Question ID:
2018_4170
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
28
Paragraph:
5
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
17 & 18
Disclose name of institution / entity:
No
Type of submitter:
Credit institution
Subject Matter:
Home / host cooperation
Question:

Should banks notify only National Competent Authorities (NCAs) of the home Member State when they use Strong customer authentication (SCA) exemptions on Secure corporate payment processes and protocols (Article 17 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication) and Transaction risk analysis (Article 18 of the Delegated Regulation)?

Background on the question:

Bank X, as an internationally operating bank, is developing one central infrastructure (API), based in Member State A, that services all local business units (up to 40 million customers in multiple EEA countries). Therefore it would be as efficient as possible to notify only the home Member State, instead of multiple (up to 18 NCAs) of the same information. Alignment with only the home Member State would be beneficial in terms of assuring one EU-wide harmonized outcome and limiting organizational overhead.

Date of submission:
30/07/2018
Published as Final Q&A:
17/12/2021
Final Answer:

Article 97, part of Title IV, of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to apply strong customer authentication (SCA).

Article 100(4) of PSD2 prescribes that ‘in the event of infringement or suspected infringement of the provisions of national law transposing Titles III and IV, the competent authorities referred to in paragraph 1 of this Article shall be those of the home Member State of the payment service provider, except for agents and branches conducted under the right of establishment where the competent authorities shall be those of the host Member State.’

Accordingly, the competent authority (CA) in the home Member State where the PSP is authorised is responsible for the supervision of the application of the requirements of SCA by the PSPs, including the exemptions from SCA. In the case of branches and agents operating under the right of establishment, the responsibility for the supervision lies with the CA of the host Member State where the branch or the agent is established.

In addition, Articles 17 and 18 of the Commission Delegated Regulation (EU) 2018/389 introduce exemptions from the application of SCA on ‘Secure corporate payment processes and protocols’ and ‘Transaction risk analysis’ (TRA) respectively.

In accordance with Article 17 of the Delegated Regulation, PSPs ‘shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by Directive (EU) 2015/2366’. In relation to this, the competent authority that should carry out the assessment on the equivalent level of security should be the competent authority of the home Member State where the PSP has been authorised. Nevertheless, in accordance with Article 100(4) of PSD2, in the event of infringement or suspected infringement of the provisions of national law transposing Titles III and IV of PSD2 by agents and/or branches operating under the right of establishment, the competent authorities shall be those of the host Member State.

In relation to the TRA exemption under Article 18 of the Delegated Regulation, as clarified in Q&A 4033, the calculation of the fraud rate should be carried out ‘at payment service provider (legal entity) level’. Accordingly, PSPs should notify the competent authority of the home Member State on the use of the TRA exemption. Nevertheless, in accordance with Article 100(4) of PSD2, in the event of infringement or suspected infringement of the provisions of national law transposing Titles III and IV of PSD2 by agents and/or branches operating under the right of establishment, the competent authorities shall be those of the host Member State.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.