Central Bank sets new anti-fraud expectations for instant payments as scams evolve

The Central Bank of Malta has issued a detailed set of supervisory expectations aimed at strengthening fraud prevention measures across Malta’s instant payments ecosystem, as the use of real-time transfers continues to grow.

The notice, published on 23rd June, outlines 11 key expectations for payment service providers (PSPs), including banks and other institutions offering instant payment services, following the introduction of new European Union rules on instant credit transfers.

The guidance comes amid growing concerns about online scams, authorised push payment fraud and account takeover schemes, where criminals manipulate customers into approving transactions themselves.

Among the measures outlined, the Central Bank said payment providers should make it possible for customers to adjust instant payment spending limits at any time and through any payment channel, including mobile banking, internet banking and branch services. While customers must retain control over their limits, providers may apply a temporary delay of up to six hours for remotely requested limit increases where fraud risks are identified.

The bank stressed that any such delay should be risk-based rather than applied automatically and must operate around the clock, reflecting the 24/7 nature of instant payments. Requests made outside office hours should not be postponed until the next working day.

Another key focus of the notice is the registration of new devices. The Central Bank described the addition of a new device as a high-risk event from a fraud perspective and encouraged PSPs to introduce safeguards such as temporary delays before payments can be initiated from newly registered devices, as well as automatic notifications informing customers when a new device is linked to their account.

The Bank also encouraged payment providers to enhance their ability to detect remote access software, screen-sharing tools and other technologies commonly exploited by fraudsters. Where such activity is detected during a banking session, providers are expected to apply proportionate controls, including warnings, restrictions or temporary suspensions of payment functions.

Real-time transaction monitoring features prominently in the supervisory expectations. The Central Bank said providers should maintain both pre-transaction and post-transaction monitoring systems, arguing that relying solely on checks after payments have been completed is insufficient in an environment where funds can be transferred and withdrawn within seconds.

The notice also places renewed emphasis on customer awareness. PSPs are expected to conduct ongoing education campaigns about fraud risks, social engineering scams and safe payment practices through digital platforms, social media, branch networks and other communication channels.

In addition, the bank is encouraging greater collaboration between institutions to share information on suspected fraudulent accounts and emerging threats, noting ongoing European initiatives aimed at improving fraud intelligence sharing across the payments sector.

The Central Bank said payment providers should review their existing systems and conduct a gap analysis against the new expectations. Institutions have two months to submit their findings and implementation plans to the bank, with progress updates required every two months thereafter. Full alignment is expected by no later than 1st July 2027.