Prevention of payment instrument fraud
With Law no. 166 of 17 August 2005 ("Institution of a system to prevent payment card fraud"), Italy legislated an up-to-date system for a continually changing sector that requires a dynamic capacity to adapt prevention tools, both with respect to the specific business of payment cards and, more in general, with respect to payment instruments. From an administrative perspective, UCAMP is at the centre of this system.
With Law no. 166, Italian lawmakers established that "administrative prevention" measures to be adopted in this specific sector fall within the framework of the public interest obligations that the State is required to fulfil for the benefit of the community. From a general perspective, it is useful to emphasise that administrative prevention precisely entails:
- identifying the critical points within the security systems of the companies that issue payment cards;
- developing (including through legislative initiatives) solutions capable of gradually eliminating fraud through strong public-private collaboration;
- establishing the minimum security standards with which the issuer companies must comply.
The reasons underlying this precise regulatory strategy can be summarised as follows:
- the need to stem the phenomenon of cloning payment cards;
- the need to ensure the public's confidence in non-cash payment instruments;
- the urgency to monitor the phenomenon of fraud so as to evaluate its impact on the economic-financial system.
In specifying the responsibilities and organisation of UCAMP, the Ministerial Decree no. 112 of 30 April 2007 (regulations for the implementation of Law no. 166/2005) establishes the criteria for identifying the reporting companies, specifies the individual items to be reported as data and information, the terms and means for the communication and management thereof, the means for identifying the risk parameters, the make-up and rules for the running of an interdisciplinary work group (GIPAF), the structure of a digital archive (SIPAF), including access levels, and the definition of the means and terms for its integration with data held by the Bank of Italy.
- Agreement between Ministry of the Economy and Finance (MEF) and Ministry of the Interior
Another instrument adopted by the MEF in 2012 as part of the overall system of the administrative prevention of payment card fraud is the agreement for electronic access to the SIPAF which was signed by the MEF and the Ministry of the Interior. More specifically, electronic access to the data and information contained in the digital archive managed by the Central Means of Payment Antifraud Office is granted to authorised users of the police force, in accordance with the provisions contemplated and established by Law no. 166 of 17 August 2005, and the Ministerial Decree no. 112 of 30 April 2007. The police force's access to the databank is, in full respect of privacy regulations, expressly limited to the purposes of preventing and suppressing crimes connected with or related to the use of credit cards or other payment instruments. By interrogating the Department of the Treasury, Directorate V system ("Preventing the use of the financial system for illegal purposes"), the police can now access real-time data and information useful for preventing and suppressing fraud in payments effected through the use of payment cards.
- Methodological approach
For years, UCAMP has continually worked with private security companies in order to secure precise information from those who are dealing with all types of fraud and technological changes on a daily basis. This dialogue with the experts, together with the daily contacts with card issuer companies and other companies, makes it possible to clearly outline a prevention strategy based on various considerations, including:
- the physical cloning of the payment card is the most often reported cause of fraud, even though cloning has continued to decrease, partly due to the almost completed process of migrating to microcircuit cards;
- the best strategy for tackling fraud is to speed up the identification of transactions susceptible of presenting the risk of actual, imminent and detectable fraud;
- in order to increase the speed of identification, it is necessary to pool information regarding the "suspect" transactions that is held by the individual card issuer companies, and the consequent repercussions on the points accepting the payment instruments, whether they are commercial establishments (POS) or ATMs.
With the professional expertise developed in the sector, UCAMP has been able to equip itself with the operational instruments on which the entire system rests: the aforementioned data archive (SIPAF) and interdisciplinary work group (GIPAF).
Laws and regulations