Question ID
2018_4058
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Art. 1
Type of submitter
Other
Subject matter
Transactions initiated via Interactive Voice Response (IVR) solutions
Question

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

Background on the question

Mail Orders and Telephone Orders (MO-TO) transactions are excluded from the PSD2/RTS SCA requirements (Question 46 page 73; Question 90, page 94 of the non-binding Feedback Table annexed to the EBA final draft RTS of February 2017).

We believe that Telephone Orders include also transactions initiated via Interactive Voice Response (IVR) solutions. These transactions are carried out with the payer giving the card details through the telephone to an automated system that interacts with the caller, without the need for human interaction from the merchant’s side.

For this reason, we believe that transactions initiated via Interactive Voice Response (IVR) solutions should be excluded from the scope of the RTS SCA requirements.

Submission date
Final publishing date
Final answer

In accordance with Article 97(1) of PSD2, “…Payment Services Provider (PSP) applies strong customer authentication (SCA) where the payer:

(a) accesses its payment account online;

(b) initiates an electronic payment transaction;

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”.

These conditions are not cumulative, i.e. SCA should apply when one or more are fulfilled.

In accordance with recital 95 of PSD2, payment transactions initiated or executed outside electronic platforms or electronic devices, such as mail orders or telephone orders do not seem to necessitate the same level of guarantees regarding safe authentication as electronic payments. Recital 95 of PSD2 further specifies that “payment services offered via internet or via other at-distance channels, the functioning of which does not depend on where the device used to initiate the payment transaction or the payment instrument used are physically located, should include the authentication of transactions through dynamic codes, in order to make the user aware, at all times, of the amount and the payee of the transaction that the user is authorising."

Payment transactions initiated through a telephone order with the use of an automated solution such as Interactive Voice Response seem to be similar to a regular telephone order. However, where such technology is used to initiate an electronic payment transaction through internet or any other at-distance channels, the provisions on strong customer authentication apply.   

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status
Final Q&A
Answer prepared by
Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.