importance of protecting victims of fraud. Some of them felt that victims are not protected sufficiently. National initiatives aiming at enhancing protection are overall appreciated 147 . Victims associations have developed good cooperation mechanisms with law enforcement authorities. They aim at providing concrete assistance and encourage victims to report crimes. Countries like UK and NL have developed national helpdesks (online tools at disposal of victims of fraud) which assist victims and provide prevention materials.

The protection of victims as regards identity theft is considered an area where further improvement is needed and several representatives from associations and data protection authorities considered the level of protection of victims’ rights in these cases to be only partially effective. Overall, identity theft is perceived as affecting natural persons as well as legal persons. Therefore victims should be protected regardless of their legal statute.

Victims are also perceived to be in need for psychological support and support to recover losses, getting information on different forms of crime related to non-cash means of payments and the possibility for consumers to prove the occurrence of an unauthorised transaction.

In this regard, representatives from associations and data protection authorities, private sector and national banking federations mentioned some examples of good practices including, for instance, dedicated websites, educational and awareness campaigns as well as brochures and guidelines.

Other results

The effects on SMEs have been described in the qualitative assessment part of the report, both in section (5.1) and in annex 4.

In terms of minority views, the most relevant cases of minority/dissenting views have been described in the relevant sections of the report. These include:

·The dissenting views concerning the deterrence effect and the general effectiveness of a common minimum level of maximum penalties (section 1.3.1. on problem drivers);

·The different views concerning the creation of an EU database on fraud data.

Some stakeholders from the private sector raised this possibility during the expert meetings, but others questioned its viability (see section 4.2.2 on policy measures discarded).

Synthesis of the contributions provided in the open public consultation

1.Contribution from a law enforcement agency:

A national law enforcement agency supports the adoption of a new legal framework for facilitating investigations of non-cash payment fraud, which would make the procedures in obtaining evidence from other countries less time-consuming. The main problem identified is that investigating authorities do not receive timely responses and information exchange between the affected countries should be improved.

2.Contribution from a consumers’ association:

A consumers’ association points out possible shortcomings in the implementation of the revised Payment Services Directive, which introduces too many derogations to strong customer authentication requirements.

3.Contribution from a national banking federation:

A national banking federation calls for a more harmonised framework for fighting non-cash payment fraud as fraudsters and organized crime groups target consumers and banks without regard to borders. They also highlight the fact that victims of so called “push payment” fraud, or common fraud scams and swindles, have little or no recourse for reimbursement.

With current means, law enforcement authorities face considerable workload due to the long time needed to complete the fraud trail, in order to initiate investigation, attribution, possible arrest and prosecution.

This banking federation calls for facilitated exchanges of information and intelligence between banks, national law enforcement agencies and Europol at both national and EU level in order to enable the tracing and freezing of stolen assets.

The existing current data protection law is perceived as constraining information exchange and hampering the ability to detect financial fraud compared with other EU member states.

They support the revision the Framework Decision and wish that the revised legislation contains clearer guidance regarding the sharing of information and intelligence.

4.Contribution from a private company providing and distributing prepaid services

This private company clarifies that prepaid means of payment cover the following instruments:

·social vouchers (corporeal and non-corporeal), which allow to dedicate funds to a specific usage in one Member State, as determined by a social framework;

·anonymous prepaid cards, which permit anonymous transactions but with a restricted framework. They can be of different types depending on whether they allow for an access to cash, have product limits and can be used outside the Member State territory.

This company highlights that prepaid e-money cards are covered by the PSD2 and so are then subject to rules of strong authentication. However, social vouchers and limited prepaid instruments are excluded from the scope of the PSD2 but their characteristics extremely limit possible fraudulent usages.

Thus, they believe that the use of prepaid instruments, and in particular social vouchers and limited prepaid instruments, present insignificant risk of fraudulent use and of counterfeiting.

ANNEX 3: WHO IS AFFECTED BY THE INITIATIVE AND HOW

Summary of costs and benefits for the preferred option

The tables below summarize the costs and benefits for the preferred option. Given the limitations in the impact assessment created by the lack of available data, the tables have been filled to the extent possible:

Costs:

As discussed in section 5.2. (quantitative assessment), the costs for national administrations (direct) include:

·One-off costs:

oTransposing EU legislation in Member States.

·Continuous costs:

oImplementing and enforcing the new legislation, in particular when it leads to an increase in the number of cases to be investigated.

oFacilitating cross-border cooperation, including collection of statistics, operation of contact points (also for reporting purposes) and cooperation with Europol and Eurojust.

oImplementation of awareness raising campaigns.

No costs were identified for citizens/consumers and businesses.

Benefits:

As explained in section 5.2. (quantitative assessment), given the limitations caused by the lack of data, the calculation of benefits was carried for the main purpose of comparing the options. Therefore, the total value of benefits must be interpreted in relation to the other options, rather than as an accurate estimate of the actual reduction of fraud that the preferred policy option would actually cause.

REFIT potential

With regard to the REFIT potential of the preferred option, it can only be assessed from a qualitative point of view, as explained in section 5.3. (REFIT potential).

ANNEX 4: ANALYTICAL MODELS USED IN PREPARING THE IMPACT ASSESSMENT

A4.1. Qualitative assessment

A4.1.1. Qualitative assessment of the policy measures

The qualitative assessment of the retained policy measures (including which stakeholders are mostly concerned by each measure) is the following: