
Recommendations of the President of the OCCP for payment service providers

Oskar Czerchawski, Associate
29 October 2024

On October 23, 2024, the website of the Office of Competition and Consumer Protection published the Recommendations of the President of the OCCP for payment service providers. To develop these guidelines, the President of the OCCP established a working group (hereinafter: the Group), which included representatives of, among others, the Office of the Financial Supervisory Commission and experts from the banking sector. The result of the Group’s work is a document describing the 6 risk factors most frequently exploited by fraudsters and 16 recommendations for payment service providers.

The Group identified the risk factors on the basis of analyses of complaints addressed to the OCCP by consumers and of comments provided by representatives of payment service providers, particularly from the banking sector. The features offered by payment service providers that the Group considers the most risky include the ability to:

1. raise the transaction limits on the customer’s account independently from the mobile application or website, combined with customers keeping high transaction limits in place;

2. incur a financial obligation from the mobile application or website;

3. change data on a customer’s account independently, including, for example, communication details (e.g., phone number, email address) or data affecting creditworthiness, from within the mobile application or website;

4. activate additional features independently from the mobile application or website;

5. make an immediate transfer of funds;

6. make a card payment without physically using the card (card-not-present, CNP) that does not require strong customer authentication (SCA) on the payee’s side.

The functions indicated are undoubtedly conveniences that consumers who are customers of payment service providers are eager to use, but they also leave ample room for abuse by criminals. As an example, the Group points out, among other things, the risk of easily incurring a financial obligation via a mobile app in the event of unauthorized access to a customer’s account by a third party.

In turn, the catalog of recommendations for payment service providers mentioned above includes:

1. ongoing monitoring of customer transactions and appropriate use of technical measures;
2. a cooling period, i.e. a function that delays the execution of a transaction from the moment the customer submits an instruction to the system until it is executed by the provider;
3. voice messages, i.e. initiating a telephone call to the customer during which the customer is informed of the application, instruction or payment transaction ordered from his account;
4. transaction limits, the change of which should involve a more complex process to ensure security, such as initiating a voice message during which the customer receives the code required to confirm the instruction;
5. restriction of certain functionalities, including those related to consumer credit accessible from the mobile application or from the customer account accessible via the website;
6. blocking the ability to log in to the mobile application or to the customer account accessible via the website from a device that remains actively connected by a remote session to any other device;
7. authentication of an employee of the payment service provider, for example using PUSH messages in the mobile application informing about the initiation of contact by an employee, or using a PIN or password previously agreed with the customer;
8. the content of messages to customers should be simple and understandable to them;
9. the ability of customers to retrieve the content of messages addressed to them for a recommended period of not less than 13 months, as well as the ability to download that content and save it on a durable medium;
10. the ability for a customer to quickly report an unauthorized payment transaction via a toll-free hotline dedicated exclusively to handling such reports, as well as via chat in the mobile app and on the website;
11. a “panic button”/“emergency button” that allows the consumer to immediately block all transactions;
12. the use of strong customer authentication (SCA) for card transactions without physical use of the card (CNP) in all cases;
13. credentials not visible on the payment/credit card;
14. one-time virtual cards;
15. U2F dongles;
16. use of systems based on artificial intelligence or behavioral biometrics.
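To make recommendations 2, 4 and 6 concrete, the following is an added illustration (not part of the OCCP document or any provider’s code) of a transfer-gating policy that enforces a cooling period, requires step-up confirmation for limit increases, and refuses instructions from a device under an active remote session; all thresholds and timings are assumed values.

```python
"""Illustrative gating policy for recommendations 2 (cooling period),
4 (step-up for limit changes) and 6 (block remote-controlled devices).
Added example; thresholds below are assumptions, not OCCP figures."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

COOLING_PERIOD = timedelta(hours=12)      # assumed delay before a held transfer executes
LIMIT_CHANGE_QUIET = timedelta(hours=24)  # assumed: transfers soon after a limit raise are held
INSTANT_THRESHOLD = 1000                  # assumed: amounts up to this execute immediately

@dataclass
class Account:
    daily_limit: int
    limit_raised_at: Optional[datetime] = None  # last self-service limit increase

@dataclass
class Session:
    remote_control_active: bool  # device is being driven over a remote-access session

@dataclass
class Decision:
    action: str                  # "execute", "hold", "block" or "step_up"
    reason: str
    release_at: Optional[datetime] = None

def request_limit_change(account: Account, new_limit: int) -> Decision:
    """Rec. 4: lowering a limit is immediate; raising it needs a voice-call code."""
    if new_limit <= account.daily_limit:
        account.daily_limit = new_limit
        return Decision("execute", "limit lowered")
    return Decision("step_up", "limit increase requires voice-call confirmation code")

def confirm_limit_change(account: Account, new_limit: int, now: datetime) -> None:
    """Applied only after the voice-call code was verified (verification out of scope)."""
    account.daily_limit = new_limit
    account.limit_raised_at = now

def evaluate_transfer(account: Account, session: Session, amount: int, now: datetime) -> Decision:
    """Order matters: device state first, then hard limit, then risk-based cooling period."""
    if session.remote_control_active:
        return Decision("block", "remote session active on device (rec. 6)")
    if amount > account.daily_limit:
        return Decision("block", "amount exceeds daily limit")
    recently_raised = (account.limit_raised_at is not None
                       and now - account.limit_raised_at < LIMIT_CHANGE_QUIET)
    if amount > INSTANT_THRESHOLD or recently_raised:
        return Decision("hold", "cooling period (rec. 2)", release_at=now + COOLING_PERIOD)
    return Decision("execute", "within limit, no risk signals")

def run_scenarios() -> dict:
    """Constructed walk-through of the rules; returns the action taken in each case."""
    now = datetime(2024, 10, 23, 12, 0)
    acct, out = Account(daily_limit=5000), {}
    out["small"] = evaluate_transfer(acct, Session(False), 300, now).action
    out["remote"] = evaluate_transfer(acct, Session(True), 300, now).action
    out["large"] = evaluate_transfer(acct, Session(False), 4000, now).action
    out["raise"] = request_limit_change(acct, 20000).action
    confirm_limit_change(acct, 20000, now)
    out["after_raise"] = evaluate_transfer(acct, Session(False), 300, now + timedelta(hours=1)).action
    out["two_days_later"] = evaluate_transfer(acct, Session(False), 300, now + timedelta(days=2)).action
    return out
```

The held transfer carries a `release_at` timestamp, which is the window in which the voice message (recommendation 3) or a panic-button block (recommendation 11) can still stop it.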

Importantly, the Office points out that the recommendations presented should not be treated as a closed catalog, and it emphasizes the key role of payment service providers, who should cooperate continuously in shaping good practices in this area and implement any other countermeasures, responding immediately to emerging threats.

#UOKIK #RecommendationsUOKIK #PSP #MIP #KIP #PISP #Payments

Oskar Czerchawski | Associate
Maciej Raczynski | Partner

Raczyński Skalski & Partners
