- Question ID
-
2023_6873
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
80
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
36(1)(b)
- Name of institution / submitter
-
Bank of Spain
- Country of incorporation / residence
-
España
- Type of submitter
-
Competent authority
- Subject matter
-
PISP payment order cancellation due to fraud prevention reasons
- Question
-
Due to fraud prevention reasons, could an ASPSP block a payment order initiated through a PISP despite having informed the PISP immediately upon authentication, that the payment was going to be executed (i.e., after having provided the PISP with the code ACSC under the Berlin Group Standard)? In that scenario who should bear the liability if the payment is not executed but, nonetheless, the payee delivered the good or service promptly after being informed by the PISP of the successful initiation of the payment?
Would the answer be different if the ASPSP had simply confirmed the sufficiency of funds as stated in the EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04)
- Background on the question
-
We would like to consider four relevant use cases where, a SEPA D+1 credit transfer is initiated through a PISP and SCA is successfully applied. A description of each use case is given below:
a) After having the ASPSP provided to the PISP the confirmation that the payment will be executed (code ACSC), the payer claims to be a victim of a fraud and requests the ASPSP to cancel the payment. As the request takes place before the execution of the payment, the latter does not take place.
b) After having the ASPSP provided to the PISP the confirmation that the payment will be executed (code ACSC), during the payment processing, ASPSP's anti-fraud controls, based on objectively justified and duly evidenced reasons, provides an early warning about the possibility of an unauthorized or fraudulent payment transaction initiation. Consequently, the ASPSP decides, in a preventive manner, to block the payment account and cancel any other pending payments, irrespective of having being initiated through a PISP or other channels.
c) +d) Either of the cases above but after having the ASPSP provided to the PISP with only a YES answer regarding the sufficiency of funds or with a code reflecting such a sufficiency
Article 66(4)(b) of PSD2 establishes that “The account servicing payment service provider shall immediately after receipt of the payment order from a payment initiation service provider, provide or make available all information on the initiation of the payment transaction and all information accessible to the account servicing payment service provider regarding the execution of the payment transaction to the payment initiation service provider”.
Furthermore, Commission Delegated Regulation (EU) 2018/389 and, in particular, EBA’s Opinion EBA-Op-2018-04, develops the provisions of the abovementioned article concluding that the ASPSPs shall provide the PISP, immediately after receipt of the payment order, the necessary information to initiate the payment, including a confirmation (yes/no) of the availability of funds; this information should help the PISP to manage the risk it may face if, following the initiation of the payment, it transpires that the payment cannot be executed.
Additionally, in accordance with Recital 29 PSD2, payment initiation services enable the payment initiation service provider to provide comfort to a payee that the payment has been initiated in order to provide an incentive to the payee to release the goods or to deliver the service without undue delay.
However, there are no provisions about the possibility of a duly (in principle) justified not execution of a payment, after the AISP has provided to the PISP the confirmation that the payment will be executed.
On the other hand, article 80.2 of PSD2 establishes that “Where the payment transaction is initiated by a payment initiation service provider […] the payer shall not revoke the payment order after giving consent to the payment initiation service provider to initiate the payment transaction […]”. Then according to article 80.5 “After the time limits laid down in paragraphs 1 to 4, the payment order may be revoked only if agreed between the payment service user and the relevant payment service providers. In the case referred to in paragraphs 2 and 3, the payee’s agreement shall also be required”.
However, in the exposed cases there is not a proper revocation since the payer assures it was not him who ordered the payment transaction.
The described cases could lead to an undesirable situation in the event the PISP had already informed about the successful initiation of the payment to the payee who immediately afterwards delivered the corresponding goods or services.
- Submission date
- Status
-
Question under review
- Answer prepared by
-
Answer prepared by the European Commission because it is a matter of interpretation of Union law.