Single Rulebook Q&A

Question ID: 2018_4048
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Art. 14
Type of submitter: Other
Subject matter : Applicability of Strong Customer Authentication (SCA) to existing recurring payments solutions
Question:

Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?

Background on the question:

The RTS set out an exemption for recurring transactions (Article 14 RTS). In particular, SCA is not required for series of transactions with the same amount and payee. SCA is, however, required “when a payer creates, amends, or initiates for the first time, a series of recurring transactions”.

The RTS do not clarify how this exemption will apply to existing recurring payments solutions once the RTS become applicable. In particular, the RTS do not clarify whether SCA is required for the first recurring transaction carried out after the date of RTS application if the series of recurring transactions was initiated before the date of RTS application.

We believe that a sensible approach would be that recurring payments solutions already in place on the day of RTS application (e.g. existing subscription arrangements) will not require SCA. This is because it is unpractical and technically very difficult to perform SCA for subsequent transactions, as the cardholder is not ‘on-session’. In addition, these transactions have proven to be low-risk.

Date of submission: 28/06/2018
Published as Final Q&A: 14/12/2018
EBA answer:

In accordance with Article 14(1) of the Commission Delegated Regulation (EU) 2018/389, payment service providers shall apply strong customer authentication (SCA) when a payer creates, amends, or initiates for the first time, a series of recurring transactions with the same amount and with the same payee.

Accordingly, for a series of recurring transactions created before the application of the Delegated Regulation, SCA should be required only when there is an amendment to these recurring transactions.

 

Status: Final Q&A
Permanent link: link