Question ID:
2018_4083
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Other topics
Article:
97
Paragraph:
1
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Not applicable
Article/Paragraph:
-
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Banque de France
Country of incorporation / residence:
FRANCE
Type of submitter:
Competent authority
Subject Matter:
On the application of SCA when cancelling a payment transaction
Question:

Should Account Servicing Payment Service Providers (ASPSPs) apply strong customer authentication (SCA) when cancelling recurring transactions?

Background on the question:

As the EBA’s opinion states that the API should allow for (the possibility of cancelling an initiated transaction in accordance with PSD2, including recurring transactions (table 1, line 9, p.3), ASPSPs have asked us whether they had to perform SCA in case a cancellation occurs through a Payment Initiation Service Provider (PISP), because it could be argued that cancellation of a transaction “may imply a risk of fraud or other abuses” as per Article 97.1(c) of PSD2, and therefore should require a SCA as per the same article. This is of importance for ASPSPs and TPPs as:

- It could have an impact on the workflows of online banking spaces (for ASPSPs only, ie. should ASPSPs prepare a specific workflow for SCA in case of a cancellation of a transaction?)

- it could have an impact on the workflows of the API (i.e should a complementary workflow for SCA in case of cancellation through the API be prepared or not?)

Date of submission:
04/07/2018
Published as Final Q&A:
12/03/2021
Final Answer:

The act of cancelling a recurrent transaction via a remote channel may imply a risk of fraud or other abuses pursuant to Article 97(1)(c) Directive 2015/2366/EU (PSD2).

Therefore strong customer authentication (SCA) is required to cancel a recurrent transaction, including when using a Payment Initiation Service Provider (PISP).

 

Disclaimer:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the European Commission because it is a matter of interpretation of Union law.
Image CAPTCHA