The pain points of card-accepting merchants
On 1 March, the European Banking Authority (EBA) published an answer to a question that had been submitted by the card schemes. Cards are now commonly used to pay for recurring transactions such as subscription fees for social media (LinkedIn, Xing), digital TV (Netflix, Amazon Prime), utility or telephone bills and insurance premiums. Cards are also used for additional, unforeseeable charges in car rental (e.g. speeding or parking tickets, damages) or hotels (additional meals, mini bar, damages etc.). In all of these cases the payer is usually not present when the merchant triggers the payment, and the amounts vary, i.e. they are not the same every time, or the specific amount cannot be foreseen in advance.
The answer provided by EBA
EBA has now published an answer to the question whether such card transactions, which are initiated by the merchant, i.e. the payee, and not by the payer, fall within the scope of the PSD2 requirements for strong customer authentication (SCA). The answer is no, i.e. no SCA is required, provided three conditions are fulfilled: (i) the payer (cardholder) has (initially) given a mandate authorising the payee (merchant) to initiate a transaction or a series of transactions through a card, (ii) the mandate is based on an agreement between the payer (cardholder) and the payee (merchant) for the provision of products or services, and (iii) the transactions initiated by the payee (merchant) do not need to be preceded by a specific action of the payer (cardholder) to trigger their initiation by the payee (merchant).
Background: the genesis under PSD2
The discussion on so-called Merchant Initiated Transactions under PSD2 is not old. It was triggered mainly by the card schemes and some larger merchants about a year ago. The EBA preparatory papers for the RTS on SCA and CSC (discussion paper of 2015, consultation paper of 2016 and final report of 2017) touch only briefly on payments initiated by the payee, and they mention direct debit transactions as the example, not card transactions. It was therefore unclear whether the direct debit rationale of the aforementioned EBA papers would also apply to card transactions. By contrast, the UK Financial Conduct Authority had already stated in December 2018, in its Policy Statement PS18/24, that "merchant initiated card transactions" which had been initially authorised by the payer using SCA would not subsequently require such authentication when initiated by the merchant / payee.
What does this mean for the various use cases?
Subscription models (such as LinkedIn or Xing) should in future be free of SCA, even if the subscription price changes. The same should be true for video streaming offers such as Netflix or Apple TV, if the video streaming is subscribed on the basis of a regular monthly, weekly or daily fee. If the subscriber instead chooses particular films which are paid for individually, SCA should be required for each of them, as the subscriber / payer is involved in the transaction, i.e. a specific action by the payer is required to trigger its initiation by the payee. Likewise, if a cardholder wishes to pay regular utility or telephone bills and insurance premiums with a card, setting up the initial mandate will require SCA, but the subsequent regular payment initiations by the electric power company, the telephone provider or the insurer will not, even if the amounts vary, which is quite likely in the case of telephone or utility bills.
For car rental agencies the merchant initiated transaction would allow charging to the card not only extra fees for exceeding the pre-agreed rental period and charges for speeding or parking tickets, but also damages. From a civil law perspective this requires that the initial authorisation granted by the cardholder encompasses all of those charges. In addition, the payer / cardholder could request from the card issuer a refund of the amounts charged to the card if the amount of the payment transaction exceeded the amount the payer could reasonably have expected (the refund right for payee-initiated transactions in Art. 76 PSD2). In that case the card issuer would have to demonstrate to the cardholder that the objection was not warranted.
The case of hotels is very similar: the guest checks out without presenting his/her card at checkout, and the hotel wishes to charge incidental amounts to the card afterwards.
Many other cases in which a cardholder mandates subsequent payment transactions initiated by the payee / merchant can be thought of. However, this would not apply to so-called "card on file" transactions, where an e-commerce merchant stores its customer's card data in a user account in order to make shopping simpler for the customer. In that case the customer / cardholder would usually be involved in the checkout process; the transaction would therefore have to be viewed as a payment initiated by the payer and would require SCA or the use of an exemption, e.g. the trusted beneficiary exemption.
And now PayPal. It is the funding of a PayPal e-money account which may be of interest here. Most people use their credit card or direct debit to fund their PayPal account. Is funding via credit card a merchant initiated card transaction? PayPal would be the merchant in that case, and PayPal triggers the funding without the account holder's involvement. I would think so. Obviously, you could question this, as it is the use of the PayPal account by its owner which triggers the (second) funding transaction. And then, PayPal could always propose whitelisting (the trusted beneficiary exemption) to the account holder in order to avoid SCA for the funding transaction. So, this is not a 100% clear case.
What about the liability of the card issuer?
The general rule under PSD2 is that a card issuer bears the risk of unauthorised payments if the card issuer has not applied SCA. This rule applies where SCA is required. In the case of a merchant initiated transaction, EBA has now stated that SCA is not required. If so, the increased liability of the issuer should not come into play. Unfortunately, it is neither the EBA nor the Commission nor a supervisory authority which decides on liability; it is the civil courts which may eventually have to rule on this. They may or may not decide in line with the answer published by EBA.
Last question – how does BaFin view this?
Is all this binding for national supervisory authorities or the ECB in their supervision of credit institutions, e-money institutions and payment institutions? It is not, I am afraid. The answer provided by EBA was not even prepared by EBA, but – as the "Disclaimer" says – by a "Directorate General of the Commission". While BaFin issued a public statement in February 2018 that it would generally follow the opinions and Q&A of EBA, it is unclear whether this statement also covers answers prepared by DG FISMA. The difference? Official EBA statements such as opinions and Q&A issued by EBA on the basis of Art. 29 of the EBA Regulation have been put to the vote in the EBA Board of Supervisors, in which the national supervisory authorities of all Member States participate. They therefore carry what is called a "high input legitimation". This is not true for answers provided by the Commission. What is more, BaFin and the Bundesbank had both been quite doubtful about merchant initiated card transactions in the past and had criticised the FCA guidance of December 2018. So, for industry players it might be advisable to confirm with BaFin whether it subscribes to the answer published under Question ID 2018_4359.