PSD2/ZAG: Strong Customer Authentication and Direct Debiting Schemes

Written By

Dr. Michael Jünemann

Partner
Germany

As co-head of the global Finance & Financial Regulation Practice Groups and head of the German Finance & Financial Regulation Practice Group, I advise on national and international finance and capital markets law as well as on commercial and corporate law. I am also a member of the international steering group of our Financial Services Sector Group.

Johannes Wirtz, LL.M. (London)

Partner
Germany

As partner in our Finance & Financial Regulation Group in Frankfurt, I advise our national and international clients on banking regulatory issues and finance law.

German regulator BaFin limits the application of strong customer authentication for direct debiting schemes.

The German Federal Financial Supervisory Authority (BaFin) has issued a notice to consumers (in German) clarifying that the regulator does not require strong customer authentication (SCA) pursuant to section 55 paragraph 1 number 3 of the German Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG) for most online payments made by direct debit. This step confirms BaFin's existing regulatory practice following a statement by the European Banking Authority (EBA). The EBA's statement, which could be read as requiring SCA whenever any direct debiting scheme is used, had raised questions among legal practitioners, merchants and consumers across Germany.

SCA (also commonly referred to as two-factor authentication) requires that the customer authenticates with at least two out of three factors before a transaction is authorised. The relevant factors for SCA are knowledge (e.g. a password, PIN or TAN), possession (e.g. a payment card or smartphone) and inherence (e.g. a fingerprint or voice recognition); two elements from the same category, such as two passwords, do not satisfy the requirement. The corresponding section 55 ZAG takes effect on September 14, 2019 as part of the implementation of the second Payment Services Directive (PSD2) in Germany, in particular article 97 PSD2. These provisions set out the legal framework that requires payment service providers to perform SCA as soon as the customer accesses the account, initiates an electronic payment transaction, or uses remote access that carries a risk of fraud or other misuse.

In direct debiting practice the payer (the customer) mandates only the payee (the recipient, e.g. a merchant). The payer does not directly involve the payment service provider (e.g. a bank or a payment initiation service provider – PISP), and this is also true for the initiation of the payment. Instead, the payee issues a request to the payment service provider to execute the transaction. Only where the e-mandate under the SEPA rules (rarely used in Germany) is employed does the direct debiting scheme involve the payment service provider directly through the payer, and SCA is then ultimately required.
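As an added illustration (not part of the article, and not any regulator's or payment scheme's code), the two rules set out above can be modelled as a small Python check: when SCA is triggered under article 97 PSD2 / section 55 ZAG, and whether the factors presented come from at least two distinct categories. The names Trigger, Factor, sca_required and sca_satisfied are assumed for this example, and the direct debit exemption is applied only to the payee-initiated case the article describes.

```python
"""Added example: a minimal rule model of the SCA points discussed in the article.
All class and function names here are illustrative assumptions, not a real API."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple


class FactorCategory(Enum):
    KNOWLEDGE = "knowledge"    # e.g. password, PIN, TAN
    POSSESSION = "possession"  # e.g. payment card, smartphone
    INHERENCE = "inherence"    # e.g. fingerprint, voice recognition


@dataclass(frozen=True)
class Factor:
    name: str
    category: FactorCategory


class Trigger(Enum):
    ACCOUNT_ACCESS = "account_access"                # customer accesses the account
    ELECTRONIC_PAYMENT = "electronic_payment"        # customer initiates an e-payment
    REMOTE_ACTION_WITH_RISK = "remote_action_risk"   # remote access with fraud risk
    DIRECT_DEBIT = "direct_debit"                    # payee-initiated collection


def sca_required(trigger: Trigger, sepa_e_mandate: bool = False) -> bool:
    """SCA applies to the three triggers of art. 97 PSD2 / s. 55 ZAG. A payee-initiated
    direct debit is not one of them: the payer never interacts with the PSP, unless the
    mandate is given through the SEPA e-mandate, which does involve the PSP."""
    if trigger is Trigger.DIRECT_DEBIT:
        return sepa_e_mandate
    return True


def sca_satisfied(presented: Iterable[Factor]) -> bool:
    """Two factors only count if they come from two distinct categories:
    a PIN plus a password is still a single factor (knowledge)."""
    categories = {factor.category for factor in presented}
    return len(categories) >= 2


def authorise(trigger: Trigger, presented: Iterable[Factor],
              sepa_e_mandate: bool = False) -> Tuple[bool, str]:
    """Decide whether the transaction may proceed and explain why."""
    if not sca_required(trigger, sepa_e_mandate):
        return True, "no SCA required: payee-initiated direct debit"
    if sca_satisfied(presented):
        return True, "SCA satisfied: two distinct factor categories presented"
    return False, "SCA required but fewer than two factor categories presented"
```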

In Germany, approximately 20 percent of online payments are executed using direct debiting. Together with PayPal it is the second most commonly used payment scheme in Germany after purchases on account (28 percent) and thus more popular than credit card payments (11 percent).


The authors thank Sascha Lucas for his support.
