Who is liable for fraud on Strong Customer Authentication (SCA) exempted transactions? Which payment service provider (PSP) is liable (payer’s or payee’s) when both PSPs choose to trigger an exemption to SCA?
The current legal text in the Directive and the Commission Delegated Regulation (EU) 2018/389 do not provide clarity on the impact (if any) on liability for fraudulent transactions in instances where an SCA exemption has been triggered. In particular, both payer and payee PSPs are able to trigger certain SCA exemptions and it is not clear if there is any impact on liability based on which PSP triggers an exemption. A lack of clarity on liability on SCA-exempted transactions that turn out to be fraudulent could lead to difficulties resolving consumer complaints around fraudulent transactions and undermine efforts to manage processes and solutions for reducing fraud.
Article 73(1) of PSD2 states that in the case of an unauthorised payment transaction the payer's payment service provider (PSP) refunds the payer the amount of that transaction. In accordance with Article 74(2) of PSD2, “Where the payer’s payment service provider does not require strong customer authentication [SCA], the payer shall not bear any financial losses unless the payer has acted fraudulently. Where the payee or the PSP of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider.” Article 74(2) PSD2 may be dis-applied if the payment service user is not a consumer (Article 61(1) PSD2).
It follows from the above that unless the payer acted fraudulently, the payer’s PSP is liable towards that payer for transactions carried out without SCA.
If the PSP of the payee triggers an SCA exemption and the transaction is carried out without an SCA, the payee's PSP will be liable towards the payer's PSP for the financial damage caused. This is without prejudice to the obligations of the payer's PSP towards the payer as referred to above.
This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.