On 13 June 2018 EBA has published an opinion on the interpretation of regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication (CSC). The opinion clarifies some open questions on the interpretation of the RTS.
Clarifications by EBA
Amongst others, the clarifications by EBA cover the scope and frequency as well as questions relating to the methods of carrying out SCA.
EBA clarifies the principle that AISPs and PISPs shall have the same level of access to the payment account data that the payment service user has. In particular, if there are more data available to the payment service user through a computer connection online than from a mobile app, the AISP must have access via the interface to all data available on the computer online regardless of the channel used by the payment service user to access the AISP.
In addition, PISPs shall have the right to initiate the same transactions that the ASPSPs offer to its own payment services users, such as instant payments, badge payments, international payments, recurring transactions, payments set by national schemes and future dated payments.
EBA further clarifies, that it is in each case up to the ASPSP to decide whether to apply an exemption on SCA or not.
Open issues remain
On the other hand, some issues addressed by EBA in the opinions still remain unclear. For instance, EBA takes the view that in case of one leg transactions, where only one part of the payment transaction takes place within the EEA, ASPSPs located in the EEA shall take best efforts to apply SCA. It remains unclear, what such best effort measures shall consist of.
In addition, EBA seems to indicate that in case of a card payment the exemption for low risk transactions may only be applied if the threshold for the reference fraud rate as provided for in the RTS is met by both the issuer and the merchant acquirer. It is unclear, what measures the card issuer has to take in order to ensure that the fraud rate of the merchant acquirer is below the required threshold.
Impact of the opinion
The opinion provided by EBA is based on article 29 of the EBA regulation. Other than guidelines under the EBA regulation opinions do not require competent authorities of the member states to a comply or explain principle. Thus, competent authorities may not be required to implement such opinions into their administrative practice nor explain such approach. However, given EBA’s status as an important authority competent national authorities may tend to follow EBA’s opinion.