After the European Banking Authority (EBA) sparked considerable excitement with one of its answers given in the Q&A tool (see my article on the possibly dim future of online SEPA direct debit payments, and the BaFin had already published a statement (see “Strong customer authentication for online SEPA direct debit payments”), the EBA clarification has now also been published. According to this, there is no strong customer authentication required for setting up a SEPA direct debit mandate if the institution at which the payment account is held is not involved.
What happened so far
In its Final Report, the EBA had stated that no strong customer authentication was required when setting up a SEPA direct debit mandate. However, electronic mandates involving the payment service provider of the payer were exempted from this. This was interpreted to mean that it had to be an e-mandate provided for in the SEPA Regulation, which provides for technical implementation by the account servicing payment service provider.
Surprisingly, in response to the question (Q&A 2018_4359) as to whether strong customer authentication was required for mandates set up electronically, the EBA then published a response that this was required due to there being a risk of fraud. It failed to include the restriction that this is only the case if the account servicing payment service provider is involved.
After an outcry in Germany from businesses who considered the popular direct debit to be in danger, BaFin clarified that no strong customer authentication is necessary.
What does the EBA clarification say
Now we also have the EBA clarification as an answer to a question by the BaFin (!) in the Single Rule Book Q&A Tool (Q&A 2019_4664). The EBA states:
Q&A 2018_4359 clarified that a direct debit transaction is not subject to strong customer authentication (SCA), as it is defined in the PSD2 as a transaction initiated by the payee. It also clarified that in cases where the mandate given by the payer to the payee to initiate one or several such transactions is provided through a remote channel, the setting up of such a mandate is subject to strong customer authentication. In such circumstances however, pursuant to the wording of Article 97 PDS2, which only sets obligations to payment service providers (PSP), SCA is only necessary where a PSP is involved in the setting up of such a mandate. Mandates given by the payer to the payee set up without the direct involvement of the payer’s PSP are not subject to SCA.
So can we now say: ‘all’s well that ends well’? The issue of strong customer authentication has now been cleared up. However, direct debit payments continue to be under threat from other angles, e.g. if differentiation according to the payer’s place of residence also constitutes IBAN discrimination. The topic of SEPA direct debit payments will probably keep us busy for some time to come.
Cover picture: Copyright © fotolia / Archivist