In the Fraud Reporting, how should payment service providers (PSPs) report card transactions without Strong Customer Authentication (SCA) that are out of scope of the requirement for SCA, i.e. one-leg transactions and merchant-initiated transaction?
There are three levels of card transactions that will not require strong customer authen-tication (SCA):
1. Transactions outside the scope of PSD2 (and already PSD1):
a. Non-electronic card transactions:
i. Pure mail and telephone order transactions
ii. Transactions generated through a deduction on paper of imprinted card information
b. Transactions on card products that are exempted under Article 3 (k) for limited networks, e.g. merchant chain-specific cards.
2. Transactions within the scope of PSD2 but outside the scope of the SCA re-quirement:
a. One-leg transactions, where the second payment service provider is outside the EEA
b. Merchant-initiated transactions (MIT) that are initiated by the payee and thus, like the direct debit / direct debit, are not met by the require-ment for SCA.
3. Transactions (which are within the scope of both PSD2 and RTS on SCA, where the card issuer or card acquirer chooses to apply one of the exemptions specified in the RTS.
With regard to fraud reporting, we perceive that the EBA Guidelines stipulate that transactions of type 1b, i.e. transactions with payment instruments exempted from PSD2 under Article 3 (k), shall not be reported.
All other categories of transactions above must be reported according to the Guidelines, including transactions of type 1a, even though this category is actually outside the scope of the directive and it therefore seem to be no legal support from the PSD2 to mandate reporting on these transactions. Reporting of transactions of category 1a, however, does not pose a problem since they have got their own rows in the templates (3.1 in the C template and 4.1 in the D template), and we support the basic idea that all transactions with general payment instruments should be reported to give fair statistics.
However, a problem arises as to how transactions of category 2 should be reported. These transactions must be included in the totals for all transactions without SCA – “Of which authenticated via non-strong customer authentication”:
• 184.108.40.206 (remote, issuer),
• 220.127.116.11 (non-remote, issuer),
• 18.104.22.168 (remote, acquirer) and
• 22.214.171.124 (non-remote, acquirer).
But these totals will then be further broken down under the heading "of which broken down by reason for non-strong customer authentication" under which the exemptions allowed by the RTS are listed. However, for the transactions in category 2, none of these exemptions under the RTS applies, as these transactions are completely outside the scope of the RTS. Thus, they cannot be reported in any of these rows. Thus, the sum of the rows under the heading "of which broken down by reason for non-strong customer authentication" will not equal the total of “Of which authenticated via non-strong customer authentication”, which it is mandated under Validation that it should. If there is an automated control in the reporting facilities in the form that makes it impossible to submit the report when the lower level rows do not equal the higher-level total, then the reporting PSP will not be able to carry the reporting through at all. If there are no such If there are no such automated controls, the Payment Service Provider will be able to submit a report with higher-level totals that do not equal the sum of the lower-level rows, but the receiving supervisory authority will not be able to validate the data. In addition, for transactions outside the EEA, one cannot deduce the reason behind the gap between the totals and the reported exemptions, as this gap will consist of both one-leg transactions and (two-leg) merchant-initiated transactions.
In accordance with the EBA Guidelines on fraud reporting under PSD2 (EBA/GL/2018/05) as amended by the EBA Guidelines EBA/GL/2020/01, “Merchant initiated transactions”, as defined in the EBA/GL/2020/01, that are initiated and executed from 1 July 2020 onwards, without the application of strong customer authentication (SCA), should be reported under the category “Merchant initiated transactions”, introduced through the EBA/GL/2020/01, in row 126.96.36.199.9 of Data Breakdown C, row 188.8.131.52.7 of Data Breakdown D or, as applicable, row 184.108.40.206 of Data Breakdown F.
Similarly, card-based payments initiated and executed from 1 July 2020 onwards where either the payer’s payment service provider (PSP) (the issuer) or the payee’s PSP (the acquirer) is located outside the Union (the so-called ‘one-leg’ transactions), to which SCA is not applied for reasons other than an exemption to SCA in Articles 11 to 18 of the Commission Delegated Regulation (EU) 2018/389, should be reported under the category “Other” in rows 220.127.116.11.10 and 18.104.22.168.8 of Data Breakdown C, rows 22.214.171.124.8 and 126.96.36.199.7 of Data Breakdown D and rows 188.8.131.52 and 184.108.40.206 of Data Breakdown F.
Given that the amendments introduced through the EBA/GL/2020/01 apply only to payment transactions initiated and executed from 1 July 2020 onwards, merchant initiated transactions and one-leg payment transactions that are initiated and executed before 1 July 2020, for which SCA is not applied for reasons other than an exemption in Articles 11 to 18 of the Commission Delegated Regulation, should be reported only under the higher-level category “Of which authenticated via non-strong customer authentication” in the relevant Data Breakdowns in Annex 2, and not in the breakdowns relating to the different exemptions to the SCA. This will affect the validation rules under the relevant Data Breakdowns in Annex 2 of the Guidelines, as the total of the transactions reported under the higher-level category “Of which authenticated via non-strong customer authentication” could be higher than the total of the transactions reported under the breakdowns relating to the different exemptions to SCA.