Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Name of institution / submitter:
European Payment Institutions Federation (EPIF)
Country of incorporation / residence:
Type of submitter:
Industry association
Subject Matter:
Application of Transaction Risk Analysis (TRA) exemption – Real time risk analysis / monitoring

Is it acceptable if a payment service provider (PSP) looking to apply the TRA exemption makes a best effort using the information available to them to identify that none of the six individual factors mentioned in Article 18(2)(c) of the Commission Delegated Regulation 2018/389 are applicable, but does not have to actually identify non-applicability of all of these factors to be able to use the TRA exemption?


Background on the question:

A PSP looking to trigger the TRA exemption is required, in addition to other considerations, to conduct real time risk analysis and to not identify any of the six risk factors listed at Article 18(2)(c). It is not clear if a PSP looking to trigger the TRA exemption is required to take pro-active steps to identify all of these factors, or only those for which the PSP has information available to do so. While it is envisaged both payer and payee PSPs will be able to trigger the TRA exemption, these PSPs have varied access to the information required to perform real time risk analysis against each of the six individual factors. As an example, a gateway provider used by the payee may not provide relevant information to the PSPs looking to apply the TRA exemption. This leads to an uneven playing field, where some PSPs cannot apply the TRA exemption in the same way as the other PSPs given their limited view of the transaction environment and related information.

Date of submission:
Published as Final Q&A:
Final Answer:

Article 18(2)(c) of the Commission Delegated Regulation (EU) 2018/389 requires payment service providers (PSPs) not to have identified any of six specified factors as a result of performing a real time risk analysis. The identification is performed by the PSP using the transaction risk analysis tool. Recital 14 of the Delegated Regulation states that effective and risk-based requirements “should combine the scores of the risk analysis, confirming that no abnormal spending or behavioural pattern of the payer has been identified, taking into account other risk factors including information on the location of the payer and of the payee with monetary thresholds based on fraud rates calculated for remote payments”.

The PSP, in the context of the exemption, is expected to check, as far as it possibly can, whether all the six specified factors are present given that those factors are considered together with the conditions set out under Article 18(2)(a) and (b) of the Delegated Regulation, in order to identify whether or not a payment transaction is low risk for the purpose of the exemption. To enable the PSP to undertake this real time analysis to the greatest extent possible, it should consider requesting information from another PSP in the payment chain.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.