Understanding FCA fraudulent transaction reports

The Payment Services Regulations 2017 (the ‘Regulations’) apply to banks, building societies, card issuers, and other firms which provide payment services. These are the services set out in the Regulations and summarised on the FCA’s website, and include payment initiation services, account information services and services which allow cash to be paid into (or withdrawn from) payment accounts, amongst others. One of the requirements for firms governed by the Payment Services Regulations is to “provide to the FCA statistical data on fraud relating to different means of payment”.  

What is a fraudulent transaction? 

The FCA Handbook defines a fraudulent transaction as any payment transaction that has been executed, acquired, or initiated (if relevant to the services provided), which falls into one of the following two categories: 

  • Unauthorised payment transactions made, including as a result of the loss, theft or misappropriation of sensitive payment data or a payment instrument 
  • Payment transactions made as a result of the payer being manipulated by the fraudster to issue a payment order 

The precise means of theft, misappropriation or manipulation will vary, depending on the situation at hand. This is because a fraudster will, of course, apply different techniques to trick someone who is withdrawing cash (for example) than to trick someone issuing an online credit transfer. This is why the FCA report requires the statistical data on fraud to be broken down according to different means of payment. This is intended to:

…help [the FCA]… understand whether PSPs [payment service providers] have appropriate systems and controls to adequately protect users against fraud and financial crime and to understand the security risks faced by the industry as a whole.

What data is required and how is it submitted? 

The Regulations do not prescribe the format of the report on fraudulent data, but simply note that it “must be provided in such form as the FCA may direct”. The form is set out in the FCA Handbook, which also includes guidance notes on the submission of statistical data on fraud. 

The data on fraud must be submitted to the FCA at least once a year, with the precise frequency varying, depending on the type of payment service provider. 

As mentioned above, the FCA requires the statistical data on fraud to be broken down according to different means of payment. Accordingly, firms must submit separate breakdowns of the total number and value of transactions involving each means of payment. This is why there are distinct parts of the form for credit transfers, direct debits and card payments (amongst other means of payment). Submitters must also provide a geographical breakdown of fraudulent transactions, noting the totals for each means of payment that took place:

  • Domestically; 
  • Cross border within the EEA; and 
  • Cross border outside the EEA 

The challenges of reporting fraudulent transactions

Submitting the actual reports is relatively straightforward, with forms sent to the FCA electronically, in the prescribed form. In addition, as mentioned above, the FCA provides guidance notes on the completion of the form. However, whilst the process of submitting data on fraudulent transactions is quite simple, firms can struggle with collecting that data. As mentioned above, the relevant period for reporting is between 6 and 12 months, and firms must be ready to submit data on all fraudulent transactions, broken down by means of payment, type of fraud, location and authentication method.

Firms that wait to collate this data at the end of a reporting period run the risk of receiving late or incomplete updates from staff who may have long forgotten the details of relevant transactions. This is why it is crucial for firms to collect data in real-time.

How VinciWorks can help

Fraudulent transaction report solution
Our solution includes a best-practice form that can easily be customised

VinciWorks’ FCA compliance suite operates in our data collection and reporting tool, Omnitrack, and now includes a Fraudulent Transaction form. Capturing data as soon as fraudulent transactions occur means your FCA reports can be completed with ease at the end of the relevant period. 

Although the FCA’s spreadsheet runs to hundreds of rows, most questions are irrelevant for individual transactions. It is only at the end of a reporting period that the form should be considered as a whole. Accordingly, our system’s conditional logic can be used to save staff time, as they simply answer questions relating to the transaction they are reporting.

You can use our solution to:

  • Collect: if staff have access to a link, and are aware of the need to report fraudulent transactions, all the data you need will be ready to collate at the end of the relevant period.
  • Assess: the workflow has ‘admin only’ questions, which compliance staff can use to determine whether a transaction is reportable.
  • Sort: statuses are assigned to submissions, based on users’ answers, allowing you to see which submissions need to be included in your next return. Statuses include Reportable, Not Reportable, and Reported, but both the names and automations can be customised. 
  • Review: use our customisable dashboard to see a graphical overview of the breakdown of different types of fraud or means of payment that are reportable.
  • Reminders: set rules to receive automatic reminders for incomplete submissions or submissions which are yet to be sent to the FCA.
  • Report: upload a copy of the FCA form, to keep an audit trail of all transactions reported.