- Question ID
-
2020_5534
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- Paragraph
-
1
- Subparagraph
-
c
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
N/A
- Name of institution / submitter
-
Sebastian Nielsen
- Country of incorporation / residence
-
Sweden
- Type of submitter
-
Individual
- Subject matter
-
Bill-payment via postal service
- Question
-
Does bill-payment via snail-mail (postal service) fall into the definition of Article 97 1(c) and thus are subject to strong customer authentication (SCA) requirements?
- Background on the question
-
Many banks in Member State A permit "bill payment via postal service" where you send in the bills to be paid in a envelope, along with a "cover sheet". In the cover sheet you write the total amount to be paid, so nobody can add bills into the envelope secretly.
Mostly ederly people use this service, as it is a service that originates pre internet.
The problem with the service, is that it does not provide any security against fraud, if the pad with the serialized "cover sheet" (where you tear off a cover sheet when you are going to pay your bills) gets stolen. There is no authentication, PIN code, verification or anything that prevents a unauthorized individual from using someone else's cover sheet.
Note that even if you sign the cover sheet with your physical signature, there is no verification, the signature is just there for auditing and traceability. Since the envelope can be put in any postal box on the street, there is also no ID check during submission.
The only security that is provided by the bank, is that if you lose your pad with cover sheets, you can call in and block them (report them stolen) so the serial numbers become blacklisted and cannot be used for bill payment.
If there would be a ID check during submission, for example if there was a requirement to give the envelope to the postal services clerk desk, and then show ID card, and then they write the social security number on the envelope along with a stamp that ID check has been done - then it would be somewhat secure with regards to today's security standards.
- Submission date
- Final publishing date
-
- Final answer
-
This question is related to several other Q&As: 4058, 4788, 5124, and 6315.
Under Article 97(1)(b) of Directive (EU) 2366/2015 (PSD2), payment services providers shall carry out strong customer authentication where the payer initiates an electronic payment transaction.
The services of “bill payment via postal services” however, as prescribed by the questioner, do not fall under the requirements as set out in Article 97(1)(b) PSD2.
As described by the questioner, the payee provides its payment services provider with the bill, together with a “cover sheet” with the total amount to be paid in an envelope, and sends this to its payment service provider via a postal service. When the payment service provider receives the envelope, it will settle the bill. This appears to be similar as a Mail-Order payment.
In accordance with Recital 95 PSD2, payment transactions initiated and executed outside electronic platforms or electronic devices, such as mail orders or telephone orders do not seem to necessitate the same level of guarantees regarding safe authentication as electronic payments.
Accordingly, a payment transaction initiated through the described postal service is not initiated and executed electronically and thus can be considered as outside the scope of the SCA requirement.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the European Commission because it is a matter of interpretation of Union law.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.