- Question ID
-
2020_5070
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Fraud reporting
- Article
-
96
- Paragraph
-
6
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- EBA/GL/2018/05 - Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
- Article/Paragraph
-
14
- Name of institution / submitter
-
National Bank of Belgium
- Country of incorporation / residence
-
Belgium
- Type of submitter
-
Competent authority
- Subject matter
-
Reporting of e-commerce card-based payment transactions falling within the scope of EBA Opinion EBA-Op-2019-06 for which no strong customer authentication was applied
- Question
-
Should e-commerce card-based payment transactions – falling within the scope of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and for which no strong customer authentication was applied – be reported under the higher-level category “Of which authenticated via non-strong customer authentication”?
- Background on the question
-
EBA/GL/2018/05 requires that the data relating to the exemptions to the requirement to use strong customer authentication provided for in Commission Delegated Regulation (EU) 2018/389 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, should be reported in each of the following lines of the respective Breakdowns A (1.3.1.2.4 to 1.3.1.2.9 and 1.3.2.2.4 to 1.3.2.2.8), C (3.2.1.3.4 to 3.2.1.3.8 and 3.2.2.3.4 to 3.2.2.3.7), D (4.2.1.3.4 to 4.2.1.3.6 and 4.2.2.3.4 to 4.2.2.3.6) and F (6.1.2.4 to 6.1.2.9 and 6.2.2.4 to 6.2.2.7) as detailed in Annex 2.
However, EBA Opinion on the elements of strong customer authentication under PSD2, EBA-Op-2019-06, acknowledges that national competent authorities (NCAs) may provide limited additional time for e-commerce card-based payment transactions to allow card-issuing Payment service providers (PSPs) to migrate to authentication approaches that are compliant with Strong Customer Authentication (SCA) and acquiring PSPs to migrate their merchants to solutions that support SCA.
Given that EBA/GL/2018 do not refer to the above-mentioned migration period, and no specific categories were included in the reporting tables for non-strong customer authentication e-commerce card-based payment transactions falling within the scope of EBA-Op-2019-06, lack of clarity exists as to where these transactions ought to be reported.
- Submission date
- Final publishing date
-
- Final answer
-
In accordance with the EBA Guidelines on fraud reporting under PSD2 (EBA/GL/2018/05) as amended by the EBA Guidelines EBA/GL/2020/01, e-commerce card based transactions initiated and executed from 1 July 2020 onwards that are subject to the supervisory flexibility allowed under the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and the EBA Opinion on the deadline for the migration to SCA for e-commerce card-based payment transactions (EBA-Op-2019-11), and for which strong customer authentication (SCA) is not applied for reasons other than an exemption in Articles 11 to 18 of the Commission Delegated Regulation (EU) 2018/389, should be reported under the category “Other”, in row 3.2.1.3.10 / 3.2.2.3.8 of Data Breakdown C, row 4.2.1.3.8 / 4.2.2.3.7 of Data Breakdown D and/or, as applicable, row 6.1.2.11/ 6.2.2.8 of Data Breakdown F.
By contrast, e-commerce card based transactions initiated and executed before 1 July 2020, that are subject to the above-mentioned supervisory flexibility and for which SCA is not applied for reasons other than an exemption in Articles 11 to 18 of the Delegated Regulation, should be reported only under the higher-level category “Of which authenticated via non-strong customer authentication”, and not under the breakdowns underneath relating to the different exemptions to the SCA. However, this will affect the validation rules under the relevant Data Breakdowns in Annex 2, as the total of the transactions reported under the higher-level category “Of which authenticated via non-strong customer authentication” could be higher than the total of the transactions reported under the breakdowns relating to the different exemptions to SCA.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.