Is only the Payment Service Provider (PSP) applying the TRA exemption required to have a fraud level below the reference fraud rate?
Each PSP can apply the TRA exemption on the basis of its own fraud rates, regardless of the fraud rates of the other PSPs involved in the transaction.
This is because, for example, the issuer is not expected to know the acquirer’s fraud rates. The RTS do not provide that national competent authorities and/or schemes share fraud rates of each issuer and acquirer.
Yes, only the payment service provider (PSP) wishing to apply the transaction risk analysis (TRA) exemption should have fraud level below the reference fraud rates specified in the table set out in the Annex to the Commission Delegated Regulation (EU) 2018/389.
In accordance with Article 18(1) of the Delegated Regulation, a PSP may apply the exemption if a given transaction is identified “as posing a low level of risk”. Further, in accordance with Article 19 of this Delegated Regulation, the PSP shall ensure that its overall fraud rate shall be “equivalent to, or lower than, the reference fraud rate for the same type of payment transaction”.
In the case where the fraud level of the issuer is below the reference fraud rate but the acquirer’s fraud rate is above, only the issuer would decide whether to apply the TRA exemption or not.
In the case where the fraud level of the acquirer is below the reference fraud rate but the issuer’s fraud rate is above, the acquirer can decide whether to apply the TRA exemption or not. However, in line with the clarifications provided in table 2 “Summary table on who may apply an exemption” of the EBA Opinion on the implementation of the RTS on Strong customer authentication and secure communication (EBA-Op-2018-04), the payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption. This means that the payer’s PSP (the issuer) may accept the TRA exemption to be applied by the acquirer. However, in the event that the issuer would not accept the TRA exemption to be applied by the acquirer and wishes to apply strong customer authentication (SCA), the issuer would either apply SCA to the transaction or decline the transaction if it was not technically feasible to apply SCA.
Q&A 2018_4042 provides additional information on how the liability requirements under Article 74(2) of PSD2 would apply in the cases described above.