EBA Publishes Yet More SCA Q&As

January 25, 2022
Back
From invoices to API functionality, the European Banking Authority (EBA) has updated its latest answers to questions concerning strong customer authentication (SCA).

From invoices to API functionality, the European Banking Authority (EBA) has updated its latest answers to questions concerning strong customer authentication (SCA).

The EBA has delivered a fresh spate of Q&As regarding SCA, with six new responses to questions sent in by industry representatives and regulators.

Two of them hark all the way back to June 2018, which feels a world away in these unprecedented times.

In the first of these, a credit institution asked the EBA to clarify the irrevocability of a payment order initiated by a payment information service provider (PISP).

Article 80 of the revised Payment Services Directive (PSD2) states that a payment transaction initiated by a PISP cannot be revoked by the payment services user (PSU) after giving consent.

In its response, the EBA confirmed that provided the payer consented to the initiation by the PISP, a single payment transaction initiated by the PISP for immediate execution cannot be revoked.

“This is without prejudice to Article 80(5) PSD2 which sets out in which conditions transactions can be still cancelled after the time limits in Article 80(1) to (4) PSD2."

Meanwhile, in line with the EBA’s opinion, account servicing payment service providers (ASPSPs) should ensure that the interface provided to PISPs allows for the possibility of cancelling an initiated transaction, including payment transactions for immediate execution, as well as future-dated and recurring transactions where these can be cancelled according to PSD2. For example, if agreed between the PSU and the relevant PSPs.

In the other question, the EBA was asked, again by a credit institution, about whether Article 64(2) of PSD2 limits the ability of PISPs to initiate a single payment transaction for immediate execution-only, which the EBA said was not the case.

“This provision does not contain any reference to the time within which a payment transaction shall be executed,” the Paris-based supervisor said, adding that it cannot be inferred from this provision that the article limits the ability of PISPs to initiate only payment transactions for immediate execution.

“Future dated or recurring payment transactions can therefore also be initiated via a PISP,” the EBA said.

A question submitted by an individual in 2019 asked the EBA about how Article 97 of the PSD2 applies for pay-by-invoice when the payer's funds are covered by a credit line extended by a payment service provider.

According to the EBA, this article, in particular, provides that SCA shall be applied to payer-initiated payment transactions.

A "payment transaction" is defined in Article 4 of the PSD2 as meaning “an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee”.

PSD2’s annexe also identifies a payment service as the execution of payment transactions where the funds are covered by a credit line for a payment service user, therefore clarifying that a payment transaction can entail a credit line for the user.

Meanwhile, another question submitted in March of that year by an industry association probes the EBA on what it calls the “demarcation” criteria of the term "remote payment transaction".

According to Article 97 of the PSD2, the SCA of electronic remote payment transactions should include “elements which dynamically link the transaction to a specific amount and a specific payee”.

Based on this, the industry association argued, a PSD2 definition of a remote payment transaction means every contactless card transaction and every payment transaction initiated by a mobile phone could be considered as a remote payment.

“This is obviously not the interpretation by the EBA,” the industry association said.

Article 4 of the PSD2 actually states a remote payment transaction is defined as “a payment transaction initiated via the internet or through a device that can be used for distance communication”.

Here, the EBA has said that a payment transaction is remote when it is initiated via the internet or, in the case where the transaction is initiated via a device, where the physical presence of the device is irrelevant for the initiation of the payment transaction.

In Summer 2019, the EBA was asked by a trade association what the protocol is when there is more than one transaction from a single consumer-initiated transaction.

This could happen, for example, when a consumer elects to add an additional item to their purchase at the time of checkout (a cross-sale), meaning that they are making two purchases from two different merchants in a single session.

“Is SCA required for both of these transactions? This would make the user experience very clumsy and awkward as the consumer would have to go through SCA twice in a row during a single checkout.”

The EBA said that the example provided does not come into the scope of SCA. “The scenario described by the submitter does not explicitly specify whether there are two distinct purchasing acts or two purchases that fall in the same basket,” the EBA says.

Yet, in the case of a so-called cross-sale as described by the submitter, if a payer is requested to initiate two separate payment transactions, then two SCAs need to be undertaken.

If the second purchase qualifies as a merchant initiated transaction (MIT), then SCA would be required to set up the mandate for the MIT.

The most recent of the questions submitted was sent to the EBA in February 2020 by a credit institution.

It concerned where a customer is physically present and identified in a brick and mortar store, whether the SCA requirements are needed if that customer completes a standing order instruction (to set up, amend or cancel) or initiates a credit transfer through a staff-assisted electronic channel such as a tablet device.

Here, SCA is not needed, according to the EBA, as it is similar to a paper-based transaction. “In the case described by the submitter, the payment service user is physically present at the premises of the PSP, the authentication of the payment service user is carried out by the staff of the PSP and the submission of the payment order to execute a credit transfer is carried out with the assistance of the staff of the PSP.”

As it stands, there are 44 questions related to PSD2 and/or SCA that have not been answered yet by the EBA. The authority has answered 198 so far and rejected just nine submissions.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.