Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Subject Matter:
Transaction Risk Analysis (TRA) exemption – Time period for calculation of initial fraud rate

What is the relevant time period to use when calculating the initial fraud rate for use when the Strong Customer Authentication (SCA) comes into force?

Background on the question:

The relevant time period for calculating the fraud rate that will determine if a Payment Service Provider (PSP) can apply the TRA exemption on the day SCA comes into force is unclear. There are 2 main options: (1) all PSPs will have a clean slate (i.e. 0%) fraud rate on day one and be able to apply the TRA exemption for the first quarter without restriction; or (2) the fraud rate on day zero is calculated based on the previous 3 months occurrences of fraud before PSPs have had the opportunity to apply SCA or the exemptions.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 19(1) of the Commission Delegated Regulation (EU) 2018/389 states that “the overall fraud rate for each type of transaction shall be calculated as the total value of unauthorised or fraudulent remote transactions, whether the funds have been recovered or not, divided by the total value of all remote transactions for the same type of transactions, whether authenticated with the application of strong customer authentication or executed under any exemption referred to in Articles 13 to 18 on a rolling quarterly basis (90 days)”. The Delegated Regulation shall apply from 14 September 2019 and there are no transitional arrangements with regard to the calculation of the fraud rate. Accordingly on day 1 of the application of the Delegated Regulation, payment service providers intending to apply the transaction risk analysis exemption, would need to have on 14 September 2019 an overall fraud rate for card payments or credit transfers below the reference fraud rates provided in the Annex to the Delegated Regulation. The rate should be calculated in accordance with Article 19 of the Delegated Regulation, namely the total value of all unauthorised or fraudulent transactions divided by the total value of all payment transactions for card payments or credit transfers respectively, irrespective of whether Strong Customer Authentication (SCA) has been applied or not, based on the data for the preceding (calendar) quarter.

Final Q&A