Single Rulebook Q&A

Question ID: 2018_4439
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: (b)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : 19
Name of institution / submitter: Nordea Bank Abp
Country of incorporation / residence: Finland
Type of submitter: Credit institution
Subject matter : Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

Background on the question:

In its response to question id 2018_4033, EBA provides its response to the question “May a PSP calculate its fraud rate at the level of individual brand, product or scheme?”; the answer is clearly “No” and EBA further states: “The calculation should be at payment service provider (legal entity) level.” We understand that this principle holds also for other potential dimensions, not men-tioned in the questions, that some PSPs potentially might have wished to discriminate on, e.g. product category (credit cards, debit cards etc) or customer category (consum-er, corporate etc). However, the arguably most important dimension for a potential split of fraud rate is missing from the question: the member state. Due to the special circumstances around this dimension, and the tight connection between the fraud rate calculation in Article 19 in the RTS on SCA and the EBA Guidelines on fraud reporting, we would like EBA to consider this dimension specifically. Furthermore, we understand the EBA principle of legal entity level provides a choice for PSP groups with wholly owned subsidiaries, between these two alternatives: • Either, the wholly owned subsidiary PSP could calculate its own fraud rate separate from its parent PSP, and the subsidiary PSP fraud rate and volumes are then not included in the parent PSPs fraud rate calculation. The wholly owned subsidiary PSP and the parent PSP would then each apply its individual fraud rate accordingly to Annex 1 to identify the possibility and correct level of using the TRA exemption in Article 18. • Or, the Group could decide to calculate an aggregate fraud rate for the whole group and apply this fraud rate to the whole groups potential and correct level of using the TRA exemption in Article 18. In many cases, wholly owned subsidiaries in a group structure are country-based. In relation to a PSP that is one legal entity with branches in several member states, there are two different ways to interpret this: 1.The principle of one legal entity should be strictly applied, also over different Member States. The PSP must calculate one fraud rate aggregated for all the member states it operates in, and apply this fraud rate to find out potential and correct level of using the TRA exemption in Article 18. 2. There is a very close connection with EBA Guidelines for fraud reporting to the RTS on SCA. As Guideline 5.3 of these guidelines states that “an established branch of an EEA’s payment service provider should report to the competent authority of the host Member State where it is established, separately from the reporting data of the payment service provider in the home Member State.” this should also be guiding for the fraud rate calculation in Article 19 and its application to the use of the TRA exemption in Article 18. Of these two interpretations, we think the arguments for the latter out-weighs the former, i.e. the main principle for calculation of fraud rate in Article 19 of the RTS for the application of Article 18, should be the same as for fraud reporting, i.e. that it is performed separately per each host Member State. However, if we have correctly understood the previous EBA statement on legal entity, that it provides the possibility for groups with wholly owned subsidiaries, to choose to calculate the fraud rate on aggregated group level as an alternative to the parent/subsidiary (basic legal entity) level, the same possibility of choosing an aggregated fraud rate should be provided also to legal entities with subsidiaries.

Date of submission: 27/12/2018
Published as Final Q&A: 12/04/2019
EBA answer:

Article 19(1) of the Commission Delegated Regulation (EU) 2018/389 states that “for each type of transactions referred to in the table set out in the Annex, the payment service provider shall ensure that the overall fraud rates covering both payment transactions authenticated through strong customer authentication and those executed under any of the exemptions referred to in Articles 13 to 18 are equivalent to, or lower than, the reference fraud rate” and that the overall fraud rate “shall be calculated as the total value of unauthorised or fraudulent remote transactions divided by the total value of all remote transactions for the same type of transactions”. Also Q&A 2018_4033 states that the fraud rate “should be calculated at the level of remote electronic card-based payments or remote electronic credit transfers and not split further into other categories or subcategories” and that it should be calculated “at the legal entity level”

The calculation should therefore be for each type of transaction referred to in the Annex to the Delegated Regulation at legal entity level. Fraud rates cannot be calculated at branch level given that branches do not have separate legal personality as highlighted in Article 4(39) of PSD2 and point 17 of Article 4(1) of Regulation No 575/2013.

This differs to Guideline 5.3 of the EBA Guidelines on fraud reporting under PSD2, GL-2018-05, that refers to the calculation of fraud rates at branch level for statistical purposes in order to align to the ECB regulations on statistics and ensure the aggregate information obtained by the EBA and ECB at country level are representative.

Subsidiaries conversely have separate legal personality and therefore, for the purpose of Article 19 of the Delegated Regulation, fraud rates should be calculated at subsidiary level.


Status: Final Q&A
Permanent link: link