The applicability of the rules of strong customer authentication ("SCA") to direct debit transactions has been subject to various statements by the EBA and the BaFin. On 7 June 2019, the EBA published another statement via its Q&A-tool (Question ID 2019_4664) on the application of SCA to direct debit transaction. It appears that the application of SCA rules on direct debit payments is now clear at an EU-level.
The “history” of direct debit related statements
The “history” of direct debit-related statements in connection with SCA began on 22 February 2019 (although some comments to direct debit can be found in the draft SCA RTS provided by the EBA), when the EBA published a statement via its Q&A-tool (Question ID 2018_4359) in which the EBA took the view that where the mandate of the payer to the payee to initiate direct debit transactions is provided through a remote channel, the setting up of such mandate is subject to SCA. The statement has raised significant concerns in the payment market, as we have pointed to in our May 2019 issue of the EPSM Legal Research Newsletter.
On 17 April 2019, BaFin published a statement, that SCA is only required for direct debit payments on the internet if the mandate is given by the payer with the direct involvement of the payee’s payment service provider (“PSP”). That would have the consequence that online mandates directly given by the payer to an ecommerce shop would not be subject to SCA. By publishing this statement, BaFin had appeared to take a view differing from that of the EBA with respect to SCA.
However, a few days prior to the publication of its statement, BaFin had submitted the question, whether giving a direct debit mandate without the involvement of a PSP would be subject to SCA, to the EBA. The EBA has recently, on 7 June 2019 (Question ID 2019_4664) confirmed BaFin’s view, that SCA is only required, when the payer’s PSP is directly involved in the setting up of such mandate, which should only be the case for “e-mandates” as laid down in the SEPA rule books.
Comment
First, it is good news that the payment market now has clarity with respect to the applicability of online direct debit mandates on a European level.
EBA stated on 7 June 2019 that Article 97 PSD2 only sets obligations to payment service providers and that therefore mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.
The statement of the EBA was in fact referring to “a mandate of the payer to the payee to initiate these transactions […] through a remote channel” without distinguishing between mandates given with or without the involvement of the PSP of the payee. A possible and not unlikely interpretation of this statement is that the EBA was referring to all direct debit mandates, including online mandates, that are typically given without the involvement of PSPs. That would have raised the question whether PSP’s would have had to ensure that the payee had given a mandate in accordance with SCA rules (e.g. to the online shop) prior to executing a direct debit transaction. Therefore, the statement of EBA was at least likely to cause misinterpretation. However, the clarification of the EBA in the direct debit context raises the subsequent question, whether (and to what extent) PSPs can design their payment products without being directly involved in the authentication process in situations described in Art. 97 PSD2 and without providing for SCA processes in accordance with PSD2.
Direct debit transactions based on online mandates form part of the payment market in large numbers and have already done so prior to the entry into force of PSD2. The EBA and BaFin have now provided clarification with respect to the SCA to such mandates about three months prior to the entry into force of rules of SCA. It was known in practice for a long time that online mandates would in most cases not fulfil the requirements of SCA. Applying SCA would have had a significant impact on the acceptance of the payment method in practice. Although it has to be appreciated that the EBA has now provided clarity with respect to this question, it would be preferable for the market to have clarity of the applicability of the rules of SCA with respect to common payment methods at a much earlier stage, in order to have the chance to take the relevant measures to comply with new applicable rules.
This article was originally published in the June 2019 edition of Osborne Clarke’s EPSM Legal Research Newsletter.