Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Name of institution / submitter:
Swedish Bankers’ Association
Country of incorporation / residence:
Type of submitter:
Industry association
Subject Matter:
Applicability of exemption under RTS Article 11 for payee’s PSPs (acquirers)

Can an exemption under Article 11 of the RTS on strong customer authentication and secure communication be applied by the payee's payment service provider (PSP) (the acquirer) for card-based payments?

Background on the question:

This question relates to what we think is a mistake made by EBA in its opinion EBA-Op-2018-04, in which it states that exemption under Article 11 for card-based payments is applicable for both the payer’s PSP (issuer) and the payee’s PSP (acquirer). In its opinion EBA-Op-2018-04, the EBA provides in Table 2 an overview of whether or the payer’s PSP (issuer) and the payee’s PSP (acquirer) can decide on each of the exemptions set out under Articles 10 to 18.

With regard to Article 11, contactless payments at POS, the table says the exemption is applicable for both the payer’s PSP (the issuer) and the payee’s PSP (the acquirer) for a card-based payment. We think this is wrong, as only the issuer can keep track of the cumulative limits for each card, and that the decision on the use of this exemption must therefore always be by the issuer, and is never applicable for the acquirers.

Although the EBA explains in a footnote to the table that the issuer always has the final say, it is still important from a liability perspective (Article 74.2 of the PSD2) to ascertain which PSP that have made use of the exemption and is therefore liable in case of fraud.

Date of submission:
Published as Final Q&A:
EBA Answer:

Yes, as clarified in the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication,EBA-Op-2018-04, the exemption under Article 11 of the Commission Delegated Regulation (EU) 2018/389 for card-based payment transactions is applicable for both the payee’s payment service provider (PSP) and the payer’s PSP on the basis that Article 11 refers to PSPs and does not limit it solely to the payer’s PSP. Further, card payment transactions are typically initiated by the payer through the payee. This EBA Opinion also clarified in table 2 “Summary table on who may apply an exemption” that the payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption. 

In the event that the payer’s PSP would not accept the contactless exemption to be applied by the payee’s PSP and wishes to apply SCA, the payer’s PSP would either apply SCA to the transaction or decline the transaction if it was not technically feasible to apply SCA.

Q&A 2018_4042 provides additional information on how the liability requirements under Article 74(2) of PSD2 would apply. 

Final Q&A