PSD2/ZAG: Strong Customer Authentication and Direct Debiting Schemes
Written By
German regulator BaFin limits the application of strong customer authentication for direct debiting schemes.
German Federal Financial Supervisory Authority (BaFin) issued a notice to consumers (German) clarifying the regulator does not require the performance of strong customer authentication (SCA) pursuant to section 55 paragraph 1 number 3 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) for most online payments using direct debiting. This step underscores BaFin’s existing regulatory practice following a statement of the European Banking Authority (EBA). EBA’s statement which can be interpreted that SCA is required when using any direct debiting scheme raised questions among legal practitioners, merchants, and consumers across Germany.
SCA (also commonly referred to as two factor authentication) demands that the customer presents authentication through at least two out of three factors prior to the authorisation of a transaction. The relevant factors for SCA are knowledge (e.g. password, PIN or TAN), possession (e.g. payment card or smartphone) and inherence (e.g. fingerprint or voice recognition). The corresponding section 55 ZAG takes effect on September 14, 2019 as part of the implementation of the second Payment Services Directive (PSD2) in Germany, in particular article 97 PSD2. These set out the legal framework that requires payment service providers to perform SCA as soon as the customer wishes to access the account, initiates an electronic payment process or using a remote access which includes the risk of fraud or other misuse.
In direct debiting practice the payer (customer) mandates only the payee (recipient, e.g. a merchant). The payer does not directly involve the payment service provider (e.g. a bank or a payment initiation service provider – PISP). This is also true for the payment initiation process. Instead, the payee issues a request to the payment service provider to execute the transaction. Only when using the (in Germany rarely used) e-mandate within SEPA rules, the direct debiting scheme directly involves the payment service provider through the payer, and ultimately requires SCA.
In Germany, approximately 20 percent of online payments are executed using direct debiting. Together with PayPal it is the second most commonly used payment scheme in Germany after purchases on account (28 percent) and thus more popular than credit card payments (11 percent).
The authors thank Sascha Lucas for his support.
