Question ID:
2018_4031
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
1
Type of submitter:
Other
Subject Matter:
Applicability of SCA to ‘card payments initiated by the payee only’
Question:

Are card payments that are initiated by the payee only on the basis of (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services, subject to the RTS SCA requirements?

Background on the question:

‘Card payments initiated by the payee only’ are transactions initiated by the payee without interaction of the payer. They are characterized by a lack of involvement of the payer in triggering each individual payment.

These payments are based on (1) an initial mandate by the payer authorizing the payee to initiate the periodic payments and (2) a pre-existing agreement between the payer and the payee for the provision of products or services.

‘Card payments initiated by the payee only’ include, for example:

- Utilities bill payments (e.g. electricity bills), pay-TV and mobile phone subscriptions;

- Car/bike sharing transactions;

- Digital services subscriptions;

- Insurance premium payments.

In our view, ‘card payments initiated by the payee only’ are out of scope of the RTS SCA requirements. The PSD2 requires SCA “where the payer [...] initiates an electronic payment transaction” (Article 97(1)(b) PSD2). This means that the SCA requirements apply only to:

- Transactions initiated by the payer (e.g. credit transfers); and

- Transactions initiated by the payer through the payee (e.g. card transactions initiated by the payer at a POS, online or in-app).

The EBA confirmed that transactions initiated by the payee only, such as direct debits, are excluded from the SCA requirements (page 7, point 13 of the EBA final draft RTS of February 2017). The PSD2 also expressly recognizes that there exist ‘card payments initiated by the payee only’ (Article 75 PSD2). Their functioning is identical to that of direct debits:

- With direct debits, the payer gives a mandate to a payee to initiate periodic payments. Subsequent direct debit transactions are then initiated by the payee only, without any interaction by the payer. Like direct debits, ‘card payments initiated by the payee only’ are also based on a mandate by the payer to a payee to initiate periodic payments. Subsequent card transactions are then initiated by the payee only, without any interaction by the payer;

- Like direct debits, ‘card payments initiated by the payee only’ happen when the payer is ‘off-session’ (e.g., is asleep) as opposed to ‘on-session’ (e.g., is sitting in front of the computer or is using a smartphone). For this reason, the payer cannot technically authenticate the transaction;

- Like direct debits, ‘card payments initiated by the payee only’ are essential for those use cases where the payer is charged after using a service (e.g., electricity consumption, car-sharing service, transport, movie or music download). In all these cases, the payer has agreed to the provision of services through a pre-existing agreement with the merchant and has expressly authorized the payee to initiate each periodic payment;

- Like direct debits, ‘card payments initiated by the payee only’ are very secure and enjoy minimal fraud levels. In addition, in order to eliminate fraud risks connected to possible data breaches, ‘card payments initiated by the payee only’ will increasingly rely on tokenization. Tokenized card data cannot be used, if stolen through a data breach, to commit fraud;

- Both for direct debits and for ‘card payments initiated by the payee only’ the PSD2 provides identical protection to the payer for unauthorized and fraudulent payments (Articles 73 and 74 PSD2). The PSD2 provisions on the payer’s refund right for fraudulent transactions apply equally to card payments and direct debits. These provisions provide that the payer’s PSP is liable for fraudulent transactions (Article 73 PSD2). The payer can be held liable up to EUR 50 under certain circumstances (Article 74(1) PSD2). As SCA is aimed at reducing fraud and these liability rules apply regardless of whether the payment is made with a card or a direct debit, there is no reason to discriminate between direct debits and ‘card payments initiated by the payee only’ in relation to the application of SCA.

- For authorized payments, the PSD2 provides for a refund right for a period of 8 weeks from the date on which the funds were debited if the following conditions are met:

  - The authorization did not specify the exact amount of the payment when the authorization was made;

  - The amount of the payment exceeded the amount the payer could reasonably have expected taking into account the previous spending pattern, the conditions in the framework contract and relevant circumstances of the case (Articles 76(1) and 77(1) PSD2).

This refund right is applicable to authorized payments “initiated by or through a payee”. Thus, it is valid both for card payments and direct debits. The only difference is that, with SEPA direct debits, the payer’s refund right is ‘unconditional’ (i.e., it is on a ‘no-questions-asked’ basis). This refund right is only for authorized payments and has nothing to do with fraud, fraudulent payments, or the reasons why SCA should or should not be applied.

- Like for direct debits, the initial act of authorizing the subsequent ‘card payments initiated by the payee only’, if performed electronically through a remote channel (online or in-app), will similarly require SCA under Article 97(1)(c) PSD2.

Since the PSD2 and RTS provisions are based on the principle of technical neutrality, transactions ‘initiated by the payee only’ that are out of scope of the RTS SCA requirements should include both direct debits and ‘card payments initiated by the payee only’. Thus, ‘card payments initiated by the payee only’ are also excluded from the SCA requirements.

This interpretation would ensure a level playing field in the industry between ‘card payments initiated by the payee only’ and direct debits. We believe that national competent authorities across Europe should adopt a common position to recognize that ‘card payments initiated by the payee only’ are outside the scope of application of the PSD2 and RTS SCA requirements. This is of paramount importance for the continued emergence and use of digital services and products in the European Digital Single Market. A lack of harmonization would result not only in an uneven playing field between payment instruments, which is contrary to PSD2, but also in significant differences and negative consequences for merchants and cardholders.

Finally, please note that ‘card payments initiated by the payee only’ do not include card payments initiated with cards for which the card data has been registered on file with the merchant and the payer is triggering each individual payment (so-called ‘Card-on-File’ payments). A typical example of a ‘Card-on-File payment’ where the payer is triggering each individual payment is an e-commerce transaction initiated by a cardholder on the merchant’s website after having registered the card data on the merchant’s file. ‘Card-on-File payments’ where the payer is triggering each individual payment are card payments characterized by the involvement of the payer in initiating each individual payment. For these payments, the payer initiates each payment by clicking on the purchase button on the merchant’s website or app. These are therefore card payments initiated by the payer ‘through the payee’ and not ‘card payments initiated by the payee only’. The RTS SCA requirements apply to these ‘Card-on-File payments’ where the payer is triggering each individual payment.

Date of submission:
28/06/2018
Published as Final Q&A:
01/03/2019
EBA Answer:

Pursuant to Article 97(1) PSD2, Member States shall ensure that a payment service provider applies strong customer authentication when the payer (a) accesses its payment account online, (b) initiates an electronic payment transaction, or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Payment transactions that are not initiated by the payer but by the payee only are therefore not subject to strong customer authentication (SCA) to the extent that these transactions are initiated without any interaction or involvement of the payer.

Card-based transactions imply an action of the payer in the initiation of the transaction, involving the use of a payment card or a similar device that has been issued to the payer and that is accepted as a payment method by the payee. Card-based transactions are therefore considered as payment transactions initiated by the payer through the payee.

However, where the payer has given a mandate authorising the payee to initiate a transaction or a series of transactions through a particular payment instrument that is issued to be used by the payer to initiate the transactions, and where the mandate is based on an agreement between the payer and that payee for the provision of products or services, the transactions initiated thereafter by the payee on the basis of such a mandate can be qualified as payee initiated transactions, provided that those transactions do not need to be preceded by a specific action of the payer to trigger their initiation by the payee.

Where the mandate of the payer to the payee to initiate these transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) of the PSD2.

The payment transactions by the payee that are based on the mandate are subject to the general provisions of PSD2 that also apply to payee initiated transactions (e.g. Articles 75-78 PSD2).

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status:
Final Q&A