How should payment service providers (PSPs) apply the cumulative limits set in Articles 11 and 16 of the RTS on strong customer authentication and secure communication?
(For the purpose of simplicity we will only refer to Article 11 here. The same applies to Article 16 just changing the relevant amounts).
Article 11 indicates that PSPs are allowed not to apply SCA if the amount of the transaction does not exceed 50 Euros and either the cumulative amount of previous transactions from the date of the last application of SCA does not exceed 150 Euros, or the number of consecutive transactions since the last application of SCA does not exceed 5.
In point 43 of EBA’s opinion on the implementation of the RTS, dated June 13th, it is confirmed that only one of the two cumulative limits needs to be met in order for the PSPs to be allowed not to apply SCA.
However, it is then suggested that PSPs decide at the outset which of the two cumulative limits they use. This suggestion has created some confusion regarding whether or not PSPs can change the limit applied at will, on a transaction-by-transaction basis.
The Commission Delegated Regulation (EU) 2018/389 does not specify how payment service providers (PSPs) should apply the counters for the purpose of deciding whether an exemption under Articles 11 and 16 of the Delegated Regulation may apply or not. The EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication and common and secure communication, EBA-Op-2018-04, states in paragraph 43 that “it may be preferable for PSPs to decide at the outset which cumulative limit they use (rather than on a transaction-by-transaction basis), as it may otherwise be confusing for consumers”. This has also been clarified in Q&A 2018_4225.
Nevertheless, in the event that PSPs decide to apply the exemptions on a transaction-per-transaction basis, they would need to simultaneously check whether either of the limits under Article 11(b) and Article 11(c) of the Delegated Regulation (or Article 16(b) and Article 16(c) respectively) has been reached and apply strong customer authentication (SCA) as soon as either or both limits are reached.
The application of the exemptions under Articles 11 and 16 is without prejudice to the possibility for PSPs, based on their fraud management procedures, to request the application of SCA before any of the limits is reached.