EBA-SCA-002 banking regulatory_compliance ai_generated true

AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring that the 'transaction risk analysis' exemption requires dynamic linking and issuer approval

ID: banking/eu-psd2-scp-strong-customer-authentication

Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2024-01-10

Version Compatibility

Version                                  Status   Introduced   Deprecated   Notes
PSD2 Directive (EU) 2015/2366            active
EBA Guidelines on SCA (EBA/GL/2021/04)   active
3D Secure 2.3.1                          active

Root Cause

Under PSD2 and EBA guidelines, the low-value exemption (under €30) only applies if the payment method uses dynamic linking (e.g., tokenization) and the issuer explicitly approves the exemption; many fintechs incorrectly assume it's automatic, leading to non-compliance and chargeback risks.


Official Documentation

https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-strong-customer-authentication

Workarounds

  1. (85% success) Implement transaction risk analysis (TRA) with dynamic linking: use a tokenization system (e.g., network tokens from Visa/Mastercard) and send exemption requests via the 3D Secure 2.x protocol, ensuring the issuer approves each low-value transaction.
  2. (78% success) Use the 'merchant-initiated transactions' (MIT) model for recurring low-value payments, where the first payment requires SCA but subsequent ones can be exempted if the merchant has a valid mandate and the issuer agrees.
  3. (95% success) If the fintech cannot meet dynamic linking requirements, apply SCA to all payments regardless of value to ensure full compliance with PSD2.


Dead Ends

Common approaches that don't work:

  1. Telling the fintech to implement SCA only for payments above €30 and ignore the exemption rules (90% fail)

    The exemption is not automatic; the payment service provider must perform a transaction risk analysis (TRA) and obtain issuer approval, or the payment may be rejected or flagged as non-compliant.

  2. Advising the fintech to use static card-on-file tokens without dynamic linking (85% fail)

    Static tokens do not meet the dynamic linking requirement under SCA exemptions; the issuer will likely decline the exemption request.

  3. Suggesting the fintech disable SCA entirely for recurring payments (92% fail)

    Recurring payments have their own SCA rules (first payment requires SCA, subsequent ones may be exempted only with specific conditions); blanket disabling violates PSD2.
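As an added example (not part of this record), the following decision helper encodes the exemption conditions stated in the Workarounds and Dead Ends sections above, so a payment service provider can check per transaction whether SCA may be skipped; the `Payment` structure and its field names are illustrative assumptions, not a 3DS or PSP API.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

# "under €30" as stated on this page: strictly below the threshold.
LOW_VALUE_LIMIT_EUR = Decimal("30")


@dataclass
class Payment:
    # Illustrative structure (an assumption, not a 3DS or PSP API field set).
    amount_eur: str                 # decimal string such as "29.99"; never float for money
    dynamic_linking: bool           # True for a credential bound to amount and payee
                                    # (e.g. network token via 3DS 2.x); False for a static token
    issuer_approved_exemption: Optional[bool] = None  # 3DS 2.x exemption reply: True/False, None = not requested
    merchant_initiated: bool = False        # MIT (recurring) series
    mandate_valid: bool = False             # merchant holds a valid mandate
    first_payment_had_sca: bool = False     # initial payment of the series was authenticated


def sca_required(p: Payment) -> Tuple[bool, str]:
    """Return (sca_required, reason); anything not explicitly exempt gets SCA."""
    if p.merchant_initiated:
        # MIT model: first payment always under SCA, later ones exempt only
        # with a valid mandate and the issuer's agreement.
        if not p.first_payment_had_sca:
            return True, "first payment of an MIT series requires SCA"
        if not p.mandate_valid:
            return True, "MIT without a valid mandate requires SCA"
        if p.issuer_approved_exemption is not True:
            return True, "issuer has not agreed to the MIT exemption"
        return False, "MIT exemption: valid mandate and issuer agreement"

    if Decimal(p.amount_eur) >= LOW_VALUE_LIMIT_EUR:
        return True, "amount is not below the low-value threshold"
    # Low-value exemption is never automatic: dynamic linking plus an
    # explicit issuer approval are both needed.
    if not p.dynamic_linking:
        return True, "static token: dynamic linking requirement not met"
    if p.issuer_approved_exemption is None:
        return True, "no exemption request was sent to the issuer"
    if not p.issuer_approved_exemption:
        return True, "issuer declined the low-value exemption"
    return False, "low-value exemption: dynamic linking and issuer approval"
```

The default branch applies SCA, which matches workaround 3: a provider that cannot satisfy dynamic linking falls through to full authentication on every payment.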