PURPOSE: to effectively combat fraud and counterfeiting of non-cash means of payment.

LEGISLATIVE ACT: Directive (EU) 2019/713 of the European Parliament and of the Council on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA.

CONTENT: credit card or online shopping fraud is on the rise. It undermines consumer’s trust and makes consumers more reluctant to make online purchases. In addition, the proceeds of this type of fraud are used to finance criminal groups.

This Directive establishes minimum rules concerning the definition of criminal offences and sanctions in the areas of fraud and counterfeiting of non-cash means of payment. It facilitates the prevention of such offences, and the provision of assistance to and support for victims.

The Directive is technology-neutral and covers not only traditional non-cash means of payment, such as bank cards or cheques, but also new payment methods that have emerged in recent years, such as electronic money, mobile payments and virtual currencies.

The Directive updates and complements existing rules by including new provisions relating in particular to:

the harmonisation of definitions in the areas of fraud and counterfeiting of non-cash means of payment, including hacking into a victim's computer, to ensure a consistent approach by Member States of the application of the Directive and to facilitate the exchange of information and cooperation between competent authorities; the extension of the scope of punishable criminal offences where they are intentional to include, for example, transactions in virtual currencies, fraud relating to information systems, as well as the use or provision of a device, computer data or other means mainly designed or specifically adapted to commit an offence; harmonisation of the rules on penalties applicable to natural persons: the minimum penalties shall range from 1 to 5 years' imprisonment depending on the type of offence. For legal persons, sanctions shall include criminal or non-criminal fines, and possibly sanctions such as temporary or permanent exclusion from access to public funding, prohibition of commercial activity or closure of establishments which have been used to commit the offence; clarification of the scope of competences in order to ensure more effective treatment of cross-border fraud as well as the obligation for Member States to put in place procedures to deal promptly with urgent requests for assistance and measures to ensure that appropriate reporting channels are made available to facilitate reporting to law enforcement authorities and other competent national authorities, without undue delay; assistance and support to ensure that victims who have suffered harm as a result of offences committed through the misuse of personal data are sufficiently informed of their rights and that citizens are provided with advice on how to protect themselves against fraud. Member States are encouraged to set up single national online information tools to facilitate access to support and assistance measures for victims; the collection of statistics on, as a minimum, covering existing data on the number of offences registered by the Member States and on the number of persons prosecuted for and convicted of the offences. By 31 August 2019, the Commission shall establish a detailed programme for monitoring the outputs, results and impacts of this Directive.

ENTRY INTO FORCE: 30.5.2019.

TRANSPOSITION: no later than 31.5.2021.

The European Parliament adopted by 587 votes to 26, with 8 abstentions, a legislative resolution on the proposal for a directive of the European Parliament and of the Council on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA.

The European Parliament's position adopted at first reading under the ordinary legislative procedure amended the Commission's proposal as follows.

Subject matter

The proposed Directive shall establish minimum rules concerning the definition of criminal offences and sanctions in the area of fraud and counterfeiting of non-cash means of payment. It shall also facilitate the prevention of such offences, assist and support victims.

This Directive shall cover virtual currencies only insofar as they can be commonly used for making payments. Member States shall be encouraged to ensure in their national law that future currencies of a virtual nature issued by their central banks or other public authorities shall enjoy the same level of protection against fraud as non-cash means of payment in general.

Digital wallets that allow the transfer of virtual currencies should be covered by this Directive to the same extent as non-cash payment instruments.

Offences

When committed intentionally, the following conduct is punishable as a criminal offence:

- the theft or other unlawful appropriation of a corporeal non-cash payment instrument;

- the fraudulent counterfeiting or falsification of a corporeal non-cash payment instrument;

- the possession of a stolen or otherwise unlawfully appropriated, or of a counterfeit or falsified corporeal non-cash payment instrument for fraudulent use;

- the procurement for oneself or another, including the receipt, appropriation, purchase, transfer, import, export, sale, transport or distribution of a stolen, counterfeit or falsified corporeal non-cash payment instrument for fraudulent use;

- the production, obtaining for oneself or others, including the import, export, sale, transport or distribution of tools used to commit the offences;

- fraud relating to IT systems, i.e. the act of performing or causing a transfer of money, thereby causing an unlawful loss of property for another person in order to make an unlawful gain for the perpetrator or a third party.

Penalties

Offences related to fraudulent use, theft, illegal procurement, counterfeiting of a payment instrument and production of tools used to commit the offences would be punishable by a maximum term of imprisonment of at least 2 years.

Offences related to the unlawful possession or obtaining for oneself or others of a stolen, usurped or otherwise unlawful or falsified payment instrument for fraudulent use would be punishable by a maximum term of imprisonment of at least one year.

Fraud related to information systems would be punishable by a maximum term of imprisonment of at least 3 years.

For legal persons, sanctions shall include temporary or permanent exclusion from access to public funding, including tendering procedures, grants and concessions.

Victim support

Natural and legal persons who have suffered harm as a result of any of the offences being committed by misusing personal data, shall be offered specific information and advice on how to protect themselves against the negative consequences of the offences, such as reputational damage; and a list of dedicated institutions that deal with different aspects of identity-related crime and victim support.

Member States are encouraged to set up single national online information tools to facilitate access to assistance and support for natural or legal persons who have suffered harm as a result of the offences being committed by misusing personal data.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Sylvia-Yvonne KAUFMANN (S&D, DE) on the proposal for a directive of the European Parliament and of the Council on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA.

The committee recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the Commission's proposal as follows.

Subject matter : the proposed Directive shall establish minimum rules concerning the definition of criminal offences and sanctions in the area of fraud and counterfeiting of non-cash means of payment. According to Members, it shall also facilitate the prevention of such offences, assist and support victims and improve cooperation between judicial and other competent authorities.

Offences : Members request that the following be made a punishable criminal offence:

theft or other unlawful appropriation of a payment instrument when committed intentionally; counterfeiting or falsification of a payment instrument, when committed intentionally, in order for it to be used fraudulently; procurement for oneself or another, including import, export, sale and transport, distribution of a payment instrument which has been stolen or otherwise unlawfully appropriated or of a payment instrument counterfeited or falsified, when committed intentionally, in order for it to be used fraudulently

· possession of a stolen or otherwise unlawfully appropriated , or of a counterfeited or falsified, payment instrument, knowing at the time of receipt that such instrument is derived from criminal activity or from an act of participation in such an activity;

· that performing or having someone else perform a transfer of money, monetary value or virtual currencies, in order to make an unlawful gain for the perpetrator or a third party, or causing an unlawful loss of property for a third party, is punishable as a criminal offence, when committed intentionally by directing or redirecting payment service users to imitation websites .

Penalties : offences related to the fraudulent use of payment instruments and those related to information systems shall be punishable by a maximum term of imprisonment of at least 4 years (rather than 3 years). Offences related to the use of devices, computer data or other means specifically designed to commit the offences shall be punishable by a maximum term of imprisonment of at least 3 years (rather than 2 years).

For legal persons, penalties shall include temporary or permanent exclusion from access to public funding, including tender procedures, grants and concessions, both at national and Union level.

The fact that an offence involves a significant aggregate financial advantage or a high number of victims shall be considered an aggravating circumstance.

The Directive shall not prevent Member States from applying stricter rules and sanctions concerning fraud and counterfeiting of non-cash means of payment.

Jurisdiction : where an offence falls within the jurisdiction of more than one Member State, the Member States concerned shall cooperate with one another in order to decide which of them will prosecute the offender with the aim of centralising proceedings in a single Member State, bearing in mind the principle of ne bis in idem . Member States shall have recourse to Eurojust in cases of conflict of jurisdiction or other difficulties.

Cooperation and exchange of information : given the cross-border nature of offences, the prevention and combat of crime, whether organised or not, must be achieved through closer cooperation between police authorities and other competent authorities in the Member States, both directly and through Europol, with a particular focus on improving the exchange of information between authorities responsible for criminal prevention and investigation.

Members proposed to facilitate the immediate reporting of offences, in particular by setting up secure national mechanisms for reporting online fraud. They also suggested the use of standardised Union reporting templates to allow for better threat assessment and to facilitate the work and cooperation of the competent national authorities.

Member States shall take the necessary measures to ensure that financial institutions report without undue delay suspected fraud to law enforcement authorities, financial intelligence units and other competent authorities, for the purpose of detecting, preventing, investigating or prosecuting offences.

Victim support : Members want to strengthen support for victims of non-cash payment fraud as the use of new payment instruments increases the possibility of fraud. Victims who have suffered prejudice as a result of offences committed by the misuse of personal data shall be entitled to free legal aid , at least those who lack sufficient resources to pay for legal aid.

