2018_4035 Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption by authorized PSPs other than the issuer and the acquirer

Question ID:

2018_4035

Legal Act:

Directive 2015/2366/EU (PSD2)

Topic:

Strong customer authentication and common and secure communication (incl. access)

Article:

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:

Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Article/Paragraph:

Art. 18

Disclose name of institution / entity:

Type of submitter:

Other

Subject Matter:

Criteria for the application of the transaction risk analysis (TRA) exemption – Application of the TRA exemption by authorized PSPs other than the issuer and the acquirer

Question:

May an authorized PSP other than the issuer and acquirer apply the TRA exemption on the basis of its own fraud rate and risk analysis?

Background on the question:

The RTS allow PSPs to apply the TRA exemption. In the case of card transactions, this generically means that both issuers and acquirers are allowed to apply the TRA exemption. Card payments may involve other authorized PSPs in addition to the issuer and the acquirer. These can be, for example, wallet providers, gateways, or an acquirer’s subsidiary that is a separate legal entity from the parent acquirer and provides its acquiring services under its own PSD2 authorization.

We believe that any authorized PSP that is involved in a card transaction should be allowed to apply the TRA exemption on the basis of its own fraud rates and risk analysis.

Date of submission:

28/06/2018

Published as Final Q&A:

26/10/2018

Final Answer:

In accordance with Article 18 of the Commission Delegated Regulation (EU) 2018/389 [RTS on Strong customer authentication and secure communication] “payment service providers shall be allowed not to apply strong customer authentication where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk”. Table 2 (on page 9) of the EBA Opinion on the implementation of the RTS on Strong customer authentication and secure communication clarifies that either the payer’s or the payee’s payment service providers (PSP) may apply the transaction risk analysis exemption, taking into account the consequences of the requirements for liability for unauthorised payment transactions under Article 74(2) of PSD2. Only the payer’s and payee’s PSP may make a decision of whether or not to apply the exemption and the payer’s and payee’s PSPs apply this exemption based on their own fraud rate. Table 2 of this EBA Opinion also specifies that in the specific case of card payments, the payer’s PSP always makes the ultimate decision on whether or not to accept or apply an exemption.

In the event that the payer’s or payee’s PSP have contractual arrangements with other entities, whether or not authorised or registered by a financial regulator, this remains the
decision of the payer’s or payee’s PSP whether to apply an exemption and the reference fraud rate remains the fraud rate of the payer’s or payee’s PSP respectively.

Status:

Final Q&A

Answer prepared by:

Answer prepared by the EBA.