Single Rulebook Q&A

Question ID: 2018_4090
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: Article 95 - Management of operational and security risks
Paragraph: Article 95, paragraph 4
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : Articles 2 and 18
Type of submitter: Credit institution
Subject matter : Does transaction monitoring need to be real time?
Question:

Article 2(1) of the RTS stipulates that "payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions…" and Article 2(2) explains the minimum requirements.

However, Article 2 does not specify timing aspects of the transaction monitoring.

Is it correct to conclude that the transaction monitoring described in Article 2 does not need to be real time?

Background on the question:

The RTS aims at reducing the risk of payment fraud to a minimal level. The main measure to achieve this goal is to apply SCA. Article 18 allows SCA not to be applied for payment transactions posing a low level of risk and describes real time risk analysis as a condition for not applying SCA to these transactions.

In this context, the real time risk analysis is understood as an acceptable alternative measure to SCA to mitigate the risk of payment fraud. The transaction monitoring described in Article 2 aims at detecting unauthorised or fraudulent payment transactions. The transaction monitoring is to be applied in addition to SCA.

However, Article 2 does not specify timing aspects of the transaction monitoring. In combination, Articles 2 and 18 can be understood in two ways:

1) In general, the risk of payment fraud needs to be addressed by two strong measures – SCA and real time monitoring. In the exceptional case of low risk transactions, one measure (real time risk analysis) is sufficient.

2) The risk of payment fraud is to be adequately addressed. In general, this is achieved by applying SCA and supported by transaction monitoring. The transaction monitoring does not need to be real time since SCA already provides strong protection. In the exceptional case of low risk transactions, real time risk assessment is seen to be sufficient to mitigate the risk of payment fraud.

Date of submission: 10/07/2018
Published as Final Q&A: 05/10/2018
EBA answer:

Article 2(1) of the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication) requires that “Payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions” and Article 2(2) refers to “transaction monitoring mechanisms” for the purpose of the Delegated Regulation.

Further, Article 18(1) of the RTS on the transaction risk analysis exemption not only requires PSPs to have the “transaction monitoring mechanisms referred to in Article 2” in place, but Article 18(2)(c) of the RTS also requires PSPs to perform a “real time risk analysis”.

Accordingly, for payment service providers to be able to benefit from the transaction risk analysis exemption under Article 18 of the RTS, they have to go beyond the general monitoring requirements under Article 2 of these RTS and have mechanisms in place that enable “real time risk monitoring”, in other words monitoring before the transaction is authorised. The general monitoring mechanism under Article 2 of these RTS does not require enabling “real time risk monitoring” and is usually carried out “after” the execution of the payment transaction.
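The following is an added illustration of the timing distinction the answer draws, not part of the EBA text or of the RTS: a synchronous check that runs before the transaction is authorised (the Article 18(2)(c) "real time risk analysis" that gates the exemption from SCA) next to an asynchronous pass over transactions that have already been executed (the general Article 2 mechanism). The risk heuristics, the thresholds, the `Transaction` fields and the sample data are assumptions made for the example; the RTS defines none of them. The sample is constructed so that three sub-limit payments each pass the pre-authorisation check individually, while the post-execution pass flags the pattern they form together, which is what the after-the-fact monitoring adds on top of the per-transaction gate.

```python
"""Pre-authorisation (real time) risk analysis vs post-execution monitoring.
Illustrative only: heuristics and thresholds are assumptions, not RTS rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    tx_id: str
    payer: str
    payee: str
    amount_eur: float
    timestamp: datetime
    new_payee: bool       # payer has never paid this payee before (assumed signal)
    device_known: bool    # device previously seen for this payer (assumed signal)


LOW_RISK_LIMIT_EUR = 100.0            # assumed per-transaction limit for "low risk"
SPEND_WINDOW = timedelta(hours=24)    # assumed look-back for spending pattern
SPEND_WINDOW_LIMIT_EUR = 5 * LOW_RISK_LIMIT_EUR
BURST_WINDOW = timedelta(minutes=10)  # assumed window for repeated-payment pattern
BURST_COUNT = 3


def pre_authorisation_risk_analysis(tx, executed_history):
    """Synchronous check run BEFORE authorisation on a single transaction.

    Returns (require_sca, reasons). An empty reasons list means the transaction
    looks low risk and, under this illustrative policy, SCA could be skipped.
    """
    reasons = []
    if tx.amount_eur > LOW_RISK_LIMIT_EUR:
        reasons.append("amount above low-risk limit")
    if tx.new_payee:
        reasons.append("first payment to this payee")
    if not tx.device_known:
        reasons.append("unrecognised device")
    recent = [h for h in executed_history
              if h.payer == tx.payer and timedelta(0) <= tx.timestamp - h.timestamp <= SPEND_WINDOW]
    if sum(h.amount_eur for h in recent) + tx.amount_eur > SPEND_WINDOW_LIMIT_EUR:
        reasons.append("abnormal spending in look-back window")
    return bool(reasons), reasons


def post_execution_monitoring(executed):
    """Asynchronous pass over transactions that have ALREADY been executed.

    Flags a pattern no single pre-authorisation check can see: BURST_COUNT or
    more payments from one payer to the same payee within BURST_WINDOW.
    Returns {tx_id: reason}.
    """
    flagged = {}
    by_payer = {}
    for tx in executed:
        by_payer.setdefault(tx.payer, []).append(tx)
    for txs in by_payer.values():
        txs = sorted(txs, key=lambda t: t.timestamp)
        for i, start in enumerate(txs):
            burst = [t for t in txs[i:]
                     if t.payee == start.payee and t.timestamp - start.timestamp <= BURST_WINDOW]
            if len(burst) >= BURST_COUNT:
                for t in burst:
                    flagged[t.tx_id] = "repeated payments to same payee within burst window"
    return flagged


def build_sample():
    """Constructed sample data (not real transactions)."""
    base = datetime(2018, 10, 5, 9, 0)
    history = [Transaction("h1", "alice", "merchant-x", 30.0, base - timedelta(days=3), False, True)]
    incoming = [
        Transaction("t1", "alice", "merchant-x", 40.0, base, False, True),
        Transaction("t2", "alice", "merchant-x", 40.0, base + timedelta(minutes=3), False, True),
        Transaction("t3", "alice", "merchant-x", 40.0, base + timedelta(minutes=7), False, True),
        Transaction("t4", "alice", "merchant-y", 250.0, base + timedelta(minutes=20), True, True),
    ]
    return history, incoming


def run_example():
    """Feed the sample through both stages; returns (sca decisions, post-execution flags)."""
    history, incoming = build_sample()
    executed = list(history)
    decisions = {}
    for tx in incoming:
        require_sca, _reasons = pre_authorisation_risk_analysis(tx, executed)
        decisions[tx.tx_id] = require_sca
        executed.append(tx)  # assume the payment is then authorised (with or without SCA) and executed
    return decisions, post_execution_monitoring(executed)


if __name__ == "__main__":
    decisions, flagged = run_example()
    print("SCA required before authorisation:", decisions)
    print("flagged after execution:", flagged)
```

In the sample, t1, t2 and t3 each stay under the assumed limit, go to an already-known payee from a known device and keep the 24-hour total low, so the real time gate lets each one through without SCA; only t4 (over the limit and to a new payee) requires SCA. The post-execution pass, which only runs once the three payments have been executed, flags t1 to t3 together as a burst, which is the kind of finding the answer's "after the execution" monitoring is for.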

Status: Final Q&A