Strong Customer Authentication (SCA)
Further Information
warning
DISCLAIMER: ANY INFORMATION OR STATEMENT UNDER THIS SECTION MUST NOT CONSIDERED LEGAL ADVICE. IN PARTICULAR, YOU MUST REVIEW YOUR CONTRACTUAL TERMS IN THE LIGHT OF THE JUDGMENT HEREINAFTER INDEPENDENTLY. RATEPAY CANNOT HOLD LIABLE FOR ANY LOSSES OR DAMAGES OCCURED IN CONNECTION WITH JUDGMENT HEREINAFTER. RATEPAY RECOMMENDS TO SEEK ALWAYS QUALIFIED LEGAL ADVICE IN THE EVENT OF LEGAL UNCERTAINTY.
In its final report, the EBA had stated that SCA was not necessary when issuing a SEPA direct debit mandate. An exception to this was an electronic mandate involving the payer's payment service provider. This was understood to mean that it had to be an e-mandate according to the SEPA Regulation, which requires technical implementation by the account-holding institution (the “payer’s PSP”).
Now there is also the EBA clarification as an answer to a question by the German Federal Financial Supervisory Authority (BaFin) in the Single Rule Book Q&A Tool (Q&A 2019_4664, https://eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2019_4664). Ratepay’s understanding of the way the question was posed by BaFin and EBA’s answer, is that nothing has changed on that position, meaning that the payer’s PSP has to be directly involved in the setup of such a mandate, which is only the case for e-mandates as laid down in the SEPA rulebooks.
In conclusion, SCA does not apply to SEPA DD transactions as Ratepay offers it. This view is also supported by the BaFin.
What is an e-mandate?
An e-mandate service must first be set up by the customer himself in the online banking portal of the payment service provider of the customer. There are certain formal requirements for the setup, including the QES standard. The payment checkout of the respective online merchant then requires an (technical) interface to the online banking portal of the customer's payment service provider, where the e-mandate service is stored and the e-mandate can be initiated via that interface by the customer at the payment service provider to pay for the specific basket items. In order to be able to access the e-mandate service via the interface, SCA is required.
In short: E-Mandates use the customer's login information in online banking and are therefore set up differently from paper-based and electronic mandates (the latter is not the same as an e-mandate).
E-mandates are a voluntary service specified in the SEPA Regulations. The e-mandate scheme could offer security advantages over paper-based and electronic mandates (e.g. Ratepay Direct Debit product), but there is still a considerable lack of e-mandate providers in the market. As of Q1 2020, there is currently no bank offering the e-mandate service in Germany (to best of our knowledge). This is probably not least due to the high security requirements, e.g. SCA.