Question ID:
2019_4785
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Other topics
Article:
98
Paragraph:
4
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
16
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions
Question:

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

Background on the question:

Article 16 states that Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:


(a) the amount of the remote electronic payment transaction does not exceed EUR 30; and
(b) the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
(c) the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed 5 consecutive individual remote electronic payment transactions.


The question is if for example a specific Payment Services User (PSU) keeps getting declined, assuming it’s a fraudster, does it effect the sensors mentioned above? This will have impact on genuine user due to exceeding the thresholds defined by this article. We would like to know if only successfully completed transactions effects these counters.

Date of submission:
18/06/2019
Published as Final Q&A:
06/12/2019
EBA Answer:

Article 16 of the Delegated Regulation (EU) 2018/389 refers to the counting of low-value remote electronic payment transactions that have been successfully initiated. Accordingly, Article 16(a) specifies an individual transaction limit of €30 and Article 16(b) refers to the cumulative amount of the low-value remote electronic payment transaction that have been successfully initiated. In addition, when counting the number of consecutive individual remote electronic payment transactions for the purpose of Article 16(c), only those transactions that have been successfully initiated, need to be included.

However, if a payment service provider (PSP) wishes to include all authorised transactions, regardless of whether they have been successfully initiated or not, it is not prevented from so doing.

Q&A 2018_4230 addressed this question from the perspective of the exemption from strong customer authentication (SCA) under Article 11 of the Delegated Regulation.

Status:
Final Q&A