EBA-SCA-002 banking regulatory_compliance ai_generated true

AI tells an EU fintech that it can bypass Strong Customer Authentication (SCA) for low-value payments under €30, ignoring that the low-value exemption is optional, capped by cumulative counters, must be requested explicitly and is granted or refused by the issuer on each transaction, and that it is a different exemption from transaction risk analysis (TRA)

ID: banking/eu-psd2-scp-strong-customer-authentication

Fix rate: 80%
Confidence: 87%
Evidence items: 1
First seen: 2024-01-10

Version compatibility

Version                                  Status   Introduced   Deprecated   Notes
PSD2 Directive (EU) 2015/2366            active
EBA Guidelines on SCA (EBA/GL/2021/04)   active
3D Secure 2.3.1                          active

Root cause analysis

Under PSD2 and the RTS on SCA (Commission Delegated Regulation (EU) 2018/389), the low-value exemption for remote electronic payments (Article 16) is available only when the single amount does not exceed €30 and either the cumulative amount exempted since the last SCA does not exceed €100 or the number of consecutive exempted payments since the last SCA does not exceed five. Those counters are kept by the issuer, and the issuer decides per transaction whether to apply the exemption, so it can still demand SCA (a soft decline) on an otherwise eligible €25 payment. Transaction risk analysis (Article 18) is a separate exemption, tied to the PSP's reference fraud rate and to its own amount thresholds. Neither exemption is satisfied by tokenization: dynamic linking (Article 5) is a property of the SCA authentication code, which binds it to the amount and the payee, and it applies when SCA is performed, not as a condition of an exemption. Many fintechs assume the €30 exemption is automatic, send no exemption indicator and build no step-up path, and end up with declined payments, non-compliance findings and chargeback exposure.

generic

Official documentation

https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/guidelines-strong-customer-authentication

Solutions

  1. Request the exemption explicitly and handle the issuer's answer: set the low-value exemption indicator (or the TRA indicator, if the acquirer's fraud rate qualifies) in the 3D Secure 2.x authentication request or in the authorization message. If the issuer accepts it, the payment completes without a challenge; if the issuer soft-declines, step the payer up to a 3DS challenge and resubmit with SCA applied. Network tokens (Visa/Mastercard) reduce fraud exposure but are neither SCA nor a substitute for the exemption request.
  2. For recurring low-value payments, use the merchant-initiated transaction (MIT) model: apply SCA when the mandate is set up, with the authentication code dynamically linked to the payee and, where fixed, the amount; store the resulting transaction reference; and flag subsequent payments as MIT with that reference. Those payments fall outside the scope of SCA because the payer does not initiate them, but the issuer can still decline them.
  3. If the fintech cannot implement exemption indicators and a step-up path, apply SCA to every remote payment regardless of amount. That is always compliant with PSD2, at the cost of conversion.
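The exemption flow from the solutions above, written out as an added example (not code from this page, from the EBA, or from any scheme or PSP). It contrasts the naive rule the page warns about with a compliant acquirer-side flow that requests the exemption, accepts the issuer's decision and steps up on soft decline. The issuer is a constructed simulation that enforces both Article 16 counters (the conservative reading of the "(b) or (c)" wording) and resets them on every SCA; the card token "tok_4111", the always-passing challenge callback and the payment amounts are constructed sample data. In production the exemption indicator travels in the 3DS 2.x authentication request or the authorization message, and the issuer's counters are invisible to the merchant.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, Optional, Tuple

# Thresholds from the RTS on SCA, Commission Delegated Regulation (EU) 2018/389, Art. 16.
LOW_VALUE_MAX = Decimal("30")    # Art. 16(a): single remote transaction not above EUR 30
CUMULATIVE_MAX = Decimal("100")  # Art. 16(b): exempted amount since the last SCA not above EUR 100
MAX_CONSECUTIVE = 5              # Art. 16(c): at most five consecutive exempted payments since the last SCA

ChallengeFn = Callable[[str, Decimal], bool]


@dataclass
class CardCounters:
    """Per-card Art. 16 counters. The issuer keeps these; the merchant never sees them."""
    cumulative: Decimal = Decimal("0")
    consecutive: int = 0


class SimulatedIssuer:
    """Constructed stand-in for the issuer (the payer's PSP), which has the final say
    on every exemption. It enforces both Art. 16 counters (conservative reading of
    the "(b) or (c)" wording) and resets them whenever SCA is applied."""

    def __init__(self) -> None:
        self._counters: Dict[str, CardCounters] = {}

    def authorize(self, card: str, amount: Decimal,
                  exemption: Optional[str], sca_applied: bool) -> str:
        c = self._counters.setdefault(card, CardCounters())
        if sca_applied:
            c.cumulative = Decimal("0")   # counters run "since the last application of SCA"
            c.consecutive = 0
            return "approved"
        if exemption == "low_value":
            eligible = (amount <= LOW_VALUE_MAX
                        and c.cumulative + amount <= CUMULATIVE_MAX
                        and c.consecutive < MAX_CONSECUTIVE)
            if eligible:
                c.cumulative += amount
                c.consecutive += 1
                return "approved"
            return "soft_decline"   # exemption refused: the issuer wants SCA for this payment
        # Payer-initiated remote payment with neither SCA nor an exemption request.
        return "soft_decline"


def naive_authorize(issuer: SimulatedIssuer, card: str, amount: Decimal,
                    challenge: ChallengeFn) -> Tuple[str, str]:
    """The advice the page warns about: treat 'not above EUR 30' as an automatic pass.
    No exemption indicator is sent and a soft decline is reported as a failed payment."""
    if amount <= LOW_VALUE_MAX:
        return issuer.authorize(card, amount, exemption=None, sca_applied=False), "none"
    if not challenge(card, amount):
        return "declined", "sca_failed"
    return issuer.authorize(card, amount, exemption=None, sca_applied=True), "sca"


def compliant_authorize(issuer: SimulatedIssuer, card: str, amount: Decimal,
                        challenge: ChallengeFn) -> Tuple[str, str]:
    """Request the exemption explicitly, accept the issuer's decision, step up on soft decline.
    Returns (outcome, path), where path records how the payment was authenticated."""
    if amount <= LOW_VALUE_MAX:
        result = issuer.authorize(card, amount, exemption="low_value", sca_applied=False)
        if result == "approved":
            return "approved", "low_value_exemption"
        # Soft decline: fall through to the challenge instead of giving up.
    # The challenge is where dynamic linking (Art. 5) happens: the authentication code
    # the payer produces is bound to this amount and this payee.
    if not challenge(card, amount):
        return "declined", "sca_failed"
    return issuer.authorize(card, amount, exemption=None, sca_applied=True), "sca"


def run_series(authorize, amounts, card: str = "tok_4111") -> list:
    """Run one card through a sequence of payments against a fresh simulated issuer.
    The challenge always succeeds here (constructed); the amounts are constructed sample data."""
    issuer = SimulatedIssuer()
    always_pass: ChallengeFn = lambda _card, _amount: True
    return [authorize(issuer, card, Decimal(a), always_pass) for a in amounts]


if __name__ == "__main__":
    for outcome, path in run_series(compliant_authorize, ["25", "25", "25", "25", "25"]):
        print(outcome, path)   # four exemptions, then the cumulative cap forces SCA on the fifth
    print(run_series(naive_authorize, ["25"]))   # [('soft_decline', 'none')]
```

The naive path loses a perfectly good €25 payment because it never asks for the exemption and has no answer to a soft decline; the compliant path gets four exempted payments, is stepped up on the fifth when the €100 counter is exhausted, and is exempted again afterwards because the SCA reset the counters. Swapping the always-passing challenge for a real 3DS 2.x challenge result is the only change needed to use the same decision logic against a live issuer.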

Ineffective attempts

Common but ineffective approaches:

  1. Telling the fintech to implement SCA only for payments above €30 and ignore the exemption rules  90% failure

    The exemption is not automatic: the PSP must request it, the issuer tracks the €100 cumulative and five-transaction counters and decides each time, and an unflagged remote payment sent without SCA may be soft-declined or reported as non-compliant.

  2. Advising the fintech to use static card-on-file tokens without dynamic linking  85% failure

    A token, static or network, is not authentication: it neither proves the payer's presence nor binds the amount and payee as dynamic linking (Article 5) requires when SCA is applied, and it has no bearing on exemption eligibility; the issuer will still require SCA or a validly requested exemption.

  3. Suggesting the fintech disable SCA entirely for recurring payments  92% failure

    Recurring payments have their own treatment: the first (mandate-setting) payment requires SCA, and subsequent merchant-initiated payments are out of scope only when flagged as MIT with a reference to that initial authenticated transaction; blanket disabling violates PSD2.