2018_4083 On the application of SCA when cancelling a payment transaction

Question ID: 2018_4083
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Other topics
Article: 97
Paragraph: 1
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
Article/Paragraph: -
Name of institution / submitter: Banque de France
Country of incorporation / residence: FRANCE
Type of submitter: Competent authority
Subject matter: On the application of SCA when cancelling a payment transaction
Question: Should Account Servicing Payment Service Providers (ASPSPs) apply strong customer authentication (SCA) when cancelling recurring transactions?
Background on the question: As the EBA’s opinion states that the API should allow for (the possibility of cancelling an initiated transaction in accordance with PSD2, including recurring transactions (table 1, line 9, p.3), ASPSPs have asked us whether they had to perform SCA in case a cancellation occurs through a Payment Initiation Service Provider (PISP), because it could be argued that cancellation of a transaction “may imply a risk of fraud or other abuses” as per Article 97.1(c) of PSD2, and therefore should require a SCA as per the same article. This is of importance for ASPSPs and TPPs as:
- It could have an impact on the workflows of online banking spaces (for ASPSPs only, ie. should ASPSPs prepare a specific workflow for SCA in case of a cancellation of a transaction?)
- it could have an impact on the workflows of the API (i.e should a complementary workflow for SCA in case of cancellation through the API be prepared or not?)
Submission date: 04/07/2018
Final publishing date: 12/03/2021
Final answer: The act of cancelling a recurrent transaction via a remote channel may imply a risk of fraud or other abuses pursuant to Article 97(1)(c) Directive 2015/2366/EU (PSD2).

Therefore strong customer authentication (SCA) is required to cancel a recurrent transaction, including when using a Payment Initiation Service Provider (PISP).

Disclaimer:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.
Status: Final Q&A
Answer prepared by: Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer