2019_4796 Intermediaries and Merchant-ID | European Banking Authority

Question ID: 2019_4796
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 4
Type of submitter: Industry association
Subject matter: Intermediaries and Merchant-ID
Question: In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed? If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?
Background on the question: In the hotel industry, there is a high degree of intermediation between the hotel (merchant) and guest (customer) through Online Travel Agents (OTAs such as Booking.com), franchisor booking channels (such as hotelbrand.com, or global distribution systems (such as Sabre). These intermediaries play a key role in our booking infrastructure. In some cases, intermediaries will take credit card details on the hotel's behalf, but they do not have the facilities, nor do they bear the risk for concluding payments – this instead remains in the hands of the individual hotels.
Submission date: 19/06/2019
Final publishing date: 24/09/2021
Final answer: Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction. Article 97(2) of PSD2 provides that for electronic remote payment transactions, PSPs shall apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.

Article 5(1)(a) of the Commission Delegated Regulation (EU) 2018/389 states that where PSPs apply SCA in accordance with Article 97(2) of PSD2, ‘the payer is made aware of the amount of the payment transaction and of the payee’.

Accordingly, the payment service user should be aware of the payee (the hotel in the case described by the submitter). PSD2 and the Delegated Regulation do not specify how the interaction between the payee and parties (the intermediaries in the case described by the submitter) acting on its behalf should take place.

Finally, the payer’s consent to execute a payment transaction shall be given in accordance with the requirements of PSD2, including Article 64(2) which specifies that the payer's consent to execute a payment transaction shall be given to the PSP, or via the payee or a payment initiation service provider.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer