The TRA exemption – transaction risk (or terribly refined) analysis

Under the TRA (transaction risk analysis) exemption, payment service providers (PSPs) are allowed to not apply strong customer authentication (SCA) measures to the initiation of remote payment transactions that they identify as posing a low risk of fraud.

To qualify as low risk for the purposes of the TRA exemption, a payment transaction must meet several (cumulative) conditions:

  • The overall fraud rate for that type of transaction, calculated at the PSP level on a rolling quarterly basis, must not exceed the reference fraud rates for the same type of payment transactions as defined in the EBA RTS on SCA
  • The amount of the relevant payment transaction is equal to or less than the relevant exemption threshold specified in the EBA RTS on SCA, up to €500
  • After taking into account specific risk criteria, the transaction does not present characteristics that indicate a higher risk of fraud (such as abnormal behaviour of the payer, abnormal location of the payer, etc.).

The implementation of the TRA exemption raises numerous practical issues, as evidenced by the number of questions submitted to the EBA within the framework of its Q&A on payment services. Some of these were recently answered by the EBA and hopefully others will be in the following weeks.

Based on those clarifications, when assessing whether it can apply the TRA exemption, a PSP should review the conditions below.

1. Is the payment transaction a remote payment transaction and is the PSP in a position to decide whether to apply the TRA exemption?

According to recent guidance provided by the EBA, only the following PSPs are allowed to apply the TRA exemption to the following transactions:

  • In the case of remote electronic credit transfers: the PSP of the payer
  • In the case of remote electronic card-based payments: the issuer and the acquirer, it being understood that if the acquirer decides to apply the TRA exemption, the issuer remains free to decide whether to authorise a transaction initiated without SCA.

2. Does the PSP qualify for the TRA exemption based on its overall fraud rates for the relevant type of payment transaction?

In order to be allowed the TRA exemption, the PSP must verify that the overall fraud rates of the remote payment transactions executed by that PSP during the last three months (‘on a rolling quarterly basis’) are equal to or lower than the reference fraud rates specified in the EBA RTS on SCA. These reference fraud rates vary according to the type of payment transaction (remote electronic card-based payments vs. remote electronic credit transfers).

The PSP must calculate the applicable fraud rate by category of payment transaction (remote electronic card-based payments on the one hand, remote electronic credit transfers on the other hand); the fraud rate is the result of dividing the total value of unauthorised and fraudulent remote transactions (including fraudulent transactions resulting from the manipulation of the payer) by the total value of the payment transactions of the same type, whether authenticated with SCA or not, on a quarterly rolling basis.

No other granularity is allowed when calculating the fraud rate: there can be no separate fraud rate for different customer segments or payment card types within an issuer, or for a specific brand, payment scheme or merchant (no fraud rate specific to a merchant or category of merchants, etc.).

3. Is the transaction amount within the relevant exemption threshold value specified in the EBA RTS on strong customer authentication?

The TRA exemption can only be applied to remote transactions below the specific monetary thresholds specified in the EBA RTS on SCA. These thresholds vary depending on the PSP’s fraud rate for the relevant type of payment transaction (for instance, for remote electronic card-based payments, if the PSP’s overall fraud rate is equal to or lower than 0.01%, the TRA exemption may be applied to remote electronic card-based payments up to €500; where the fraud rate is higher than 0.01% but equal to or lower than 0.06%, the TRA exemption may be applied to transactions up to €250, etc.).

In practice, the lower the PSP’s fraud rate for a type of payment transaction, the higher the amount of the payment transaction qualifying for the TRA exemption.

4. Has the PSP confirmed that the transaction does not have any of the characteristics indicating higher risks of fraud as specified in the EBA RTS on SCA by taking into account certain risk factors?

Even if the PSP and the transaction meet all other conditions, the PSP may not apply the TRA exemption if, following a real time analysis, it has identified circumstances indicating potentially higher risks. These circumstances are listed in the EBA RTS on SCA (abnormal spending pattern of the payer, abnormal location of the payer, etc.). When verifying the absence of those circumstances, the PSP must take into account at least the mandatory minimal risk factors listed.
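The checks in steps 2 to 4 can be sketched in code. This is an added example, not part of the original article or of the EBA RTS: the `Txn` record, the function names, the 90-day approximation of the rolling quarter and the risk-flag list are assumptions, and the tier table holds only the two card-payment tiers the article quotes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from fractions import Fraction

# Card-payment tiers quoted in the article: (max fraud rate, max amount in EUR).
# The article's list ends with "etc."; any further tiers are not reproduced here.
CARD_TIERS = [(Fraction(1, 10_000), 500), (Fraction(6, 10_000), 250)]

@dataclass
class Txn:                 # hypothetical ledger record
    day: date
    kind: str              # "card" or "credit_transfer"
    amount_cents: int
    fraud: bool            # unauthorised or fraudulent, incl. payer manipulation
    sca: bool              # not used in the rate: SCA and non-SCA both count

def fraud_rate(ledger, kind, today, window_days=90):
    """Fraud value / total value for one transaction type, rolling window."""
    start = today - timedelta(days=window_days)
    window = [t for t in ledger if t.kind == kind and start < t.day <= today]
    total = sum(t.amount_cents for t in window)
    fraud = sum(t.amount_cents for t in window if t.fraud)
    return Fraction(fraud, total) if total else None

def exemption_ceiling(rate, tiers=CARD_TIERS):
    """Highest exempt amount in EUR for this fraud rate, or None."""
    if rate is None:       # assumption: no volume means no exemption
        return None
    for max_rate, max_amount in tiers:
        if rate <= max_rate:
            return max_amount
    return None

def tra_exempt(ledger, today, amount_eur, risk_flags):
    """Conditions are cumulative; any real-time risk flag forces SCA."""
    ceiling = exemption_ceiling(fraud_rate(ledger, "card", today))
    return ceiling is not None and amount_eur <= ceiling and not risk_flags

# Constructed sample: EUR 1,000,000 of card volume in the window, EUR 300 fraud.
TODAY = date(2018, 12, 1)
SAMPLE = [
    Txn(TODAY - timedelta(days=10), "card", 99_970_000, False, True),
    Txn(TODAY - timedelta(days=5), "card", 30_000, True, False),
    Txn(TODAY - timedelta(days=200), "card", 50_000_000, True, False),  # too old
    Txn(TODAY - timedelta(days=3), "credit_transfer", 10_000_000, True, True),
]
```

With the constructed ledger the card fraud rate is 0.03%, so a €200 payment with no risk flags qualifies, while a €300 payment or any flagged payment does not.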

This article was originally published in the December 2018 edition of Osborne Clarke’s EPSM Legal Research Newsletter.