ECB
Oversight framework for direct debit schemes
October 2010
fraud, since this can be defined as a wrongful or
criminal deception which may lead to a financial
loss for one of the parties involved and may
reflect inadequate safety arrangements. A typical
fraud risk is the unauthorised debiting of the
payment account, which could potentially have
an impact on some involuntary payers. Some
fraud risks are due to specific technological
choices, such as the routing and lodging of the
mandate and the verification of the validity of
direct debit transactions.

Reputational risk can be defined as the potential
for negative publicity surrounding an institution’s
business practices – whether grounded in fact or
not – to cause a decline in the customer base,
costly litigation, decreased revenue, liquidity
constraints or significant depreciation in market
capitalisation. For a direct debit scheme, the
complexity of the scheme and the high level
of automation involved in the processing of
transactions make it difficult for customers to
understand in detail how it functions. However,
direct debit schemes are closely linked to the
operational processes of business end-users,
who are able to assess the extent to which the
scheme is capable of satisfying their operational
needs. This is an important parameter for
end-users when choosing a scheme, together with
its reputation and cost. What makes reputational
risk difficult to quantify and/or identify is that
it is both a risk in itself and a derivative risk,
i.e. one which stems from other areas of risk and
vulnerability. Damage to the scheme’s reputation
might be the unexpected outcome of operational
problems or of the provision of erroneous or
insufficient information to end-users. In other
words, as with bank runs, reputational risk
generally results from vulnerabilities in other
risk areas. However, once it has started, it has its
own relevance and requires specific action.

Overall management risk generally arises owing
to a lack of strategic choices and policies for
the adequate governance and management
of the scheme. An overall management risk
usually arises if roles and responsibilities are
not properly assigned and if decisions regarding
objectives and performances are not shared by
all actors. An overall management risk often
leads to other risks (operational, legal, etc.),
since it relates to the core governing functions of
any direct debit scheme. The main consequences
of this risk are a potential conflict of interests
among actors and an inability or unwillingness
to sustain market dynamics and innovations and
to react appropriately to crises. This risk may
also have an impact on competitiveness if access
policies are non-transparent and inappropriate.
The lack of a proper definition of roles and
responsibilities can hamper a prompt reaction in
the event of a crisis.

4 SCOPE OF THE FRAMEWORK

The Eurosystem will apply this framework to
the SEPA direct debit scheme. Each NCB may
also decide to apply these standards for the
oversight of other national (non-SEPA) payment
instruments, if they deem this to be appropriate.
Since the goal of the SEPA initiative is a
migration to common standards, the introduction
of oversight for national payment instruments
in countries where there is no such oversight
thus far should only be envisaged if there is
sufficient evidence that the national systems will
not be phased out within the applicable SEPA
deadlines.

As explained in the “Harmonised oversight
approach and oversight standards for payment
instruments”, the Eurosystem intends to avoid
overlaps and duplication of work between the
oversight standards for payment instruments
and other oversight activities or regulations,
e.g. other Eurosystem oversight frameworks
(such as those for large-value and retail
payment systems) or other regulatory authorities
(such as banking supervisors). Where the direct
debit scheme uses payment systems within
the oversight scope of a Eurosystem central
bank (e.g. for clearing and settlement), the
governance authority can take this into account
in its risk assessment. The overseer may also
consider the results of Eurosystem oversight
activities, relevant assessments or activities of
supervisory bodies and include, where relevant,