- Question ID
-
2018_4415
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
5
- Type of submitter
-
Other
- Subject matter
-
Dynamic linking for batch transactions
- Question
-
In relation to payment transactions for a batch of remote electronic payments to one or several payees, please clarify whether the payer needs to be made aware of every payee in the batch?
- Background on the question
-
Paragraph 3b of Article 5 stipulates that, in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees.
Paragraph 1 of Article 5 stipulates that payment service providers shall adopt security measures to ensure that the payer is made aware of the amount of the payment transaction and of the payee.
Batch transactions might consist of a large number payments, so that it is impractical for a payer to be made aware of every payee in the batch during the payment authentication process.
- Submission date
- Final publishing date
-
- Final answer
-
Article 5(1)(a) of the Commission Delegated Regulation (EU) 2018/389 states that “where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4, they shall adopt security measures that meet”, among others, the following requirement: “a) the payer is made aware of the amount of the payment transaction and of the payee”. This means that the payer should be able to check the payees list, included in the batch of remote payment transactions, should the payer wish to do so.
Article 5(3)(b) of the Delegated Regulation, in turn, states that “in relation to payment transactions for which the payer has given consent to execute a batch of remote electronic payment transactions to one or several payees, the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees”. As clarified in Q&A 2018_4435, this means that the payment service provider should dynamically link the authentication code for a batch of remote electronic payment transactions to every single payee included in that batch.
Q&A 2019_4556 provides further details on the identification of the payee and the generation of the authentication code.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.