{
  "id": "banking/eu-psd2-scp-strong-customer-authentication",
  "signature": "AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring that the 'transaction risk analysis' exemption requires dynamic linking and issuer approval",
  "signature_zh": "AI告诉欧盟金融科技公司，他们可以绕过30欧元以下低价值支付的强客户认证（SCA），忽略了'交易风险分析'豁免要求动态链接和发卡机构批准",
  "regex": "SCA.*exemption.*under.*30|low.*value.*payment.*without.*SCA|PSD2.*bypass.*authentication",
  "domain": "banking",
  "category": "regulatory_compliance",
  "subcategory": null,
  "root_cause": "Under PSD2 and EBA guidelines, the low-value exemption (under €30) only applies if the payment method uses dynamic linking (e.g., tokenization) and the issuer explicitly approves the exemption; many fintechs incorrectly assume it's automatic, leading to non-compliance and chargeback risks.",
  "root_cause_type": "generic",
  "root_cause_zh": "根据PSD2和EBA指南，低价值豁免（低于30欧元）仅在支付方式使用动态链接（例如令牌化）且发卡机构明确批准豁免时才适用；许多金融科技公司错误地认为这是自动的，导致不合规和退单风险。",
  "versions": [
    {
      "version": "PSD2 Directive (EU) 2015/2366",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "EBA Guidelines on SCA (EBA/GL/2021/04)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "3D Secure 2.3.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Telling the fintech to implement SCA only for payments above €30 and ignore the exemption rules",
      "why_fails": "The exemption is not automatic; the payment service provider must perform a transaction risk analysis (TRA) and obtain issuer approval, or the payment may be rejected or flagged as non-compliant.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "Advising the fintech to use static card-on-file tokens without dynamic linking",
      "why_fails": "Static tokens do not meet the dynamic linking requirement under SCA exemptions; the issuer will likely decline the exemption request.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "Suggesting the fintech disable SCA entirely for recurring payments",
      "why_fails": "Recurring payments have their own SCA rules (the first payment requires SCA, and subsequent ones may be exempted only under specific conditions); blanket disabling violates PSD2.",
      "fail_rate": 0.92,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Implement transaction risk analysis (TRA) with dynamic linking: use a tokenization system (e.g., network tokens from Visa/Mastercard) and send exemption requests via the 3D Secure 2.x protocol, ensuring the issuer approves each low-value transaction.",
      "success_rate": 0.85,
      "how": "Implement transaction risk analysis (TRA) with dynamic linking: use a tokenization system (e.g., network tokens from Visa/Mastercard) and send exemption requests via the 3D Secure 2.x protocol, ensuring the issuer approves each low-value transaction.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use the 'merchant-initiated transactions' (MIT) model for recurring low-value payments, where the first payment requires SCA but subsequent ones can be exempted if the merchant has a valid mandate and the issuer agrees.",
      "success_rate": 0.78,
      "how": "Use the 'merchant-initiated transactions' (MIT) model for recurring low-value payments, where the first payment requires SCA but subsequent ones can be exempted if the merchant has a valid mandate and the issuer agrees.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the fintech cannot meet dynamic linking requirements, apply SCA to all payments regardless of value to ensure full compliance with PSD2.",
      "success_rate": 0.95,
      "how": "If the fintech cannot meet dynamic linking requirements, apply SCA to all payments regardless of value to ensure full compliance with PSD2.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "实施交易风险分析（TRA）与动态链接：使用令牌化系统（例如Visa/Mastercard的网络令牌），并通过3D Secure 2.x协议发送豁免请求，确保发卡机构批准每笔低价值交易。",
    "对重复性低价值支付使用'商户发起交易'（MIT）模式，首次支付需要SCA，但后续支付如果商户有有效授权且发卡机构同意，可以豁免。",
    "如果金融科技公司无法满足动态链接要求，则对所有支付应用SCA，无论价值大小，以确保完全符合PSD2。"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-strong-customer-authentication",
  "official_doc_section": null,
  "error_code": "EBA-SCA-002",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2024-01-10",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}