The EBA published its final draft RTS on SCA on 22 Feb 2017*. This followed a consultation period during which industry could respond. The EBA received an unusually high volume of responses (more than 224) from stakeholders before the deadline in Oct 2016. In particular, concerns were raised about the added checkout friction that the SCA procedure would create for e-commerce merchants. In response, the final draft RTS (download the document here) includes the following key changes to the exemptions section.
Key Changes – Exemptions From SCA (Chapter 3)
The final RTS introduces a new section permitting PSPs to use “transaction risk analysis” to identify transactions with a low level of risk and not apply SCA to those specific transactions. This is permitted for payments up to €500. A key condition is that the PSP keeps fraud rates at an acceptable level, as set out in the RTS screen grab below. So for transaction values up to €100, PSPs will be required to show fraud rates below 13 bps on a rolling quarterly basis. PSPs are required to notify the regulator of their intention to use “transaction risk analysis” and to submit fraud rate data. Exemptions will be withdrawn if the “monitored fraud rate exceeds for two consecutive quarters the EUR 100 ETV (Exemption Threshold Value) reference fraud rate applicable”. The EBA may decide to review and update the fraud rates within 18 months after the RTS enter into force.
Other changes to the Exemptions Chapter include:
- Exemptions for ‘unattended terminals’ used for transport or parking fares
- An increase in the SCA threshold for remote transactions from €10 to €30
- Clarification and confirmation that no exemptions will be available for corporate payments
Whilst these changes go some way to addressing concerns about checkout friction, the Reference Fraud Rates are low and may be challenging to meet, particularly at an aggregate level across all merchant categories. The €500 limit also effectively prevents exemptions for higher value transactions (such as flight tickets). It will be interesting to see whether these rates do in the end get reviewed within the 18-month time window the EBA has set itself.
In terms of next steps, the EU Commission will now carry out a legal review before adopting the RTS. The EU Council and EU Parliament will have scrutiny rights during this process. In theory, changes could still be made to the RTS during this period. The regulatory standards will then become law across the EU in Sept 2018 at the earliest.
* The revised EU Directive on payment services, otherwise known as PSD2, entered into force on 12 January 2016 and will apply as of 13 January 2018. PSD2 has conferred 11 mandates on the European Banking Authority (EBA). One of these relates to the development of draft Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure and common communications (Article 98 of the PSD2), which covers the introduction of tough new security standards for electronic payments.