New EBA‑ECB fraud report: Strong authentication helps — but fraudsters are changing tactics fast

Why the report matters to markets and payments firms today

The European Banking Authority and the European Central Bank released a joint review of payment fraud covering 2022–2024. The short version: strong customer authentication (SCA) is doing its job where it is used, but criminals are already shifting to other ways of stealing money. That matters for banks, card networks, payment processors and fintechs because it changes who eats the losses, where costs go, and how customers behave when they pay.

Investors should treat the news as mixed. Firms with deep fraud‑detection teams and broad data sets — think big card networks like Visa (V) and Mastercard (MA), or mature online players such as PayPal (PYPL) — look relatively better placed. Smaller banks and challenger fintechs that still rely on older checks or that have thin margins face higher near‑term costs and reputational risk. Markets are likely to reward clear plans to handle the evolving threat, and punish companies that lag on prevention or face supervisory action.

What the 2022–24 figures show: authentication works, crime moves elsewhere

The report’s main point is straightforward. Where SCA is applied, traditional card fraud — especially card‑not‑present scams during e‑commerce payments — has fallen. The added step of proving who you are (a second factor) raised the barrier for automated theft and stolen‑card use.

But fraud didn’t disappear. Instead, the data shows several shifting trends. First, criminals are turning to social engineering: convincing people to authorise payments themselves, or tricking them into handing over one‑time codes. These are often logged as authorised push payments (APP), and they are hard to stop because the customer appears to approve the transfer.

Second, account takeover and identity theft rose in several markets. Attackers use breaches, phishing, SIM swaps and credential stuffing to access accounts that already passed authentication methods. In some cases, fraud moved from card rails to direct bank transfers or instant payment systems, where SCA is less consistently applied.

Third, fraud patterns vary by merchant type and geography. High‑value goods, travel bookings and online marketplaces remain attractive targets because chargeback rules and cross‑border complexity make recovery difficult. Finally, the report flags that exemptions to SCA (for low‑value or recurring payments) can create weak points and are often abused by fraudsters hunting for the path of least resistance.

What banks, card networks and fintechs may face next

Operationally, expect more near‑term spending on fraud tech and customer protections. That means bigger fraud‑detection teams, more machine learning, identity verification services and tighter onboarding. Those costs hit P&L first and might pressure margins if firms can’t offset them with higher fees, better conversion, or lower losses.

Card networks benefit because their global data advantage helps spot novel patterns, but they also face merchant pushback if friction from SCA cuts conversion and sales. Large banks such as JPMorgan (JPM) and Bank of America (BAC) have scale to absorb higher compliance costs, but smaller banks or thinly capitalised challengers could see widening loss provisions and more volatile quarters.

For payment service providers and fintechs, the picture is split. Firms that sell strong fraud tools or have clear liability management may gain business. Those that act as conduits without adequate controls risk being forced into higher reserves, longer settlement times, and higher compliance costs. Reputational damage from a public breach or a surge in chargebacks can hit user growth and valuations quickly.

Regulatory backdrop and likely supervisory moves

The EU’s SCA rules come from PSD2 and have been enforced progressively. The EBA writes the technical rules and the ECB watches system‑wide risk. The joint report signals a supervisory pivot: regulators accept that SCA reduces certain fraud, but they will not tolerate firms using exemptions or weak controls as a shortcut.

Expect more guidance on how exemptions should be applied, firmer expectations for incident reporting, and supervisory checks on fraud‑loss measurement. Enforcement is likely to focus where firms repeatedly fail to apply SCA correctly, or where they don’t have adequate monitoring around APP and account takeover. That could mean fines, mandated remediation plans, or closer reporting requirements for systemic players.

Investor checklist: what to watch and which signals matter

Practical signals for investors and analysts include: fraud‑loss trends reported in quarterly statements; changes in chargeback rates; growth in operating expense tied to compliance and fraud teams; percentages of transactions processed under SCA vs. exemptions; and any regulatory notices or remediation costs disclosed by management.

Watch for catalysts that could move stocks: a surprise rise in APP losses, a large merchant or bank publicly noting conversion drops from stronger SCA, or a regulator announcing tougher rules on exemptions. Positive signs are sustained declines in fraud loss ratios, successful rollouts of new identity checks, and partnerships that expand a firm’s fraud data reach.

Red flags are rising customer complaints or chargebacks, escalating compliance costs with no drop in losses, and public supervisory action. Overall, the report tilts the landscape toward incumbents with scale and data. For investors, that looks cautiously positive for large, well‑funded networks and banks, and more challenging for smaller players without clear fraud strategies.

Sources

• eba.europa.eu