EBA Clarifies Fraud Reporting, SCA Requirements Under PSD2

June 18, 2024
Payment service providers at both ends of a fraudulent card transaction must report it under the European Banking Authority's (EBA) fraud reporting guidelines, and must keep the elements of strong customer authentication independent of one another even when banking and payment authentication are delivered through a single mobile app, the regulator has said in answers to questions from regulated companies about the Payment Services Directive (PSD2).

Mastercard submitted the first question to the EBA from its Polish office, asking how to treat transactions initiated by payment service providers (PSPs), such as refunds and chargebacks, that are related to cardholder actions.

Mastercard's April 2023 submission states: "As per guidelines 3.1/7.11, transactions should be reported by the initiator to avoid duplication by multiple entities."

Mastercard also expressed doubts about whether the issuer is the initiator of direct transfers such as MoneySend (Mastercard's push-payment service), reversals, chargebacks and second presentments.

"Hence we are looking for legitimate confirmation," the company says.

The EBA has responded stating that Guidelines 2.11, 7.11 and 7.12 of the EBA Guidelines on fraud reporting under PSD2 require reporting of payment transactions and fraudulent transactions involving payment cards by both the payer’s and payee’s PSP.

The banking authority further clarified that the payer’s PSP (issuer) reports under Data Breakdown C in Annex 2 of the guidelines, while the payee’s PSP (acquirer) reports under Data Breakdown D in Annex 2 of the guidelines.

The EBA has also directed Mastercard to Q&A 4855, which clarifies that a refund initiated by a merchant, acting as a payer, is an electronic payment transaction initiated by the payer.

Refunds made by a merchant with a payment card, and chargebacks returned to the issuer, must therefore be reported in line with Guidelines 2.11, 7.11 and 7.12, by both the payer's and the payee's PSP.

Mobile banking 

A question submitted by an unnamed consultancy firm in June 2023 related to using in-app strong customer authentication (SCA). 

"We use a mobile app, software installed in a separate sandbox on a multi-purpose device, for the elements of strong customer authentication. Is it correct to assume that Article 9 (in Commission Delegated Regulation (EU) 2018/389) does not prevent us from offering mobile banking services through the same app?" the consultancy firm asked.

Here, the EBA said that Article 9(1) of the regulation requires PSPs to ensure that the SCA elements defined in Articles 6, 7 and 8 (knowledge, possession and inherence) remain independent.

A breach of one element must not compromise the reliability of the others, in terms of technology, algorithms and parameters. Article 9(2) adds that where any of these elements, or the authentication code itself, is used on a multi-purpose device, the PSP must adopt security measures that mitigate the risk of that device being compromised.

Article 9 therefore governs the independence and security of the authentication elements; it does not prohibit a PSP from offering mobile banking services and payment transaction authentication through the same mobile app.

In addition, Article 9(3)(a) requires that the security measures for elements hosted on a multi-purpose device include the use of separated secure execution environments through software installed inside the device, which is the kind of isolation the consultancy's sandboxed app is intended to provide.

Q&As

The Paris-based regulator answered the questions on June 14.

The EBA's answers can cut both ways. Some entities will be relieved to have confirmation that their practices comply with EU regulations.

Others may discover that their standard procedures do not meet PSD2 requirements, which is why one Brussels-based payments adviser once joked to Vixio that they tell clients to be careful what they ask the regulator.

To date, the EBA has answered 243 PSD2-related questions, rejected 20 and has 18 under review, including four submitted as far back as October 2021.

In addition, it has answered three questions related to the Electronic Money Directive (EMD) and has three under review, with two submitted in 2022 and one in 2023.
