Does the exemption to strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results in a low level of risk? That is, are the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user also eligible for a transaction risk analysis and, if a low level of risk is identified, for an exemption to SCA? Or do PSD2, and specifically the RTS on SCA and secure communication, not apply to the traditional connections performed by PSUs to their payment accounts via the online banking or mobile application provided by the bank (ASPSP), and do they not mandate transaction monitoring in such cases?
We, as a financial institution, are very clear that online transaction monitoring is mandatory when a PSU connects to his/her payment account and either accesses the payment account online, initiates an online payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud or other abuses (according to Article 97 of PSD2). It is also very clear to us that, if the online monitoring results in a low level of risk for the operation to be performed by the PSU, an exemption to SCA may be applied.
However, it is not very clear to us what the rule is when the PSU directly connects to his/her payment account via the online banking webpage or the mobile application provided by the bank, and where no third party processor intervenes. In such a case, it is not very clear to us whether, as a general rule, SCA is mandatory, and whether online transaction monitoring resulting in a low level of risk for the operation to be performed by the PSU may be used as an exemption from applying SCA to the operation.
As a security best practice, we understand that online transaction monitoring is necessary, but we do not know whether that monitoring is not only a best practice but also a mandatory requirement (under PSD2 and the RTS on SCA) for the transactions performed by the PSU when he/she directly connects to his/her payment account via the online banking webpage or mobile application provided by the bank.
Article 97(1) of PSD2 states that “a payment service provider applies strong customer authentication where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”. PSD2 does not distinguish between payment transactions that may have been made using a payment initiation service provider or not.
Similarly, the Commission Delegated Regulation (EU) 2018/389 does not distinguish whether a payment transaction has been made using a payment initiation service provider or not for the purpose of applying an exemption. In addition, paragraph 36 of the EBA Opinion on the implementation of the regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication (CSC) (EBA-Op-2018-04, June 2018) further explains that “SCA has to be applied to access to payment account information and to every payment initiation, including within a session in which SCA was performed to access the account data, unless an exemption under the RTS applies”, irrespective of whether or not a payment initiation service provider has been used. Moreover, this EBA Opinion explains in paragraph 39 that “only the ASPSP can apply SCA or decide whether or not an exemption applies to a PSU’s payment account in the context of AIS and PIS”.
This means that whilst an exemption may apply to a payment transaction that has been initiated through a payment initiation service provider, the payment initiation service provider cannot decide whether or not an exemption applies. In the specific case of the exemption based on transaction risk analysis, the fraud rate therefore refers to the fraud rate of the Account Servicing Payment Service Provider (ASPSP). If that fraud rate is below the applicable threshold as described in the Annex to the Delegated Regulation, the ASPSP may apply the exemption provided the other conditions set out in Article 18 of the Delegated Regulation are met.