The EBA just published its draft RTS (Regulatory Technical Standards) on Strong Customer Authentication (SCA). The draft RTS depart significantly from the previous version published for consultation in August 2016. Most notably:
- the EBA has clarified that EEA-based issuers will not be requested to systematically decline transactions at non-EEA merchants that would not request SCA;
- transactions that do not exceed EUR 30 are exempted from the SCA requirements;
- a general Risk-Based Authentication (RBA) exemption is introduced for remote payments based on PSP’s fraud levels and transaction amounts;
- the exemption for "white lists" of trusted beneficiaries and recurring payments has been extended to card payments.
Please see below details on the aspects of the draft RTS that are most relevant to airlines.
Next steps – The ball is now in the camp of the EC, which has three months to either endorse the final draft RTS (in which case, they become legally binding 18 months later – i.e. in November 2018 at the earliest), or to suggest amendments and send the document back to the EBA for further work. The EBA can either amend or refuse to amend, in which case the EC can either itself adjust the RTS or reject them in their entirety.
More details on the draft EBA RTS, as relevant to airlines:
- Transactions outside the EEA: the EBA has clarified that SCA will not be required for (a) transactions at merchants outside the EEA with cards issued in the EEA (so-called "one-leg out transactions"), and (b) transactions at merchants in the EEA with cards issued outside the EEA (so-called "one-leg in transactions"). In other words, issuers and acquirers/merchants respectively are free to determine whether to accept those transactions, or not. The EC added that this is all subject to the rules of the card schemes, and given the HACR (Honour All Cards Rule) in the Visa and Mastercard rules, in practice this means that both outbound and inbound one-leg transactions will in principle have to be honoured.
- Exemptions: SCA is not be required, at the option of the PSPs (i.e. the exemptions are not mandatory), for:
a) Individual remote transactions up to EUR 30 (this limit has been increased from the EUR 10 limit of the August version of the draft RTS), with a cumulative limit of EUR 100 or 5 consecutive transactions without SCA.
b) Remote transactions between EUR 30 and EUR 500, provided RBA is applied by the PSP (PSP of the payer and/or PSP of the payee) and their fraud rates are under the following thresholds:
c) Remote transactions to white lists of trusted beneficiaries (however SCA is required for the creation and amendment of the white list). This exemption has now been extended to card payments.
Reference Fraud Rate (%) for:
||Remote card-based payments
(d) Recurring transactions of the same amount to the same payee (however SCA is required for the first payment, and for amendments to the series of payments).
- No specific exemptions are introduced for remote commercial card, virtual card and anonymous prepaid card transactions.
- The liability shift provided for in Article 74(2) of PSD2 will continue to apply after the RTS become applicable, i.e. on those transactions where the airline's PSP does not request SCA, that PSP (and therefore ultimately the airline) will remain liable for any potential fraud losses.