Is it acceptable to calculate the fraud rate for the application of the TRA exemption per ETV band?
There are contrasting views as to how the reference rate for the application of the TRA exemption should be calculated in relation to the ETVs. This creates significant confusion for PSPs and may inhibit their ability to apply the TRA exemption and provide a smooth service to consumers. One view is that to unlock the TRA exemption for low risk transactions up to EUR100, the gross fraud level for all transactions of all values must be less than 13 bps. Subsequently, to unlock the TRA exemption for low risk transactions up to EUR250 the gross fraud rate for all transactions must be less than 6bps, and so on for transactions up to EUR500. This would significantly decrease the likelihood that any PSP would be able to apply the TRA exemption to higher value transactions.
In accordance with Article 19(1) of the Commission Delegated Regulation (EU) 2018/389, “the payment service provider shall ensure that the overall fraud rates covering both payment transactions authenticated through strong customer authentication and those executed under any of the exemptions referred to in Articles 13 to 18 are equivalent to, or lower than, the reference fraud rate for the same type of payment transaction indicated in the table set out in the Annex”. The Annex to this Delegated Regulation distinguishes between reference fraud rates for card payments and those for credit transfers. The reference fraud rates also differ depending on the exemption threshold value (ETV). Further, in accordance with Article 18(2)(b) of this Delegated Regulation, “the amount of the transaction [shall] not exceed the relevant ETV specified in the table set out in the Annex”. Accordingly, to apply the exemption under Article 18 of this Delegated Regulation to a remote electronic card-based payment transaction of a value of EUR 100 or less, the payment service provider will need to have a fraud rate for card payments of 0.13 % or less. To apply the exemption for a remote electronic card-based payment transaction with a value up to EUR 250, the payment service provider (PSP) will need to have a fraud rate for card payments of 0.06 % or less. The same principle applies to transactions of a value up to EUR 500.
The relevant fraud rate for the PSP to calculate, which is to be compared with the reference fraud rate, is not calculated per band but instead at the level of each type of transaction, referred to in the Annex of the Delegated Regulation as either “remote electronic card-based payments” or “remote electronic credit transfers”.
This means that if a payment service provider has a fraud rate of 0.10 % or less for all remote electronic card based payments (regardless of the transaction amounts), only remote electronic card based payment transactions up to EUR 100 will be able to be exempted from the obligation to apply Strong customer authentication (SCA).