Question ID:
2019_4702
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
19
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Transaction risk analysis (TRA) exemption – Calculation of fraud rate – Impact of unauthorized transactions on issuers and acquirers
Question:

In the case of card-based transactions, shall issuers include in their fraud rate calculation only the unauthorized transactions for which they apply strong customer authentication (SCA) or an exemption?  Or, shall issuers also include unauthorised transactions for which the acquirer applies an exemption?

Shall acquirers include in their fraud rate calculation only the unauthorised transactions for which they apply an exemption?  Or shall acquirers also include unauthorised transactions for which the issuer applies an exemption?

Background on the question:

The EBA’s Opinion on the implementation of the RTS on SCA and CSC, EBA-Op-2018-04, June 2018 clarifies that Payment Service Providers (PSPs) should not only include in the calculation of their fraud rates the unauthorized transactions for which they are liable, but also those they have not prevented: “[i]n the case of transactions processed by more than one PSP (e.g. card transactions), the EBA would also like to clarify that the fraudulent transactions included in the calculation for a given PSP’s fraud rate should be based on (i) the unauthorised transactions for which the given PSP has borne liability, as determined in accordance with Article 74 of PSD2, and (ii) other fraudulent transactions which have not been prevented by that PSP.” (point 46, page 10). 

Under a literal interpretation, this would mean that unauthorized transactions would always impact the issuer’s fraud rates.  This is because the issuer has the ‘final say’, i.e., it is technically able to decline transactions or to step-up and request SCA.   

This interpretation would, however, unduly penalize issuers that are relying on exemptions applied by acquirers. In addition, it would incentivize issuers not to accept the exemptions applied by acquirers, as this would increase the issuer’s fraud rate and ultimately its ability to apply the TRA exemption. As a consequence, this interpretation would limit the possibility for both issuers and acquirers to apply exemptions. This would be contrary to the spirit and wording of PSD2 and the RTS (Article 98(1)(b) and (3) PSD2 and Recital 9 RTS).

Acquirers should also exclude from their fraud rate calculation the unauthorized transactions for which the issuer applies an exemption.  Otherwise, the acquirer would be penalized for an issuer’s conduct that falls outside the acquirer’s control. 

We therefore believe that a more sensible approach would be that unauthorized transactions should impact only the fraud rate of the PSP that applies an exemption (be it issuer or acquirer).

Date of submission:
09/05/2019
Published as Final Q&A:
24/07/2020
EBA Answer:

Article 19(1), second paragraph of the Commission Delegated Regulation (EU) 2018/389 provides that, for the purpose of the transaction risk analysis exemption in Article 18 of the Delegated Regulation, payment service providers (PSPs) shall calculate “the overall fraud rate for each type of transaction […] as the total value of unauthorised or fraudulent remote transactions […] divided by the total value of all remote transactions for the same type of transactions, whether authenticated with the application of strong customer authentication (SCA) or executed under any exemption referred to in Articles 13 to 18 on a rolling quarterly basis (90 days)”.

It follows from the above that the payer’s Payment Services Provider (PSP) (the issuer) should include in the calculation of its fraud rate all unauthorised or fraudulent remote payment transactions, which includes those transactions authenticated with the application of SCA and those where any exemption from SCA as referred to in Articles 13 to 18 of the Delegated Regulation was applied by the issuer or the PSP of the payee (the acquirer).

Similarly, acquirers should include in the calculation of their fraud rate all acquired unauthorised or fraudulent remote payment transactions, which includes those transactions authenticated with the application of SCA and those where any exemption from SCA as referred to in Articles 13 to 18 of the Delegated Regulation was applied either by the acquirer or the issuer.

Q&A 2018_4034 provides further details on the application of the transaction risk analysis exemption from SCA. Further, Q&A 2018_4042 clarified the liability for fraud when an exemption from SCA is applied.

Status:
Final Q&A