Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Art. 1
Disclose name of institution / entity:
Type of submitter:
Subject Matter:
Transactions initiated via Interactive Voice Response (IVR) solutions

Do transactions initiated via Interactive Voice Response (IVR) solutions qualify as telephone orders and are therefore excluded from the scope of the RTS SCA requirements?

Background on the question:

Mail Orders and Telephone Orders (MO-TO) transactions are excluded from the PSD2/RTS SCA requirements (Question 46 page 73; Question 90, page 94 of the non-binding Feedback Table annexed to the EBA final draft RTS of February 2017).

We believe that Telephone Orders include also transactions initiated via Interactive Voice Response (IVR) solutions. These transactions are carried out with the payer giving the card details through the telephone to an automated system that interacts with the caller, without the need for human interaction from the merchant’s side.

For this reason, we believe that transactions initiated via Interactive Voice Response (IVR) solutions should be excluded from the scope of the RTS SCA requirements.

Date of submission:
Published as Final Q&A:
Final Answer:

In accordance with Article 97(1) of PSD2, “…Payment Services Provider (PSP) applies strong customer authentication (SCA) where the payer:

(a) accesses its payment account online;

(b) initiates an electronic payment transaction;

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”.

These conditions are not cumulative, i.e. SCA should apply when one or more are fulfilled.

In accordance with recital 95 of PSD2, payment transactions initiated or executed outside electronic platforms or electronic devices, such as mail orders or telephone orders do not seem to necessitate the same level of guarantees regarding safe authentication as electronic payments. Recital 95 of PSD2 further specifies that “payment services offered via internet or via other at-distance channels, the functioning of which does not depend on where the device used to initiate the payment transaction or the payment instrument used are physically located, should include the authentication of transactions through dynamic codes, in order to make the user aware, at all times, of the amount and the payee of the transaction that the user is authorising."

Payment transactions initiated through a telephone order with the use of an automated solution such as Interactive Voice Response seem to be similar to a regular telephone order. However, where such technology is used to initiate an electronic payment transaction through internet or any other at-distance channels, the provisions on strong customer authentication apply.   



This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Final Q&A
Answer prepared by:
Answer prepared by the European Commission because it is a matter of interpretation of Union law.