Question ID:
2019_4480
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97 and 74.2
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
12
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Italian Banking Association - Associazione Bancaria Italiana (ABI)
Country of incorporation / residence:
Italy
Type of submitter:
Industry association
Subject Matter:
Unattended terminals and Transaction Risk Analysis (TRA) exemption and related Payment Service Providers (PSP)’s liabilities rules
Question:

Provided that both the payer’s Payment Service Provider (PSP) and the payee’s PSP can apply the strong customer authentication (SCA) exemption, without prejudice to the last say of the payer’s PSP, can a payment made at highway toll booths be treated as the one performed at the unattended terminals for transport fares?

Background on the question:

According to point 40 of the EBA Opinion, it is clear that the possibility of using the TRA exemption is attributed not only to the payer’s PSP (issuer) but also to the payee’s PSP (acquirer). In addition, Table 2 of the same point and the asterisk note "The payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption; the payer’s PSP may wish to revert to applying SCA to execute the transaction if technically feasible or decline the initiation of the transaction." confirm this reading. Moreover, this general principle is stated in the liability rules set out in Article 74.2 of the PSD2, where it is written that "Where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider." However, the same wording was not maintained at point 39 of the EBA Opinion, creating doubts about the above-mentioned possibility.

Stating that, both the payer’s PSP (issuer) and the payee’s PSP (acquirer), each for their own sphere of competence, can apply the SCA exemption without prejudice to the fact that the payer’s PSP has the ultimate decision, results in the four following choices available to the payer’s PSP:

a) accept the exemption applied by the payee’s PSP, or

b) apply the exemption if the payee’s PSP does not apply it, or

c) revert to SCA, if the payee’s PSP has applied the exemption, or

d) reject the exempted transaction.

In particular, this should be applied especially with regard to those payment transactions that are carried out at unattended terminals for transport and parking, where the payer’s PSP cannot enter into the merits of the exemption. In this case it is the payee’s PSP (and not the payer’s PSP) who attributes to the merchant the category of 'transport' and of 'parking', thus allowing the payee to take advantage of the exemption. If the unattended terminal is offline, the payer's PSP can never choose decisions b) or c) above, but can only accept the exemption applied by the payee's PSP – decision a) - in order to support the general public interest for operational (e.g. to avoid queues and potential accidents at toll booths) or for security reasons (e.g. the risk of shoulder surfing).

Moreover, in this regard, it should be noted that the RTS on SCA & CSC (the final draft dated 23rd February 2017) at the Recital 8 considers relevant this type of exemptions by stating that "It is also appropriate to establish an exemption for the case of electronic payment transactions initiated at unattended terminals where the use of strong customer authentication may not always be desirable due to operational reasons (e.g. to avoid queues and potential accidents at toll gates) or safety or security risks (for instance the risk of shoulder surfing)."

Date of submission:
23/01/2019
Published as Final Q&A:
19/06/2020
EBA Answer:

Article 12 of the Delegated Regulation (EU) 2018/389 prescribes that payment service providers (PSPs) shall be allowed not to apply strong customer authentication (SCA) subject to compliance with the requirements in Article 2 of the Delegated Regulation “where the payer initiates an electronic payment transaction at an unattended payment terminal for the purpose of paying a transport fee or a parking fee”. Recital 11 of the Delegated Regulation also prescribes that “it is also appropriate to establish an exemption for the case of electronic payment transactions initiated at unattended terminals where the use of strong customer authentication may not always be easy to apply due to operational reasons (e.g. to avoid queues and potential accidents at toll gates or for other safety or security risks)”. In that regard, the exemption in Article 12 of the Delegated Regulation may apply to payments initiated at highway tollbooths, if these are used for the purpose of paying a transport fee or a parking fee and the terminals are unattended.

Table 2 “Summary table on who may apply an exemption” of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication and common and secure communication (EBA-Op-2018-04) further clarified that the exemption under Article 12 is applicable to both payee’s PSP and the payer’s PSP and that the payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption. Q&A 2018_4042 provides further clarification on the application of the liability regime under Article 74(2) of PSD2.

Status:
Final Q&A