European Banking Authority (EBA) rules on transaction monitoring for internet payments are on the way. Is your organisation aware of what’s expected and the timetable for implementation?

In this post, Nikolaus D. Bayer, Managing Director at IRIS Analytics, unpicks some of the implications of the new regulations for the industry.

The guidelines come into force on 1 August 2025 and will affect all payment service providers (PSPs), i.e. all players involved in providing payment services and not only so-called e-commerce payment gateways in the European Union. Among other things it covers online banking services and any form of shopping on the internet.

The action is aimed at clamping down on internet fraud which is steadily growing. For instance, card fraud committed on the internet jumped by 21.2% from 2011 to 2012 – a statistic that makes uneasy reading for increasingly jittery consumers.

Personally, I welcome the new guidelines and I am encouraged to see that customer authentication is right at the heart of the legislation. The guidelines are not just another compliance burden, they are also an opportunity for improving the consumers’ payment experience. The good news for the consumer, as well as the industry, lies in the following statement:

"PSPs offering acquiring services should require their e-merchant to support solutions allowing the issuer to perform strong authentication of the cardholder for card transactions via the internet. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. based on a transaction risk analysis"

As consumers and bank customers, we all love online banking and internet shopping for its sheer convenience. At the same time, we do not like lengthy, complicated checkout procedures. The use of alternative authentication measures instead of 3D-Secure, for instance, means that merchants and issuers can provide quick and convenient payment processes for low risk purchases, resulting in reduced shopping cart abandonment rates during checkout.

But we also want to feel that our payment information is fully protected and that we can trust our bank to see to it. Real-time transaction monitoring systems provide that additional layer of security to detect behavioural patterns (financial and non-financial) that are not easily detected through traditional methods. The following clause speaks directly to acquirers:

"Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the PSP's final authorisation; suspicious or high risk transactions should be subject to a specific screening and evaluation procedure. [...]"

The new guidelines should be seen as a positive step forward in the fight against internet fraud. If the payment industry can deal with it and manage to restore trust with consumers, there are additional opportunities – for issuers to offer a wider range of products and services beyond the bricks-and-mortar infrastructure; for merchants to increase sales and customer satisfaction; and for payment gateways and acquirers to differentiate themselves from the competition through value-added services including information that enable their merchants to launch targeted offers, loyalty programmes, location-based promotions, to name but a few.

Nikolaus D. Bayer, Managing Director, IRIS Analytics