Single Rulebook Q&A

Question ID: 2018_4359
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 4
Paragraph: 23
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Article 4, Paragraph 1
Type of submitter: Other
Subject matter : Does SCA apply to electronically processed SEPA Direct Debits ?
Question:

When processing SEPA Direct Debits electronically (assuming that the Direct Debit mandate has been signed digitally), does SCA apply to transactions? If not, what is the legal basis for this exemption?

Background on the question:

Today, SDD does not suffer from SCA, once the mandate is signed by the clients, future transactions will go through seamlessly. If SCA applies, it would be interesting to know when, and if any exemptions could be used to prevent that.

Date of submission: 06/11/2018
Published as Final Q&A: 22/02/2019
EBA answer:

Pursuant to Article 97(1) PSD2, Member States shall ensure that a payment service provider applies strong customer authentication when the payer (a) accesses its payment account online, (b) initiates an electronic payment transaction, or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Strong Customer Authentication (SCA) is only required in the cases defined in Article 97 PSD2. Payment transactions that are not initiated by the payer but by the payee are not subject to SCA, as these transactions are initiated without any interaction or involvement of the payer.

A direct debit transaction is not subject to SCA as it is defined in PSD2 as a transaction that is initiated by the payee. Article 4(23) PSD2 defines a direct debit as "a payment service for debiting the payer's payment account, where the payment transaction is initiated by the payee on the basis of the consent given by the payer to the payee, the payer's PSP or the payee's PSP".

A similar definition of direct debit can be found in Regulation (EU) No. 260/2012 (SEPA end-date Regulation).

Where the mandate of the payer to the payee to initiate these transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) of the PSD2.

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

 

Status: Final Q&A
Permanent link: link