The European Commission (EC) has recently confirmed that merchant-initiated transactions (MITs) are out of scope of SCA, following arguments and discussion led by UK Finance and supported by Osborne Clarke ("OC"). OC wrote a definitive document setting out the legal rationale for treating MITs as out of scope of the PSD2 SCA requirements, which the European Commission has in large part used to answer the question posed.
The EC’s view was published on 1 March 2019 in the form of an answer to a question posed to and through the EBA Single Rulebook Q&A PSD2 (see Question ID: 2018_4031).
Here’s the answer in full (emphasis added):
“Pursuant to Article 97(1) PSD2, Member States shall ensure that a payment service provider applies strong customer authentication when the payer (a) accesses its payment account online, (b) initiates an electronic payment transaction, or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Payment transactions that are not initiated by the payer but by the payee only are therefore not subject to strong customer authentication (SCA) to the extent that these transactions are initiated without any interaction or involvement of the payer.
Card-based transactions imply an action of the payer in the initiation of the transaction, involving the use of a payment card or a similar device that has been issued to the payer and that is accepted as a payment method by the payee. Card-based transactions are therefore considered as payment transactions initiated by the payer through the payee.
However, where the payer has given a mandate authorising the payee to initiate a transaction or a series of transactions through a particular payment instrument that is issued to be used by the payer to initiate the transactions, and where the mandate is based on an agreement between the payer and that payee for the provision of products or services, the transactions initiated thereafter by the payee on the basis of such a mandate can be qualified as payee initiated transactions, provided that those transactions do not need to be preceded by a specific action of the payer to trigger their initiation by the payee.
Where the mandate of the payer to the payee to initiate these transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) of the PSD2.
The payment transactions by the payee that are based on the mandate are subject to the general provisions of PSD2 that also apply to payee initiated transactions (e.g. Articles 75 – 78 PSD2).”
From this answer, we would highlight three specific points:
Lastly, we would flag that MITs must be distinguished from “card on file” transactions, to which SCA must be applied unless an exemption is available. The background to the Q&A gives, as a typical example of a “card on file” payment, an e-commerce scenario in which the payer triggers each individual payment by clicking on the purchase button on the merchant website or app and confirms use of a card, the details of which the cardholder has previously provided or registered with the merchant. This confirming action by the payer means that these types of transactions are not payee-initiated transactions, and so SCA must be applied on each occasion unless an exemption is available.
This article was originally published in the May 2019 edition of Osborne Clarke’s EPSM Legal Research Newsletter. OC has been discussing this topic lately, among other things in this article.