Strong customer authentication for online SEPA direct debits: BaFin’s clarification

Strong customer authentication for online SEPA direct debits | PayTechLaw

You shall never ask me? But questions are useful as sometimes answers are indeed given… In one of my last posts I dealt with the problematic EBA response concerning strong customer authentication for online SEPA direct debit payments. The EBA had stated that when setting up an online SEPA mandate strong customer authentication was required. In contrast to statements provided in the past, it failed to mention that this only applies in cases where the mandate is given with the involvement of the payment services provider of the payer.

It would be very detrimental for German online merchants if strong customer authentication for online SEPA direct debits were required when setting up a mandate, as there is no widely available technical infrastructure for this yet.

However, we can breathe a sigh of relief now as BaFin has finally provided some clarification: BaFin stated that strong customer authentication for setting up online SEPA mandates was only required in the case of e-mandates pursuant to the SEPA Rulebook. Such an e-mandate is not simply a mandate set up electronically (i.e. online) but one that follows the SEPA Rulebook. This stipulates that the payer’s bank has to be involved in the setting up of the mandate in that the bank identifies the payer, i.e. the bank checks if the payer who sets up the mandate is in fact its customer holding the account for which the mandate is being set up (known as “validation” in the SEPA Rulebook). In this case, strong customer authentication would be required for online SEPA direct debits. It is therefore important to distinguish between e-mandates and electronic mandates. E-mandates in accordance with the SEPA Rulebook require the involvement of the payer’s bank in the setting up of the mandate. For mandates which are simply set up electronically, this is not necessarily the case.

In a clarification statement in 2013, the European Payments Council stated that for mandates set up electronically no qualifying electronic signature was required (which already paved the way for strong customer authentication for online SEPA direct debits) but that the member states could retain their legacy rules on how mandates are to be set up prior to the SEPA Rulebook coming into effect. This clarification had been achieved for the benefit of German online merchants and saved online direct debits, which are very popular in Germany. It seems that SEPA direct debit will also survive strong customer authentication.


Cover picture: Copyright © fotolia / Archivist
