Question ID
2018_4359
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
4
Paragraph
23
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Article 4, Paragraph 1
Type of submitter
Other
Subject matter
Does SCA apply to electronically processed SEPA Direct Debits ?
Question

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

Background on the question

Today, SDD does not suffer from SCA, once the mandate is signed by the clients, future transactions will go through seamlessly. If SCA applies, it would be interesting to know when, and if any exemptions could be used to prevent that.

Submission date
Final publishing date
Final answer

Pursuant to Article 97(1) PSD2, Member States shall ensure that a payment service provider applies strong customer authentication when the payer (a) accesses its payment account online, (b) initiates an electronic payment transaction, or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Strong Customer Authentication (SCA) is only required in the cases defined in Article 97 PSD2. Payment transactions that are not initiated by the payer but by the payee are not subject to SCA, as these transactions are initiated without any interaction or involvement of the payer.

A direct debit transaction is not subject to SCA as it is defined in PSD2 as a transaction that is initiated by the payee. Article 4(23) PSD2 defines a direct debit as "a payment service for debiting the payer's payment account, where the payment transaction is initiated by the payee on the basis of the consent given by the payer to the payee, the payer's PSP or the payee's PSP".

A similar definition of direct debit can be found in Regulation (EU) No. 260/2012 (SEPA end-date Regulation).

Where the mandate of the payer to the payee to initiate these transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) of the PSD2.

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status
Final Q&A
Answer prepared by
Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.