(1) An Authorised Firm must have in place transaction monitoring systems and controls to detect and prevent unauthorised or fraudulent Payment Transactions.
(2) The systems referred to in (1) must be designed to take into account the following fraud risk factors:
(a) compromised or stolen authentication elements;
(b) the amount of each payment transaction;
(c) known fraud scenarios in the provision of the particular Payment Service;
(d) analysis of Payment Transactions typical of the type of Users;
(e) signs of malware infection in any sessions of the authentication procedure; and
(f) if the firm provides the access device or software (the Payment Instrument), a log of the use of the access device or software and abnormal use.