Question ID:
2019_4703
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Fraud reporting
Article:
96
Paragraph:
6
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
Article/Paragraph:
Not applicable
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Report of fraud rates by issuers and acquirers
Question:

For card-based transactions: 

- When the issuer reports frauds under the EBA Guidelines on fraud reporting (EBA/GL/2018/05), shall the issuer provide information on the unauthorised transactions for which the acquirer has applied an exemption? If so, shall the issuer provide a break-down according to the different exemptions applied by the acquirer?

- When the acquirer reports frauds under the EBA Guidelines on fraud reporting, shall the acquirer provide information on the unauthorised transactions for which the issuer has applied an exemption? If so, shall the acquirer provide a break-down according to the different exemptions applied by the issuer?

Background on the question:

The Feedback Table annexed to the EBA Guidelines on fraud reporting reads:

“[Question:] If a transaction where the payee’s PSP used the TRA exemption turns out to be fraudulent, the payer’s PSP should not count that transaction in its fraud levels. By the same token, it should be clarified that, if it is the payer’s PSP using the TRA exemption and the transaction turns out to be fraudulent, the payee’s PSP’s fraud levels should not be impacted.

[Answer:] The EBA is of the view that all fraudulent transactions should be reported. Section 3.2 of the Final Report also clarifies that, in the case of transactions processed by more than one PSP (e.g. card transactions), the fraudulent transactions included in the calculation for a given PSP’s fraud rate should be based on (i) the unauthorised transactions for which the PSP has borne liability, as determined in accordance with Article 74 PSD2, and (ii) the fraudulent transactions that have not been prevented by the PSP.”

(Question 209, page 140). Issuers are required to provide a break-down of the exemptions they apply (Sections 3.2.1.3.4-3.2.1.3.8 and 3.2.2.3.4-3.2.2.3.7 of the reporting form under Annex 2(C) of the EBA’s Guidelines).

The Guidelines, however, do not clarify whether issuers shall only provide a break-down of the exemptions they apply or also a break-down of this information according to the different exemptions applied by the acquirer.

Annex 2(C) does not contain a break-down of this information according to the different exemptions applied by the acquirer. Also acquirers are required to provide a break-down of the exemptions they apply (Sections 4.2.1.3.4-4.2.1.3.6 and 4.2.2.3.4- 4.2.2.3.6 of the reporting form under Annex 2(D) of the EBA’s Guidelines).

The Guidelines, however, do not clarify whether acquirers shall only provide a break-down of the exemptions they apply or also a break-down of this information according to the different exemptions applied by the issuer.

Annex 2(D) does not contain a break-down of this information according to the different exemptions applied by the issuer.

In our view:

- The issuer shall only report a break-down of the exemptions it has applied. It should not be required to provide also a break-down of the acquirers’ exemptions. This is upon each acquirer to do.

- The acquirer shall only report a break-down of the exemptions it has applied. It should not be required to provide also a break-down of the issuers’ exemptions. This is upon each issuer to do, as the acquirer does not even have information on which exemption the issuer has applied. This is also confirmed by the fact that the reporting form under Annex 2(D) contains only information on exemptions that are available for acquirers and not on those exemptions that are available only for issuers (e.g., white-listing under Article 13 RTS).

In other words, it is sufficient that issuers and acquirers provide a break-down of their fraud according to the exemptions they have respectively applied.

Date of submission:
09/05/2019
Published as Final Q&A:
24/07/2020
EBA Answer:

In accordance with Guidelines 2.11, 7.11 and 7.12 of the EBA Guidelines on fraud reporting under PSD2 (EBA/GL/2018/05) as amended by the EBA Guidelines EBA/GL/2020/01, card payment transactions should be reported both by the payer’s payment service provider (PSP) (the issuer), and by the payee’s PSP acquiring the payment transaction (the acquirer), as follows:

  • from the issuer’s perspective, under the Data Breakdown C in Annex 2 of the Guidelines; and
  • from the acquirer’s perspective, under the Data Breakdown D in Annex 2 of the Guidelines.

The reporting PSP (in its issuing or acquiring capacity) should report all card based payments transactions for which strong customer authentication (SCA) was not applied under the relevant category “Of which authenticated via non-strong customer authentication” under Data Breakdowns C or D of Annex 2, as applicable, and assign each of these transactions to one of the relevant breakdowns regarding the reason for not applying SCA, depending on the exemption to SCA that was applied, and irrespective of whether it was the issuer or the acquirer who triggered the application of that exemption.

As regards transactions executed before 1 July 2020, if the issuer applied the exemption under Article 13 of the Commission Delegated Regulation (EU) 2018/389 the acquirer should report the relevant transaction only under the category “Of which authenticated via non-strong customer authentication” and not in the breakdowns relating to the different exemptions to SCA in Data Breakdown D given that these breakdowns do not cover this exemption. For transactions executed after 1 July 2020, the acquirer should report these transactions under the breakdown “Other” in row 4.2.1.3.8, or, as applicable, row  4.2.2.3.7 of the Data Breakdown D in Annex 2 of the Guidelines, as amended by the EBA Guidelines EBA/GL/2020/01.

Status:
Final Q&A