Occasionally, PayPal support will claim that their FraudNet or Magnes options are needed for Seller Protection when using our module. That is indeed odd and not something we've had them mention before, nor does their documentation for Billing Agreements. This claim in particular is not true:
When you process Reference Transaction payments, the billing agreement allows buyers to make purchases without logging in to their PayPal accounts. This means we don’t receive any session data about the buyer, making it much more challenging to determine if a payment is fraudulent.
Clients are forced by PayPal to login when creating a Billing Agreement and are taken to the PayPal website to do so, and PayPal are provided with all of the available client data from WHMCS to enable them to perform fraud checking. Neither FraudNet (which is for their unrelated Checkout offering) nor Magnes (which is for Android and iOS apps) would apply here. The wording they are using is quite alarmist, but their own messaging usually confirms that neither are actually required:
Please be aware that cases arising from unauthorized activity on Reference Transaction payments without the Risk Data passed will not be covered by Seller Protection, as specified in the User Agreement (PayPal Seller Protection section).
Generally as long as you are using fraud protection in WHMCS (such as Maxmind), this shouldn't be an issue - clients would need to login at PayPal as advised above and payments should be covered as a result.