A recent statement by the EBA that the setting up of a SEPA direct debit mandate provided through a remote channel is subject to strong customer authentication has caused concerns in the payment services market. BaFin has now clarified that it does not consider strong customer authentication to apply where payment service providers are not involved in the process of issuing the mandates. What are the implications of these statements?
The EBA statement
On 22 February 2019, the EBA published a statement via its Q&A tool (questions-ID 2018_4359) on the application of strong customer authentication (SCA) to direct debit transactions. First, the EBA confirmed the view, which was also widely held by payment market players and certain local authorities (such as BaFin), that payment transactions that are not initiated by the payer but by the payee are not subject to SCA. The reason for this position is that these transactions are initiated without any interaction or involvement of the payer, whereas SCA would only apply where the payer carries out an action.
However, the EBA takes the view that where the mandate of the payer to the payee to initiate direct debit transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication. The EBA argues that according to Article 97(1) PSD2, SCA applies where (amongst other things) the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. The EBA concludes that setting up a direct debit mandate through a remote channel implies such risk of payment fraud or other abuses.
This statement has raised significant concerns in the payment market (although the EBA has indicated before that it might adopt this position). The EBA’s statement does not clearly say whether the EBA would only consider direct debit mandates given with the involvement of the bank being subject to SCA, or also mandates given with the involvement of an e-commerce-shop only. However, it seems that the EBA is taking the latter position, as direct debit mandates given to the e-commerce-shop directly would be given through a remote channel.
Currently, in the e-commerce market, consumers, that want to pay via direct debit, normally provide the mandate electronically to the merchant, but do not conduct SCA. Therefore, the EBA’s approach would have the result that all e-commerce shops would need to implement SCA procedures in order to obtain new direct debit mandates from their customers. It goes without saying that this would lead to significant costs and internal effort for e-commerce shops and payment service providers. In addition, customers might abort sales or switch to other payment methods.
The BaFin statement
On 17 April 2019, BaFin published a statement that SCA is only required for direct debit payments on the Internet if the mandate is given by the payer with the direct involvement of the payer’s payment service provider. According to BaFin, this would only be the case for e-mandates within the meaning of the SEPA rules and regulations. Such e-mandates are, however, currently not generally applicable in Germany. Online mandates directly given by the payer to an e-commerce shop will, however, not be subject to SCA.
Comment and forecast
What does this mean in practice? First, e-commerce shops and payment service providers involved in direct debit business will welcome this statement, as it protects a broadly accepted payment method from significant obstacles. Second, BaFin is not bound to adopt interpretative statements by the EBA (or the European Commission). Therefore, German payment service providers may execute direct debit transactions without SCA if a mandate has not been given with the involvement of the payer’s bank.
However, the statement by BaFin only applies to German payment service providers. Whereas this statement seems to be the final word for the local German market, the situation may be different in other EEA countries or in cross-border direct debit transactions, provided local authorities follow the EBA’s approach.
Finally, the question remains open whether BaFin will extend their statement to MITs as the EBA published a statement recently that SCA is required where the mandate of the payer to the payee to initiate card transactions is provided through a remote channel.
 To be noted: In this statement, EBA has clarified that this is an unofficial opinion of the European Commission that the EBA publishes on its behalf. As EBA is the publishing channel, we refer to this statement as EBA’s statement in this article.