Question ID:
2018_4233
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
2
Paragraph:
4
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
1
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Swedish Bankers’ Association
Country of incorporation / residence:
Sweden
Type of submitter:
Industry association
Subject Matter:
Is the scope of the RTS on strong customer authentication (SCA) and secure communication one-leg or two-leg?
Question:

Does the PSD2 requirement on SCA, and subsequently the detailed requirements in the RTS on SCA including the practical usage of the allowed exemptions, apply also to one-leg transactions, with regards to:

  1. Transactions with the payer’s payment service providers (PSP) outside the EEA (credit transfers as well as card-based payments)?
  2. Credit transfers with the payer’s PSP inside the EEA and the payee’s PSP outside the EEA?
  3. Card-based payments with the payer’s PSP (the issuer) inside the EEA and the payee’s PSP (the acquirer) outside the EEA, when the non-EEA acquirer does support SCA?
  4. Card-based payments with the payer’s PSP (the issuer) inside the EEA and the payee’s PSP (the acquirer) outside the EEA, when the non-EEA acquirer does not support SCA?
Background on the question:

The Level 1 text of PSD2, in Article 2(4), expands (as compared with PSD1) the scope of the Directive to one-leg transactions where “only one of the payment service providers is located within the Union [EEA], in respect to those parts of the payments transaction which are carried out in the Union [EEA].”, except for a specified list of articles. As Articles 97-98 are not listed among those exempted from the one-leg scope, the one-leg scope applies to Articles 97-98 on SCA and the RTS.

As SCA is always performed by the PSP of the payer, for card-based payments as well as for credit transfers, the articles 97-98 cannot apply to transactions with a non-EEA PSP of the payer. It is worth noting that even if e.g. the card chip is read by and the PIN is entered into a terminal at a merchant acquired by an EEA PSP, this is only data collection on behalf of the non-EEA issuer, and the authentication is therefore always performed by the non-EEA issuer; the EEA acquirer is not in any way involved in determining the validity of the credentials being used for authentication. So, the one-leg scope extension does not cover non-EEA issued cards used at merchants acquired by EEA acquirers, and these can continue to accept e.g. magstripe and non-3D Secure transactions on non-EEA-issued cards without any interference by the law transposing PSD2.

Vice versa, the articles 97-98 and the RTS on SCA should therefore apply to EEA PSPs of the payer for credit transfers and for card-based payments, regardless of whether the PSP of the payee is inside or outside the EEA. The physical whereabouts of the payer, the card or the terminal reading the card is of no consequence to this; the actual customer authentication, the validation of the data collected, is always performed by the EEA issuer and is therefore included in “those parts of the payments transaction which are carried out in the Union [EEA].”.

For a card-based payment with a card issuer in the EEA, we then have a problem if SCA is not supported by the non-EEA acquirer: should the EEA issuer have to decline all card transactions made at a non-EEA magstripe-only terminal and all non-3D Secure remote card transactions from a non-EEA acquirer? EBA responded to this issue in connection with its “Final Report Draft RTS” of 23rd February 2017 stating that “In the case of cross-border transactions where payment instruments issued under a national legal framework that does not require the use of SCA (such as magnetic stripe cards) are used within the EU or when the PSP of the acquirer is established in a jurisdiction where it is not legally required to support the strong customer authentication procedure designed by the European issuing PSP, the European PSPs shall make every reasonable effort to determine the legitimate use of the payment instrument.“. With this interpretation EEA issuers can still accept non-SCA-supported non-EEA transactions based on a best efforts principle, wherefore it is welcome.

However, this EBA statement gives rise to new interpretation issues regarding at least the following dimensions:

1. What is the definition of “a jurisdiction where it [the acquirer] is not legally required to support … [SCA]”? Is this to be read as every non-EEA country, or could it also cover other countries with the same or similar requirements on SCA in their national law, although without any direct or formal connection to the EU legislation? E.g. what about the UK (having adopted PSD2 already) after Brexit?

2. To what extent do the SCA and RTS requirements still apply to those transactions for which non-EEA acquirers do support SCA, even if not legally obliged to do so?

3. How should “every reasonable effort to determine the legitimate use of the payment instrument” be interpreted? E.g. is it to always use SCA when possible?

Different interpretations of these dimensions result in a variety of practical interpretations for card-based payments, inter alia:

A. The RTS and the SCA requirements in PSD2 only apply to two-leg transactions where both the issuer and the acquirer are based in the EEA, leaving non-EEA transactions out of scope of the RTS, even in those cases where the non-EEA acquirer does support the issuer procedure for SCA.

B. For transactions from non-EEA acquirers that do support SCA, the EEA issuer must always apply SCA without the use of any of the exemptions allowed in the RTS for two-leg transactions, in order to fulfil the principle of “every reasonable effort”.

C. The EBA cannot change the Level 1 text completely; therefore the “two-leg relief” from the RTS requirements for EEA issuers only applies when both

• The acquirer is based in a jurisdiction where it is not legally required to support SCA

AND

• The acquirer does not support SCA

Meaning that for transactions where SCA is supported (EMV terminal, 3D Secure) by the acquirer, the issuer is always obliged to follow the SCA requirements of the RTS (including the use of exemptions allowed under the RTS) – for two-leg and one-leg alike.

If this is not explicitly evident from the EBA text, it should at least be implicitly given that “any reasonable effort” must mean – at a minimum – to apply the SCA requirements (including possible exemptions) in accordance with the RTS.

To illustrate the practical consequences for one-leg transactions with EEA-issued cards where SCA is supported by the non-EEA-acquirer:

• For e-commerce transactions, where the non-EEA acquirer applies 3D Secure:

- Interpretation A: The RTS does not apply. The issuer can make a risk-based decision and choose not to apply SCA even on transaction amounts higher than 500 EUR.

- Interpretation B: The issuer must apply SCA on all 3D Secure transactions from a non-EEA acquirer, without the possibility to apply exemptions.

- Interpretation C: The RTS applies. The issuer can choose to apply SCA or use an exemption in accordance with the RTS. If the low value exemption for remote transactions under 30 EUR (Article 16) is used, the non-EEA transaction would be added to the counter for the cumulative limit of the issuer’s choice (100 EUR or 5 transactions).

• For contactless transactions, supported by an EMV contactless-enabled terminal with PIN pad:

- Interpretation A: The RTS does not apply. If allowed by scheme rules, the issuer can allow contactless transactions on higher amounts than 50 EUR. Contactless transactions without SCA from a non-EEA acquirer would not add to the contactless counter for the cumulative limit of the issuer’s choice (150 EUR or 5 transactions).

- Interpretation B: The issuer must apply SCA (PIN, biometrics) on all contactless transactions from a non-EEA acquirer.

- Interpretation C: The RTS applies. For contactless transactions under 50 EUR, the issuer can apply the exemption from SCA, and the non-EEA transaction would then be added to the cumulative counter of the issuer’s choice.

In its later opinion EBA-Op-2018-04, the EBA reiterated its position with a slightly different formulation:

“32. As explained in the final report on the draft RTS published in February 2017, the EBA’s view, after discussing it with the European Commission, is that SCA applies to all payment transactions initiated by a payer, including to card payment transactions that are initiated through the payee, within the EEA and apply only on a best-effort basis for cross-border transactions with one leg out of the EEA.”

When comparing this with the earlier EBA statement of February 2017, three things should be noted:

1. In this statement EBA refers to “a payer” and not to the payer’s PSP, which could inspire additional interpretation issues. As stated above, we think the physical whereabouts of the payer should be of no consequence to the interpretation; the authentication of a card-based transaction on a card issued in the EEA is always performed in the EEA. Article 2(4) of PSD2 is clearly addressing payment service providers only, not payment service users. We therefore think this is a simple mistake, and it should read “initiated with a payer’s PSP within the EEA”.

2. Direct reference to legal requirements under non-EEA jurisdictions is avoided, and so, then, could the interpretation issues that follow from that wording be avoided.

3. We think that the formulation that for one-leg transactions, SCA “applies only on a best-effort” basis makes it clear that: yes, SCA does apply also for one-leg transactions, when it is possible for the EEA issuer to perform SCA, i.e. when the non-EEA acquirer does support SCA.

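To make the three interpretations in the illustration above concrete, the following is an added Python example modelling an EEA issuer's SCA decision for one card; it is not part of the submission or of the EBA answer. The thresholds are the ones the question cites from Regulation (EU) 2018/389 (Article 16: single amount up to 30 EUR, cumulative 100 EUR or 5 transactions since the last SCA; Article 11: single amount up to 50 EUR, cumulative 150 EUR or 5 transactions). Everything else is an assumption of this example: the result labels, the choice to count the current transaction toward the cumulative cap (the stricter reading), and the reset of a channel's counter whenever SCA is applied.

```python
"""Issuer-side SCA/exemption decision under the one-leg interpretations A, B and C.

Added illustration; not code from the submitter, the EBA or any scheme. Thresholds are the
RTS figures quoted in the question; the decision labels, the inclusive counting of the
current transaction and the counter reset on SCA are assumptions of this example.
"""
from dataclasses import dataclass, field

# Exemption limits from Regulation (EU) 2018/389 as cited on the page.
# Art. 16 low-value remote:  single <= 30 EUR; cumulative <= 100 EUR or <= 5 transactions.
# Art. 11 contactless POS:   single <= 50 EUR; cumulative <= 150 EUR or <= 5 transactions.
LIMITS = {
    "remote":      {"single": 30.0, "cumulative": 100.0, "count": 5},
    "contactless": {"single": 50.0, "cumulative": 150.0, "count": 5},
}


@dataclass
class Counter:
    """Exempted usage since the last application of SCA, kept per channel."""
    cumulative_eur: float = 0.0
    count: int = 0


@dataclass
class CardState:
    counters: dict = field(default_factory=lambda: {ch: Counter() for ch in LIMITS})


@dataclass
class Txn:
    amount_eur: float
    channel: str                  # "remote" (e-commerce) or "contactless"
    acquirer_in_eea: bool         # False => one-leg out transaction
    acquirer_supports_sca: bool   # 3D Secure available / EMV terminal with PIN pad


def exemption_available(card: CardState, txn: Txn, mode: str) -> bool:
    """RTS test: single-amount cap AND the cumulative cap the issuer chose (amount or count).
    Assumption: the current transaction is counted toward the cap (stricter reading)."""
    lim = LIMITS[txn.channel]
    ctr = card.counters[txn.channel]
    if txn.amount_eur > lim["single"]:
        return False
    if mode == "amount":
        return ctr.cumulative_eur + txn.amount_eur <= lim["cumulative"]
    return ctr.count + 1 <= lim["count"]


def apply_sca(card: CardState, txn: Txn) -> str:
    card.counters[txn.channel] = Counter()   # assumption: SCA resets that channel's counter
    return "sca"


def record_exempt(card: CardState, txn: Txn) -> str:
    ctr = card.counters[txn.channel]
    ctr.cumulative_eur += txn.amount_eur
    ctr.count += 1
    return "exempt"


def decide(card: CardState, txn: Txn, interpretation: str = "C", mode: str = "amount") -> str:
    """Decision for an EEA-issued card. interpretation is A, B or C as set out in the question;
    mode is the cumulative cap the issuer chose ("amount" or "count")."""
    one_leg = not txn.acquirer_in_eea
    if one_leg and not txn.acquirer_supports_sca:
        # Magstripe-only terminal or no 3D Secure: the issuer cannot impose SCA at all and, per
        # the EBA answer, must decide between blocking and carrying the Art. 73 liability.
        return "issuer_assessment"
    if one_leg and interpretation == "A":
        # RTS out of scope: the issuer's own risk decision; the RTS counters are untouched.
        return "issuer_risk_decision"
    if one_leg and interpretation == "B":
        return apply_sca(card, txn)           # always SCA, no exemptions
    # Two-leg, or one-leg under interpretation C: the RTS applies, exemptions included.
    if exemption_available(card, txn, mode):
        return record_exempt(card, txn)
    return apply_sca(card, txn)


def run_scenarios() -> dict:
    """Constructed scenarios: five 25 EUR one-leg 3D Secure payments under each interpretation,
    six 20 EUR two-leg contactless taps in count mode, and one non-3D Secure one-leg payment."""
    out = {}
    for interp in "ABC":
        card = CardState()
        out[interp] = [decide(card, Txn(25.0, "remote", False, True), interp) for _ in range(5)]
    card = CardState()
    out["contactless_count"] = [
        decide(card, Txn(20.0, "contactless", True, True), "C", "count") for _ in range(6)
    ]
    card = CardState()
    out["no_sca_possible"] = decide(card, Txn(600.0, "remote", False, False), "C")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Under interpretation C the fourth 25 EUR payment brings the remote counter to exactly 100 EUR and the fifth trips the cap and triggers SCA; under A the same payments never touch the counter, and under B every one of them is authenticated.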
Date of submission:
06/09/2018
Published as Final Q&A:
06/09/2019
EBA Answer:

Article 2(1) PSD2 states that the Directive applies to payment services provided within the Union. According to Article 2(4) PSD2 Title IV, including Article 97 PSD2, applies to payment transactions in all currencies where only one of the payment service providers (PSPs) is located within the Union, in respect to those parts of the payment transactions which are carried out in the Union.

It follows that for payment transactions where more than one PSP is involved, if one of the PSPs is located within the Union, strong customer authentication (SCA) has to be applied in accordance with Article 97 PSD2 and the Commission Delegated Regulation (EU) 2018/389 to those parts of the transactions which are carried out within the Union.

In the case of card-based payments where the payee’s PSP (the acquirer) is located outside the Union (the so-called “one-leg out transactions”), the acquirer is not subject to PSD2. Where the payer wishes to make a card-based payment at the point of sale (POS) or in an online environment of a merchant whose acquirer is located outside the Union and the issuer cannot technically impose the use of SCA, the issuer shall make its own assessment whether to block the payment or be subject to the liability requirements under Article 73 PSD2 vis-à-vis the payer in the event that the payment has been unauthorised.

In the case of card-based payments where the payer's PSP (the issuer) is located outside the Union (the so-called “one-leg in transactions”), the issuer is not subject to PSD2. Where the payer wishes to make a card-based payment at a POS or in an online environment of a merchant whose acquirer is located in the Union, the acquirer is subject to PSD2 as it offers its services in the Union. As such, it is required to be in a position to accept SCA and thus has to put in place mechanisms that allow for SCA.

As regards the application of the rules on SCA in relation to “one-leg out” credit transfers, the payer's PSP that is located within the Union has to apply SCA and does not need to rely on the payee's PSP to apply SCA as credit transfers are initiated by the payer with its own PSP.

As regards the application of the rules on SCA in relation to “one-leg in” credit transfers, since the payer’s PSP is located outside the Union it is not subject to PSD2 and does not have to comply with the rules on SCA.

With regard to the so-called “two-leg transactions”, please see QA 2018_4030.

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status:
Final Q&A