
PSD2 and Draft EBA RTS – Outstanding Questions

4 May 2017

Article written by Scott McInnes, Brussels Partner of Bird & Bird LLP, who specialises in competition law as well as the regulation of financial services, in particular payments.

The purpose of this article is to highlight some of the questions that are still open on the topic of SCA (Strong Customer Authentication) and Third Party Provider (TPP) access to the payment account after the draft Regulatory Technical Standards published by the EBA on 23 February 2017.

Low-value payments (LVP)

The EBA proposed an exemption for contactless low-value payments in the face-to-face world, as well as low-value remote (e.g. online) payments. Those exemptions are based on the value of each individual payment (below 50 EUR for face-to-face contactless payments, below 10 EUR for remote payments), but also a cumulative value or number of previous contactless payments without SCA (150 EUR or five contactless transactions) and previous remote payments without SCA (100 EUR or five remote transactions).

The problem is that the PSP (Payment Service Provider) of the merchant (the „acquirer” in relation to card payments) is unable to keep track of the cumulative value or the cumulative number of transactions without SCA (only the PSP of the payer, i.e. the „issuer” in relation to card payments, is able to keep track of that cumulative value or cumulative number of transactions).

For example, in the case of remote payments, if I want to shop online at a particular web merchant, how is the PSP of that web merchant supposed to know that I already spent X Euros at other web merchants without performing SCA, or that this would be my 6th remote transaction without SCA?

In practice, it is impossible for the acquirer to know – and therefore acquirers face a dilemma in relation to the LVP exemption:

1. either implement a „no risk approach”, i.e. always request that the issuer perform SCA even for LVP transactions, since there is always a risk that the cumulative value/number of transactions limit will be exceeded, and let the issuer determine whether the conditions for the LVP exemption are met and therefore allow the transaction to take place without SCA; or

2. adopt the „risky approach”, i.e. never request SCA in relation to LVP transactions, but therefore take the risk that, once in a while, the acquirer will violate the RTS since the acquirer should legally be requesting SCA given that the limit on the cumulative value or number of previous transactions has already been reached. The acquirer would also take the risk that, if the issuer realises that the transaction does not benefit from the LVP exemption/cannot take place without SCA, the issuer will decline the transaction – and the acquirer will have to re-submit the transaction, but this time requesting the issuer to perform SCA.
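The information asymmetry behind this dilemma, as an added example that is not part of the original article: a constructed issuer-side counter for the remote LVP exemption, using the thresholds quoted above, replayed under both acquirer options. All names are hypothetical; counting the current payment towards the cumulative limit and resetting the counters after an SCA are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Remote LVP thresholds as quoted in the article from the draft RTS.
PER_TX_LIMIT = Decimal("10")       # each payment must be below 10 EUR
CUMULATIVE_LIMIT = Decimal("100")  # cumulative value without SCA
MAX_EXEMPT_COUNT = 5               # previous payments without SCA

@dataclass
class IssuerLvpCounter:
    """Per-payer state; only the payer's PSP (issuer) sees every merchant."""
    exempt_total: Decimal = Decimal("0")
    exempt_count: int = 0

    def sca_required(self, amount):
        # Assumption: the cumulative check includes the current payment.
        # Below 10 EUR per payment the count limit trips first; both are
        # kept because the article quotes both.
        return (amount >= PER_TX_LIMIT
                or self.exempt_count >= MAX_EXEMPT_COUNT
                or self.exempt_total + amount > CUMULATIVE_LIMIT)

    def authorise(self, amount, sca_requested):
        if self.sca_required(amount):
            if not sca_requested:
                return "declined_sca_needed"  # acquirer must re-submit
            # Assumption: a completed SCA resets both counters.
            self.exempt_total, self.exempt_count = Decimal("0"), 0
            return "approved_with_sca"
        # Exemption conditions met: the issuer lets the payment through.
        self.exempt_total += amount
        self.exempt_count += 1
        return "approved_no_sca"

def replay(payments, always_request_sca):
    """Run one payer's payments under acquirer option 1 (True) or 2 (False)."""
    issuer, log = IssuerLvpCounter(), []
    for merchant, amount in payments:
        amount = Decimal(amount)
        msgs = [issuer.authorise(amount, always_request_sca)]
        if msgs[0] == "declined_sca_needed":  # option 2 only: second round trip
            msgs.append(issuer.authorise(amount, True))
        log.append((merchant, msgs))
    return log

# Constructed sample: six payments by one payer at six different merchants.
SAMPLE = [("shop-a", "9"), ("shop-b", "8"), ("shop-c", "9"),
          ("shop-d", "7"), ("shop-e", "9"), ("shop-f", "5")]
```

No single merchant in the sample sees more than one payment, so none of the six acquirers could have predicted that the sixth one needs SCA; under option 2 it costs a decline and a second submission.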

Transaction Risk Analysis (TRA): how is the „ping pong” between the acquirer and the issuer expected to work in practice?

The draft EBA RTS contains the concept of TRA (generally referred to as RBA/Risk-Based Assessment or Risk-Based Authentication), i.e. the possibility for the PSP of the payee (the „acquirer” in the case of card payments) and the PSP of the payer (the card „issuer” in the case of card payments) to determine that a transaction is „low risk” and therefore not request (for the acquirer) or perform (for the issuer) SCA – subject to certain requirements (e.g. having fraud transaction monitoring mechanisms in place, having fraud levels below certain thresholds, etc.). However, it is not obvious in practice how the TRA „ping pong” between acquirers and issuers is supposed to take place. Below is the author’s simplified understanding of what the draft EBA RTS seem to provide for:

1. If the acquirer does not meet the conditions to do TRA (e.g. transaction above 500 EUR, or transaction below 500 EUR but the acquirer does not meet the fraud thresholds), the acquirer will request the issuer to perform SCA. If the issuer doesn’t meet the conditions for TRA, or if it does but considers that the transaction is high-risk, the issuer will perform SCA. If the issuer meets the conditions for TRA and concludes that the transaction is low-risk, the issuer could move to the next stage of the payment process (i.e. the authorisation stage) without performing SCA.

2. If the acquirer meets the conditions to do TRA (e.g. transaction below 500 EUR and basis points of fraud below the required thresholds), performs its TRA and:

- concludes that the transaction is high-risk, the acquirer needs to request the issuer to perform SCA (see point 1 above);

- concludes that the transaction is low-risk, the acquirer will not request the issuer to perform SCA – and therefore, technically, the issuer will not be able to perform SCA. If the issuer agrees that the transaction is low-risk, the issuer will authorise the transaction with no SCA taking place.

However, if the issuer considers that the transaction is high-risk, or if the issuer realises that the acquirer should have requested SCA (e.g. the transaction is above 500 EUR), the issuer is apparently expected to decline/not authorise the transaction (presumably this is what the EBA means in their draft RTS when they refer to the fact that the issuer always has „the last say”); in which case the acquirer may decide to re-submit the transaction to the issuer, but this time requesting the issuer to perform SCA (see point 1 above).
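The exchange described in points 1 and 2, as an added example that is not part of the original article: a constructed model of the acquirer/issuer decisions that counts the round trips for each combination of risk verdicts. All names are hypothetical; treating exactly 500 EUR as eligible, applying the same ceiling to the issuer, and the acquirer always re-submitting after a decline are assumptions.

```python
from dataclasses import dataclass
from itertools import product

TRA_AMOUNT_LIMIT = 500  # EUR ceiling used in the article's example

@dataclass(frozen=True)
class Psp:
    fraud_below_threshold: bool  # PSP's fraud rate meets the RTS thresholds
    rates_low_risk: bool         # result of this PSP's own risk analysis

    def exempts(self, amount):
        """True if this PSP may apply TRA and rates the payment low-risk."""
        # Assumption: a payment of exactly 500 EUR still qualifies.
        eligible = amount <= TRA_AMOUNT_LIMIT and self.fraud_below_threshold
        return eligible and self.rates_low_risk

def issuer_decision(issuer, amount, sca_requested):
    if issuer.exempts(amount):
        return "authorise_without_sca"
    # Without an SCA request the issuer cannot challenge the payer, so its
    # "last say" is a decline.
    return "perform_sca" if sca_requested else "decline"

def ping_pong(acquirer, issuer, amount):
    """Return the list of (sca_requested, issuer_decision) round trips."""
    requested = not acquirer.exempts(amount)
    trips = [(requested, issuer_decision(issuer, amount, requested))]
    if trips[0][1] == "decline":
        # Assumption: the acquirer chooses to re-submit, now requesting SCA.
        trips.append((True, issuer_decision(issuer, amount, True)))
    return trips

def outcome_matrix(amount):
    """Final decision and round-trip count for each acquirer/issuer verdict."""
    matrix = {}
    for acq_low, iss_low in product((True, False), repeat=2):
        trips = ping_pong(Psp(True, acq_low), Psp(True, iss_low), amount)
        matrix[(acq_low, iss_low)] = (trips[-1][1], len(trips))
    return matrix
```

For a payment under the ceiling, the only combination that costs two round trips is the acquirer rating the payment low-risk while the issuer does not.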
