Question ID:
2018_4030
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
1
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Geographical scope of application of the RTS on strong customer authentication (SCA) and secure communication requirements – ‘Two-leg’ transactions
Question:

Is it necessary that issuer, acquirer, cardholder and merchant be all located in the EEA for the RTS on SCA requirements to apply to two-leg transactions?

May the issuer use the merchant’s location as a proxy (in lieu of the acquirer’s location)?

Background on the question:

The PSD2 applies to payment transactions where both the issuer and the acquirer are located within the EEA (‘two-leg’ transactions).  The location of the cardholder and the merchant is not relevant. 

This is because only the location of the ‘payer’s payment service provider’ (i.e., in the case of card transactions, the issuer) and of the ‘payee’s payment service provider’ (i.e., in the case of card transactions, the acquirer) is relevant to determine whether a transaction is subject to the PSD2 requirements (Article 2 PSD2).

Other industry players argue that the location of the cardholder and the merchant is relevant and the RTS apply only if all the parties involved in the transaction (i.e., not only the issuer and the acquirer, but also the cardholder and the merchant) are located in the EEA. 

In our view, the location of the merchant may only be taken into account if the issuer is technically unable to determine the location of the acquirer.  In this case, the issuer should be allowed to take the location of the merchant as a proxy (in lieu of that of the acquirer).

Date of submission:
28/06/2018
Published as Final Q&A:
06/09/2019
EBA Answer:

Article 2(1) PSD2 states that the Directive applies to payment services provided within the Union. According to Article 2(2) PSD2 Title IV, including Article 97 PSD2, applies to payment transactions in the currency of Member State where both the payer's payment service provider (PSP) and the payee's PSP are, or the sole PSP in the payment transaction is, located within the Union (two-leg transaction).

It follows that where both PSPs are, or the sole PSP in a payment transaction is, located within the Union, strong customer authentication (SCA) has to be applied in accordance with Article 97 PSD2 and the Commission Delegated Regulation (EU) 2018/389.

In regards to the geographical scope as defined in Article 2(2) PSD2 the location of the payer and/or the payee is not relevant. The PSPs are the obliged entities in regards to SCA.

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status:
Final Q&A