Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Application of the strong customer authentication (SCA) in case of refund

Is a refund, which is considered an electronic payment transaction, subject to strong customer authentication (SCA)? Is a merchant that initiates a refund request considered a payer? If so, does a payment service provider (PSP) that holds the payment account of a merchant have to set up SCA each time the merchant makes a refund from its payment account?

Background on the question:

The PSD2 & RTS do not specify whether a PSP needs to implement SCA for its merchant in case of refunds. It will negatively influence the merchant experience if, each time the merchant asks for a refund (whether via an Application Programming Interface (API) call or directly from the PSP's back office), SCA has to be set up.

Most of the time, refunds are made via an API call (remote payment transaction); as a consequence, the merchant does not connect to the PSP's back office (and to its payment account) but carries the refund out directly from its own back office. The whole process is done via API.

Article 97(1) of Directive 2015/2366/EU (PSD2) states that payment service providers (PSPs) “shall apply strong customer authentication (SCA) where the payer:

(a) accesses its payment account online;

(b) initiates an electronic payment transaction;

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.”

Article 4(5) of PSD2 defines a payment transaction as ‘an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee’. Article 4(6) of PSD2, in turn, defines a remote payment transaction as ‘a payment transaction initiated via internet or through a device that can be used for distance communication’.

Accordingly, the refund initiated by a merchant, which in this case acts in its capacity as a payer, is an electronic payment transaction initiated by the payer. Therefore, this would require the PSP of the merchant to apply SCA, unless an exemption from SCA under the Commission Delegated Regulation (EU) 2018/389 applies, including the exemption under Article 17 of the Delegated Regulation on secure corporate payment processes and protocols.

In the specific case of a refund via a remote electronic payment transaction, in accordance with Article 97(2) of PSD2, the PSP of the merchant should apply SCA that includes elements, which dynamically link the transaction to a specific amount and a specific payee. In this case, the requirements of Article 5 of the Delegated Regulation apply also to the respective payment transaction.

Answer prepared by the EBA.