- Question ID: 2019_4785
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 4
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 16
- Type of submitter: Other
- Subject matter: Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions
- Question

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

- Background on the question

Article 16 states that Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:
(a) the amount of the remote electronic payment transaction does not exceed EUR 30; and
(b) the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
(c) the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed 5 consecutive individual remote electronic payment transactions.
The question is if, for example, a specific Payment Services User (PSU) keeps getting declined, assuming it's a fraudster, does it affect the sensors mentioned above? This will have an impact on the genuine user due to exceeding the thresholds defined by this article. We would like to know if only successfully completed transactions affect these counters.

- Submission date
- Final publishing date
- Final answer

Article 16 of the Delegated Regulation (EU) 2018/389 refers to the counting of low-value remote electronic payment transactions that have been successfully initiated. Accordingly, Article 16(a) specifies an individual transaction limit of €30 and Article 16(b) refers to the cumulative amount of the low-value remote electronic payment transactions that have been successfully initiated. In addition, when counting the number of consecutive individual remote electronic payment transactions for the purpose of Article 16(c), only those transactions that have been successfully initiated need to be included.
However, if a payment service provider (PSP) wishes to include all authorised transactions, regardless of whether they have been successfully initiated or not, it is not prevented from so doing.
Q&A 2018_4230 addressed this question from the perspective of the exemption from strong customer authentication (SCA) under Article 11 of the Delegated Regulation.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.