A new response by the EBA in their Q&A tool may have a huge impact on the future of online SEPA direct debit payments. When asked if strong customer authentication (SCA) has to be applied to the electronic processing of online SEPA direct debit payments, the EBA responded that the setting up of such a mandate is subject to strong customer authentication, as this action may imply a risk of payment fraud or other abuses within the meaning of Article 97(1)(c) of the PSD2. In the latest episode of PayTechTalk, my colleague Christian and I already took a look into the potential impacts of the EBA opinion on online direct debits. In this article, I review in more detail what the EBA’s response means for online SEPA direct debit payments.
What does this mean for online SEPA direct debit payments?
If a buyer wants to pay in an online shop by online SEPA direct debit via a payment service provider of the merchant, the buyer would need to authenticate himself by satisfying two out of the three elements of knowledge, possession, or inherence. The only question is – how can the buyer do this?
In contrast to credit cards, where 3D Secure has – after some years – become a standard feature or in contrast to the log-in process implemented for the access to online bank accounts, there is no such authentication process commonly available for SEPA direct debits.
Who is affected?
As a consequence, online SEPA direct debit payments may not be offered online by payment service providers anymore. This affects payment wallet providers and mobile payment providers that use SEPA direct debit as one of their funding sources as well as online merchants using a PSP to accept direct debits. Since the PSD2 only applies to payment institutes and e-money institutes, online merchants that process SEPA direct debit themselves are not affected and are therefore not required to apply SCA. However, if a merchant employs the help of a PSP to manage the risks involved in SEPA direct debits, SCA will need to be implemented. Quite an absurd outcome.
Change of mind of the EBA?
In addition to the consequence that SEPA direct debit payments can no longer be used as funding sources for wallets or mobile payments that require a mandate being set up online, or for online purchases if a merchant involves a PSP, the response by the EBA is also not in line with its previous guidance.
According to the EBA’s Final Report on the Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2), point 13, SCA does not apply to electronic payments initiated by the payee only (such as direct debits). The EBA further sets out:
Given Article 97(1)(c), an exception is a transaction where the payer’s consent for a direct debit transaction is given in the form of an electronic mandate with the involvement of its PSP.
This important requirement, i.e. that the setting up of an electronic mandate is subject to SCA only if the mandate is granted involving the PSP of the payer, is missing in the recent response of the EBA. And this makes all the difference. If the payer’s PSP offers a way to set up an electronic mandate, the PSP will also be able to apply SCA. However, in the current state of things where the overwhelming majority of banks do not offer any form of electronic mandate with their involvement, it is practically impossible to apply SCA.
It is open for speculation if the response provided by the EBA inadvertently omitted the requirement of the involvement of the PSP or if the EBA changed its mind. This would be quite a change very late in the game, given that on 14 September 2019 SCA will become mandatory.
What’s in it for the consumer?
Nothing – which is another surprising factor regarding the EBA’s response. The purpose of SCA is to prevent fraud and abuse of payment instruments by use of a remote channel. Where a payment card is stolen and used without authorization, the card holder risks losing money. SCA raises the bar for a thief to be able to use a stolen card online. However, in case of online SEPA direct debit payments, the payer may reverse the payment 8 weeks after the debit without providing reasons. The risk of losing the money may be big for the payee but not for the payer. The direct debit reversal can be submitted irrespective of SCA, which is different in the card scenario where SCA changes the burden of proof.
Is the EBA’s response binding?
Generally, the national regulators have a choice to either comply with the EBA’s guidance or to explain if they deviate. For reasons of harmonization across the EU, BaFin usually complies with the EBA’s guidance, including the interpretation given in the EBA’s Q&A tool. In case BaFin dissents with the guidance given, this is published on BaFin’s website.
Accordingly, unless BaFin explains why it does not want to comply with the guidance, the EBA’s interpretation will become binding also on German PSPs.
The widespread use of online SEPA direct debit payments is a German (and Austrian) thing. Thus, in other countries the effect of this change may not be met with as much concern. This brings back memories of the time when SEPA direct debits were introduced by the SEPA Regulation, requiring a written mandate or an electronic mandate with qualified electronic signature. This could have been the death knell of online mandates if it had not been for the fact that a SEPA direct debit coalition formed and successfully lobbied for lighter requirements. This resulted in a qualified electronic signature no longer being required and a press release by the Ministry of Finance and the Bundesbank stating that banks were allowed to continue processing mandates provided online. And what has been done once can be done again.