Single Rulebook Q&A

Question ID: 2019_4664
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph: 1
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: 4
Name of institution / submitter: Bundesanstalt für Finanzdienstleistungsaufsicht
Country of incorporation / residence: Germany
Type of submitter: Competent authority
Subject matter: Applicability of SCA to electronically processed SEPA Direct Debits / Interpretation of EBA Q&A 2018_4359
Question:

Are mandates for direct debits which are set up without direct involvement of the payer’s PSP subject to SCA requirements?

Background on the question:

With Q&A 2018_4359 it has been clarified that a direct debit transaction is not subject to SCA, as it is defined in the PSD2 as a transaction initiated by the payee.

Furthermore, it was stated that in cases where the mandate given by the payer to the payee to initiate one or several such transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) PSD2.

The latter statement might lead to a misinterpretation in the market regarding its scope and needs to be clarified further. This statement can only be applicable when the payer’s PSP is directly involved in the setting up of such a mandate, which is only the case for “e-mandates” as laid down in the SEPA rulebooks.

Otherwise, Article 97 PSD2 is not applicable at all.

Date of submission: 10/04/2019
Published as Final Q&A: 07/06/2019
EBA answer:

Q&A 2018_4359 clarified that a direct debit transaction is not subject to strong customer authentication (SCA), as it is defined in the PSD2 as a transaction initiated by the payee. It also clarified that in cases where the mandate given by the payer to the payee to initiate one or several such transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication. In such circumstances, however, pursuant to the wording of Article 97 PSD2, which only sets obligations to payment service providers (PSP), SCA is only necessary where a PSP is involved in the setting up of such a mandate. Mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status: Final Q&A