# AI tells an EU fintech that they can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring that the 'transaction risk analysis' exemption requires dynamic linking and issuer approval

- **ID:** `banking/eu-psd2-scp-strong-customer-authentication`
- **Domain:** banking
- **Category:** regulatory_compliance
- **Error Code:** `EBA-SCA-002`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Under PSD2 and EBA guidelines, the low-value exemption (under €30) only applies if the payment method uses dynamic linking (e.g., tokenization) and the issuer explicitly approves the exemption; many fintechs incorrectly assume it's automatic, leading to non-compliance and chargeback risks.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PSD2 Directive (EU) 2015/2366 | active | — | — |
| EBA Guidelines on SCA (EBA/GL/2021/04) | active | — | — |
| 3D Secure 2.3.1 | active | — | — |

## Workarounds

1. **Implement transaction risk analysis (TRA) with dynamic linking: use a tokenization system (e.g., network tokens from Visa/Mastercard) and send exemption requests via the 3D Secure 2.x protocol, ensuring the issuer approves each low-value transaction.** (85% success)
2. **Use the 'merchant-initiated transactions' (MIT) model for recurring low-value payments, where the first payment requires SCA but subsequent ones can be exempted if the merchant has a valid mandate and the issuer agrees.** (78% success)
3. **If the fintech cannot meet dynamic linking requirements, apply SCA to all payments regardless of value to ensure full compliance with PSD2.** (95% success)

## Dead Ends

- **Telling the fintech to implement SCA only for payments above €30 and ignore the exemption rules** — The exemption is not automatic; the payment service provider must perform a transaction risk analysis (TRA) and obtain issuer approval, or the payment may be rejected or flagged as non-compliant. (90% fail)
- **Advising the fintech to use static card-on-file tokens without dynamic linking** — Static tokens do not meet the dynamic linking requirement under SCA exemptions; the issuer will likely decline the exemption request. (85% fail)
- **Suggesting the fintech disable SCA entirely for recurring payments** — Recurring payments have their own SCA rules (first payment requires SCA, subsequent ones may be exempted only with specific conditions); blanket disabling violates PSD2. (92% fail)
