Question ID
2019_4484
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
Paragraph
1
Subparagraph
b
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Not applicable
Article/Paragraph
N/A
Type of submitter
Individual
Subject matter
Strong customer authentication requirement on pay-by-invoice payment transactions
Question

Does Article 97(1)(b) PSD2 apply for pay-by-invoice when the payer's funds are covered by a credit line extended by a payment service provider?

Background on the question

When a payer pays by credit card, the payer's funds which are transferred to the payee are covered by a credit line extended by the credit card issuer. (In the three party model the funds are transferred straight from the payer's credit line to the payee whereas in the four party model the funds are transferred from the payer's credit line with the issuer to the acquirer and then from the acquirer to the payee.) In addition to physical credit cards, there are also virtual credit cards on the market that work in the same way but due to them being virtual (no physical plastic card is issued to the payer), they can only be used for remote payment transactions. For both physical and virtual credit cards Article 97(1)(b) PSD2 applies on each individual card transaction initiated by the payer and not only on the payment transaction from the payer that settles the payer’s outstanding monthly credit bill since Annex I(4) PSD2 includes payment transactions where the funds are covered by a credit line. There exist also credit-line based payment services on the market in the form of "pay-by-invoice". They work as the virtual three party credit card model where the payee receives funds from the payment service provider and those funds are covered by a credit line extended to the payer by the PSP. By the end of the month or when the purchased items have been received by the payer, the payer is sent an invoice to settle the outstanding credit. Since these pay-by-invoice payment service providers transfers funds to the payee based on the purchase action of the payer (and not based on whether the future invoice has de facto been paid by the payer), an electronic payment transaction as referred to in Article 97(1)(b) PSD2 has been initiated by the payer, with the funds covered by a credit line, and as such the pay-by-invoice payment service provider should apply strong customer authentication of the payer at the time of purchase. The equality between pay-by-invoice and virtual credit cards is also illustrated by the fact that the pay-by-invoice PSPs willingness to approve a transaction (extend the credit line) for a payer is affected by the same payer's previous transactions through the pay-by-invoice payment service provider (aggregated outstanding amount, number of transactions, etc.). That is, the payer holds a de facto virtual account with the payment service provider and multiple pay-by-invoice transactions can be combined on the same invoice sent to the payer for settling the total outstanding credit. There's also the situation when the payee itself issues credit to the payer and later sends an invoice. For example, a carpenter might first perform the agreed work and after that send an invoice to the payer. In those situations Article 97(1)(b) PSD2 should not apply when the carpenter "issues" credit to the payer since A) the carpenter is not a PSP, and B) the carpenter only receives funds when the invoice is paid. That is, there's only one payment transaction, the payment of the invoice, and that invoice payment is subject to SCA. Annex I(4) PSD2 is not limited to only card based payment transactions. Similar devices, credit transfers and direct debits are also included. In order to create a level playing field between virtual credit card issuers and pay-by-invoice services, Article 97(1)(b) should apply equally to both.

Submission date
Final publishing date
Final answer

Article 97(1), point (b), of Directive 2015/2366/EU (PSD2) provides that strong customer authentication (SCA) shall be applied to payer-initiated payment transactions. According to Article 4(5) PSD2, a ‘payment transaction’ means ‘an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee’. Article 4(3) read in conjunction with point 4 of Annex I PSD2 identifies as a payment service the ‘Execution of payment transactions where the funds are covered by a credit line for a payment service user’ and by this clarifies that a payment transaction can entail a credit line for the user. It follows that in accordance with Article 97(1), point (b), PSD2 PSPs shall apply SCA regardless of whether the funds are covered by a credit line or not

Disclaimer:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.

Status
Final Q&A
Answer prepared by
Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.