Question ID
2019_4664
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
Paragraph
1
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
4
Name of institution / submitter
Bundesanstalt für Finanzdienstleistungsaufsicht
Country of incorporation / residence
Germany
Type of submitter
Competent authority
Subject matter
Applicability of SCA to electronically processed SEPA Direct Debits / Interpretation of EBA Q&A 2018_4359
Question

Are mandates for direct debits which are set up without direct involvement of the payer’s PSP subject to SCA requirements?

Background on the question

With Q&A 2018_4359 it has been clarified, that a direct debit transaction is not subject to SCA, as it is defined in the PSD2 as a transaction initiated by the payee.

Furthermore, it was stated, that in cases where the mandate given by the payer to the payee to initiate one or several such transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) PSD2.

The latter statement might lead to a misinterpretation in the market regarding its scope and needs to be clarified further. This statement can only be applicable, when the payer’s PSP is directly involved in the setting up of such a mandate, which is only the case for “e-mandates” as laid down in the SEPA rulebooks.

Otherwise, Article 97 PSD2 is not applicable at all.

Submission date
Final publishing date
Final answer

Q&A 2018_4359 clarified that a direct debit transaction is not subject to strong customer authentication (SCA), as it is defined in the PSD2 as a transaction initiated by the payee. It also clarified that in cases where the mandate given by the payer to the payee to initiate one or several such transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication. In such circumstances however, pursuant to the wording of Article 97 PDS2, which only sets obligations to payment service providers (PSP), SCA is only necessary where a PSP is involved in the setting up of such a mandate. Mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.

 

Disclaimer:

This question goes beyond matters of consistent and effective application of the regulatory framework. A Directorate General of the Commission (Directorate General for Financial Stability, Financial services and Capital Markets Union) has prepared the answer, albeit that only the Court of Justice of the European Union can provide definitive interpretations of EU legislation. This is an unofficial opinion of that Directorate General, which the European Banking Authority publishes on its behalf. The answers are not binding on the European Commission as an institution. You should be aware that the European Commission could adopt a position different from the one expressed in such Q&As, for instance in infringement proceedings or after a detailed examination of a specific case or on the basis of any new legal or factual elements that may have been brought to its attention.

Status
Final Q&A
Answer prepared by
Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.