- Question ID
-
2020_5124
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- Paragraph
-
1
- Subparagraph
-
b
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
-
- Type of submitter
-
Credit institution
- Subject matter
-
SCA for staff assisted electronic channel
- Question
-
Please clarify where a customer is physically present and identified in branch, the strong customer authentication (SCA) requirements if that customer completes a Standing Order instruction (Setup, Amend or Cancel) or initiates a credit transfer through a staff assisted electronic channel (i.e. tablet device)?
- Background on the question
-
As per article 97.1.b (PSD 2), Payment service providers (PSPs) must apply SCA where the payer initiates an electronic payment transaction.
In order to assist non-digital and other vulnerable customers we provide an in-branch, staff assisted electronic channel where some payment instructions may be provided by inputting necessary details via a tablet device. As part of process,
1. Branch staff member must initially verify customer identity using photo identification.
2. Branch staff member will login to the tablet device using their own credentials and will locate the customer profile on the tablet.
3. Branch staff member will ask customer to provide or input the payment details in the tablet.
4. Post customer input, branch staff member will validate the payment details & also manually validate the customer signature before submitting the payment for processing.
Is this process considered the initiation of an electronic payment by the payer? Alternatively, in circumstances where the function of SCA is to authenticate a payer, can this be considered to have taken place given that the payer is physically present and has been identified? Finally, are we considered to have performed SCA on the basis of the photo ID (something the customer has - possession) and the physical presence of the customer (something the customer is – inherence)?
If SCA is considered required and not to have been satisfied, is it legitimate to deem these transactions extremely low risk and dispense with SCA on the understanding that full liability is being assumed for any issues that may subsequently arise with these payments?
- Submission date
- Final publishing date
-
- Final answer
-
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication where the payer initiates an electronic payment transaction.
Recital 95 of PSD2 clarifies that ‘all payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. There does not seem to be a need to guarantee the same level of protection to payment transactions initiated and executed with modalities other than the use of electronic platforms or devices, such as paper-based payment transactions, mail orders or telephone orders.’
Article 4(29) of PSD2 defines authentication as a ‘procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials’.
In the case described by the submitter, the payment service user is physically present at the premises of the PSP, the authentication of the payment service user is carried out by staff of the PSP and the submission of the payment order to execute a credit transfer is carried out with the assistance of staff of the PSP. Therefore, the initiation and execution of the payment transaction referred to by the submitter is similar to a paper-based payment transaction as referred to in Recital 95 of PSD2. Accordingly, the payment transaction described by the submitter does not require the application of strong customer authentication.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.