Is Strong Customer Authentication (SCA) required if the series of recurring transactions was initiated before the date of application of the RTS?
The RTS set out an exemption for recurring transactions (Article 14 RTS). In particular, SCA is not required for series of transactions with the same amount and payee. SCA is, however, required “when a payer creates, amends, or initiates for the first time, a series of recurring transactions”.
The RTS do not clarify how this exemption will apply to existing recurring payments solutions once the RTS become applicable. In particular, the RTS do not clarify whether SCA is required for the first recurring transaction carried out after the date of RTS application if the series of recurring transactions was initiated before the date of RTS application.
We believe that a sensible approach would be that recurring payments solutions already in place on the day of RTS application (e.g. existing subscription arrangements) will not require SCA. This is because it is unpractical and technically very difficult to perform SCA for subsequent transactions, as the cardholder is not ‘on-session’. In addition, these transactions have proven to be low-risk.
In accordance with Article 14(1) of the Commission Delegated Regulation (EU) 2018/389, payment service providers shall apply strong customer authentication (SCA) when a payer creates, amends, or initiates for the first time, a series of recurring transactions with the same amount and with the same payee.
Accordingly, for a series of recurring transactions created before the application of the Delegated Regulation, SCA should be required only when there is an amendment to these recurring transactions.