Question ID:
2018_4242
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
Paragraph:
1
Subparagraph:
(b)
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
16
Name of institution / submitter:
Swedish Bankers’ Association
Country of incorporation / residence:
Sweden
Type of submitter:
Industry association
Subject Matter:
Applicability of exemption under RTS Article 16 for payee’s PSPs (acquirers)
Question:

Can an exemption under Article 16 of the RTS on strong customer authentication and secure communication be applied by the payee’s payment service provider (PSP) (the acquirer) for card-based payments?

Background on the question:

This question relates to what we think is a mistake made by EBA in its opinion EBA-Op-2018-04, in which it states that exemption under Article 16 for card-based payments is applicable for both the payer’s PSP (issuer) and the payee’s PSP (acquirer).

In its opinion EBA-Op-2018-04, the EBA provides in Table 2 an overview of whether or the payer’s PSP (issuer) and the payee’s PSP (acquirer) can decide on each of the exemptions set out under Articles 10 to 18.

With regard to Article 16, low value remote payments, the table says the exemption is applicable for both the payer’s PSP (the issuer) and the payee’s PSP (the acquirer) for a card-based payment. We think this is wrong and that the decision on the use of this exemption is always by the issuer, and never applicable for the acquirer.

Although the EBA explains in a footnote to the table that the issuer always has the final say, it is still important from a liability perspective (Article 74.2 of the PSD2) to ascertain which PSP that have made use of the exemption and is therefore liable in case of fraud.

Date of submission:
06/09/2018
Published as Final Q&A:
11/10/2019
EBA Answer:

Yes, as clarified in the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, the exemption under Article 16 of the Commission Delegated Regulation (EU) 2018/389 for remote card-based payment transactions is applicable for both the payee’s PSP and the payer’s PSP on the basis that Article 16 of the Delegated Regulation refers to PSPs and does not limit it solely to the payer’s PSP. Further, card payment transactions are typically initiated by the payer through the payee. The EBA Opinion also clarified in table 2 “Summary table on who may apply an exemption” that the payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption. In the event that the payer’s PSP would not accept the low-value transactions exemption to be applied by the payee’s PSP and wishes to apply SCA, the payer’s PSP would either apply SCA to the transaction or decline the transaction if it was not technically feasible to apply SCA.

Further, Q&A 2018_4241 clarifies that an exemption under Article 11 of the Delegated Regulation can be applied by the payee’s payment service provider (PSP) for card-based payment transactions.

Q&A 2018_4042 also provides additional information on how the liability requirements under Article 74(2) of PSD2 would apply.

Status:
Final Q&A