- Question ID: 2018_4127
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 18(2)(c)
- Name of institution / submitter: European Payment Institutions Federation (EPIF)
- Country of incorporation / residence: Belgium
- Type of submitter: Industry association
- Subject matter: Application of Transaction Risk Analysis (TRA) exemption – Real time risk analysis / monitoring
- Question
Is it acceptable if a payment service provider (PSP) looking to apply the TRA exemption makes a best effort using the information available to them to identify that none of the six individual factors mentioned in Article 18(2)(c) of the Commission Delegated Regulation 2018/389 are applicable, but does not have to actually identify non-applicability of all of these factors to be able to use the TRA exemption?
- Background on the question
A PSP looking to trigger the TRA exemption is required, in addition to other considerations, to conduct real time risk analysis and to not identify any of the six risk factors listed at Article 18(2)(c). It is not clear if a PSP looking to trigger the TRA exemption is required to take pro-active steps to identify all of these factors, or only those for which the PSP has information available to do so. While it is envisaged both payer and payee PSPs will be able to trigger the TRA exemption, these PSPs have varied access to the information required to perform real time risk analysis against each of the six individual factors. As an example, a gateway provider used by the payee may not provide relevant information to the PSPs looking to apply the TRA exemption. This leads to an uneven playing field, where some PSPs cannot apply the TRA exemption in the same way as the other PSPs given their limited view of the transaction environment and related information.
- Submission date
- Final publishing date
-
- Final answer
Article 18(2)(c) of the Commission Delegated Regulation (EU) 2018/389 requires payment service providers (PSPs) not to have identified any of six specified factors as a result of performing a real time risk analysis. The identification is performed by the PSP using the transaction risk analysis tool. Recital 14 of the Delegated Regulation states that effective and risk-based requirements “should combine the scores of the risk analysis, confirming that no abnormal spending or behavioural pattern of the payer has been identified, taking into account other risk factors including information on the location of the payer and of the payee with monetary thresholds based on fraud rates calculated for remote payments”.
The PSP, in the context of the exemption, is expected to check, as far as it possibly can, whether all the six specified factors are present given that those factors are considered together with the conditions set out under Article 18(2) (a) and (b) of the Delegated Regulation, in order to identify whether or not a payment transaction is low risk for the purpose of the exemption. To enable the PSP to undertake this real time analysis to the greatest extent possible, it should consider requesting information from another PSP in the payment chain.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.