As part of information campaigns, Member States shall develop a permanent online information tool with practical examples of fraudulent practices.

Transposition and reporting : Members proposed to reduce the transposition deadline to one year after the entry into force of the directive and to oblige the Commission to submit an evaluation of the directive after four years.

PURPOSE: to effectively combat fraud and counterfeiting of non-cash means of payment.

PROPOSED ACT: Directive of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure and on an equal footing with the Council.

BACKGROUND: fraud and counterfeiting of non-cash means of payment (including payment cards) is a threat to security:

as it represents a source of income for organised crime and is therefore an enabler for other criminal activities such as terrorism, drug trafficking and trafficking in human beings; as it is also an obstacle to the digital single market . In 2013, fraud using cards issued in the Single European Payment Area (SEPA) reached EUR 1.44 billion, representing growth of 8% on the previous year. 42% of users are concerned about the security of online payments.

The European Agenda on Security acknowledges that Framework Decision 2001/413/JHA insufficiently addresses new challenges and technological developments such as virtual currencies and mobile payments.

Currently:

certain crimes cannot be prosecuted effectively because offences committed with certain payment instruments (in particular non-corporeal) are criminalised differently in Member States or not criminalised; too much time is taken to provide information in cross-border cooperation requests, hampering investigation and prosecution; information sharing gaps in public-private cooperation hamper prevention and criminals exploit the lack of awareness of victims.

Framework Decision 2001/413/JHA therefore needs to be updated and complemented by new provisions on offences, penalties and cross-border cooperation.

This proposal has three specific objectives that address the problems identified:

ensure that a clear, robust and technology neutral policy/legal framework is in place; eliminate operational obstacles that hamper investigation and prosecution; enhance prevention.

Furthermore, revising the present rules will enhance cooperation between the police and judicial authorities as well as between law enforcement agencies and private entities and will contribute to achieving the objectives of the 2001 Council of Europe Cybercrime Convention (Budapest Convention), which represents the international legal reference framework for the EU.

IMPACT ASSESSMENT: since the problem is essentially due to a regulatory loophole , the preferred option is to introduce a new legislative framework and to facilitate self-regulation for public-private cooperation and encourage reporting for public-private cooperation instead of self-regulation, and new provisions on raising awareness.

CONTENT: the proposal for a Directive seeks to establish minimum rules concerning the definition of criminal offences and sanctions in the area of fraud and counterfeiting of non-cash means of payment . While abrogating Framework Decision 2001/413/JHA, the proposal updates most of its current provisions.

Specifically, this proposal:

defines payment instruments in a broader way , including also 'digital exchange instruments', i.e. any electronic money within the meaning of Directive 2009/110/EC of the European Parliament and of the Council, and virtual currencies; criminalises not only the fraudulent use of payment instruments by means of stolen or falsified payment authenticators but also the possession, sale, obtaining for use, importing, distribution or any other form of making a false or falsified, stolen or appropriate payment instrument available by other illegal means. It covers all offences involving payment instruments, whether they are corporeal or not, and therefore also applies to behaviour such as trade in stolen credentials (‘carding’) and phishing; criminalises acts such as hacking a victim’s computer or a device in order to re-direct the victim’s traffic to a forged online banking website, thus causing the victim to make a payment to a bank account controlled by the offender; introduces rules on the level of penalties : it sets a minimum level for maximum penalties (at least three years imprisonment) and provides for more severe penalties (at least five years imprisonment) for aggravated offences, namely: (i) situations where criminal acts are committed within the framework of a criminal organisation; (ii) situations where crime is conducted on a large scale causing considerable overall harm or where a crime involves an aggregate advantage for the offender of at least EUR 20 000; clarifies the scope of the jurisdiction regarding the offences referred to in the proposal by ensuring that Member States have jurisdiction in situations where the offender and the information system that the offender uses to commit the crime are located in different territories; obliges Member States to ensure that victims of non-cash payment fraud are offered information and channels to report a crime and advice on how to protect themselves; introduces measures to improve Union-wide criminal justice cooperation by strengthening the existing structure and use of the operational contact points; stresses the need to raise awareness and thus reduce the risk of becoming a victim of fraud by means of information and awareness-raising campaigns, and research and education programmes.

The Commission shall assess the effects of the Directive six years after the deadline for its implementation.