SEPA Kicks Off in EU—With Unintended Fraud Risk

The first stage of the Single European Payments Act (SEPA) takes effect this week—and introduces an inadvertent security threat, an ATM fraud expert tells BS&T.

Although bank card transactions won't become SEPA compliant——meaning no distinction is made between domestic and cross-border transactions within the EU—until at least next year, fraud experts are readying themselves for a new threat SEPA poses, says Tero Toivonen, detective sergeant with Finland's National Bureau of Investigation.

The issue is that many smaller nations, such as Finland, have had ATM cards that worked nationally only, making them unappealing targets for international crime gangs, he explained. "Many small countries have cards that work nationally only, but when SEPA comes into effect they must work internationally," Toivonen says. This shift is part of SEPA's broad thrust to standardize all payments across the EU zone.

The typical pattern of international crime gangs is to steal ATM data in relatively wealthy European countries, then clone cards based on that information and withdraw funds in other countries, particularly in Eastern Europe. That offered some protection to ATM cards that could only be used in the home country.

In Finland, Toivonen says, "More than half of our bank cards work nationally only, which makes them unattractive to criminals." That has been a factor in Finland's enviably low fraud rate,— which is only 10 basis points of the ATM fraud rate in Germany, for example.