In August of this year, the European Banking Authority (EBA) published the draft of the Regulatory Technical Standards (RTS) specifying – amongst others – the requirements on Strong Customer Authentication (SCA) under PSD2. Several parties already published their consultation responses (EPIF, EPC and a joint Payments UK, FFA UK & UK Cards Association Response). Those parties also address the ‘conflict’ between SCA under Article 97(1) PSD2 and the liability shift of Article 74(2) PSD2.
Article 97(1) PSD2 provides that Member States shall ensure that a PSP applies SCA in certain circumstances. Article 74(2) PSD2 on the other hand makes SCA optional for payees and PSPs of payees, but with a liability shift.
According to Article 74(2) PSD2, the liability for an unauthorized payment transaction is shifted to the payee or the PSP of the payee that failed to accept SCA. Article 74(2) PSD2 reads as follows: “Where the payer’s payment service provider does not require strong customer authentication, the payer shall not bear any financial losses unless the payer has acted fraudulently. Where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider.”
In the draft RTS, the EBA expressed the following ‘understanding’: “considering remote card payment transactions, card acquiring PSPs should require payees to support strong customer authentication for all payment transactions, in order to allow the payer’s PSP to perform SCA in compliance with PSD2. The EBA understands that Article 74(2) of PSD2, which allows the payee or the payee’s PSP the option not to accept SCA, only applies during the short-time transitional period between the application date of PSD2 (13 January 2018) and the application date of the RTS under consultation (in October 2018 the earliest). During this transitional period, ‘where the payee or the payment service provider of the payee fails to accept strong customer authentication, it shall refund the financial damage caused to the payer’s payment service provider’.”
This view is interesting. The EBA does acknowledge that Article 74(2) PSD2 gives payees and PSPs of payees the option not to apply SCA. The EBA on the other hand sees a time-limitation. Article 74(2) PSD2 would, according to the EBA, only apply during the transitional period between 13 January 2018 and the application date of the RTS.
It can first be argued that the EBA has no mandate for its ‘understanding’; see the response of the EPC. Second, it is not clear what the material legal basis for the EBA’s ‘understanding’ is. Article 115(4) PSD2 does provide that Member States shall ensure the application of the security measures of – amongst others – Article 97 PSD2 from 18 months after the date of entry into force of the RTS, but this article does not state that from that moment Article 74(2) PSD2 shall remain without effect.
A payee or PSP of the payee could thus argue that, without a time-limitation, SCA remains optional for them under PSD2. The question is then of course how this relates to Article 97(1) PSD2, which provides that SCA is mandatory for PSPs in certain circumstances.
An interpretation could be that Article 97(1) PSD2, where it refers to PSPs, only applies to issuers of payment instruments and account servicing PSPs (ASPSPs), but not to PSPs of the payees. See also the joint Payments UK, FFA UK & UK Cards Association Response. A logical interpretation would then further be that, where SCA remains optional for payees and PSPs of the payees, the obligation of issuers and ASPSPs under Article 97(1) PSD2 automatically cannot extend further than supporting (and not always applying) SCA. This would of course be a broad interpretation of the words ‘applies SCA’ in Article 97(1) PSD2, but if ‘applies’ meant that SCA should always be applied for each and every payment transaction in scope of Article 97(1) PSD2, the ‘right’ of payees and PSPs of payees to not apply SCA would remain ineffective.