Content Options:

Content Options

View Options:


You are viewing the version of the document as on 2021-01-01.

Chapter 3 Exemptions from strong customer authentication

Article 10 Payment account information

  1. (1)

    Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:

    1. (a)

      the balance of one or more designated payment accounts;

    2. (b)

      the payment transactions executed in the last 90 days through one or more designated payment accounts.

  2. (2)

    For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions are met:

    1. (a)

      the payment service user is accessing online the information specified in paragraph 1 for the first time;

    2. (b)

      more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.

Article 11 Contactless payments at point of sale

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:

  1. (a)

    the individual amount of the contactless electronic payment transaction does not exceed £45; and

  2. (b)

    the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed £130; or

  3. (c)

    the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

Article 11 Contactless payments at point of sale

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:

  1. (a)

    the individual amount of the contactless electronic payment transaction does not exceed £45; and

  2. (b)

    the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed £130; or

  3. (c)

    the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

Article 12 Unattended terminals for transport fares and parking fees

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates an electronic payment transaction at an unattended payment terminal for the purpose of paying a transport fare or a parking fee.

Article 13 Trusted beneficiaries

  1. (1)

    Payment service providers shall apply strong customer authentication where a payer creates or amends a list of trusted beneficiaries through the payer’s account servicing payment service provider.

  2. (2)

    Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the general authentication requirements, where the payer initiates a payment transaction and the payee is included in a list of trusted beneficiaries previously created by the payer.

Article 14 Recurring transactions

  1. (1)

    Payment service providers shall apply strong customer authentication when a payer creates, amends, or initiates for the first time, a series of recurring transactions with the same amount and with the same payee.

  2. (2)

    Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the general authentication requirements, for the initiation of all subsequent payment transactions included in the series of payment transactions referred to in paragraph 1.

Article 15 Credit transfers between accounts held by the same natural or legal person

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a credit transfer in circumstances where the payer and the payee are the same natural or legal person and both payment accounts are held by the same account servicing payment service provider.

Article 16 Low-value transactions

Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:

  1. (a)

    the amount of the remote electronic payment transaction does not exceed £25; and

  2. (b)

    the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed £85; or

  3. (c)

    the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed five consecutive individual remote electronic payment transactions.

Article 17 Secure corporate payment processes and protocols

Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the FCA is satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by the Payment Services Regulations 2017 (SI 2017/752).

Article 18 Transaction risk analysis

  1. (1)

    Payment service providers shall be allowed not to apply strong customer authentication where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk according to the transaction monitoring mechanisms referred to in Article 2 and in paragraph 2(c) of this Article.

  2. (2)

    An electronic payment transaction referred to in paragraph 1 shall be considered as posing a low level of risk where all the following conditions are met:

    1. (a)

      the fraud rate for that type of transaction, reported by the payment service provider and calculated in accordance with Article 19, is equivalent to or below the reference fraud rates specified in the table set out in the Appendix for ‘remote electronic card-based payments’ and ‘remote electronic credit transfers’ respectively;

    2. (b)

      the amount of the transaction does not exceed the relevant Exemption Threshold Value (‘ETV’) specified in the table set out in the Appendix;

    3. (c)

      payment service providers as a result of performing a real-time risk analysis have not identified any of the following:

      1. (i)

        abnormal spending or behavioural pattern of the payer;

      2. (ii)

        unusual information about the payer's device/software access;

      3. (iii)

        malware infection in any session of the authentication procedure;

      4. (iv)

        known fraud scenario in the provision of payment services;

      5. (v)

        abnormal location of the payer;

      6. (vi)

        high-risk location of the payee.

  3. (3)

    Payment service providers that intend to exempt electronic remote payment transactions from strong customer authentication on the ground that they pose a low risk shall take into account at a minimum, the following risk-based factors:

    1. (a)

      the previous spending patterns of the individual payment service user;

    2. (b)

      the payment transaction history of each of the payment service provider's payment service users;

    3. (c)

      the location of the payer and of the payee at the time of the payment transaction in cases where the access device or the software is provided by the payment service provider;

    4. (d)

      the identification of abnormal payment patterns of the payment service user in relation to the user’s payment transaction history.

    The assessment made by a payment service provider shall combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.

Article 19 Calculation of fraud rates

  1. (1)

    For each type of transaction referred to in the table set out in the Appendix, the payment service provider shall ensure that the overall fraud rates covering both payment transactions authenticated through strong customer authentication and those executed under any of the exemptions referred to in Articles 13 to 18 are equivalent to, or lower than, the reference fraud rate for the same type of payment transaction indicated in the table set out in the Appendix.

    The overall fraud rate for each type of transaction shall be calculated as the total value of unauthorised or fraudulent remote transactions, whether the funds have been recovered or not, divided by the total value of all remote transactions for the same type of transactions, whether authenticated with the application of strong customer authentication or executed under any exemption referred to in Articles 13 to 18 on a rolling quarterly basis (90 days).

  2. (2)

    The calculation of the fraud rates and resulting figures shall be assessed by the audit review referred to in Article 3(2), which shall ensure that they are complete and accurate.

  3. (3)

    The methodology and any model used by the payment service provider to calculate the fraud rates, as well as the fraud rates themselves, shall be adequately documented and made fully available to the FCA, upon its request.

Article 20 Cessation of exemptions based on transaction risk analysis

  1. (1)

    Payment service providers that make use of the exemption referred to in Article 18 shall immediately report to the FCA where one of their monitored fraud rates, for any type of payment transactions indicated in the table set out in the Appendix exceeds the applicable reference fraud rate and shall provide to the FCA a description of the measures that they intend to adopt to restore compliance of their monitored fraud rate with the applicable reference fraud rates.

  2. (2)

    Payment service providers shall immediately cease to make use of the exemption referred to in Article 18 for any type of payment transactions indicated in the table set out in the Appendix in the specific exemption threshold range where their monitored fraud rate exceeds for two consecutive quarters the reference fraud rate applicable for that payment instrument or type of payment transaction in that exemption threshold range.

  3. (3)

    Following the cessation of the exemption referred to in Article 18 in accordance with paragraph 2 of this Article, payment service providers shall not use that exemption again, until their calculated fraud rate equals to, or is below, the reference fraud rates applicable for that type of payment transaction in that exemption threshold range for one quarter.

  4. (4)

    Where payment service providers intend to make use again of the exemption referred to in Article 18, they shall notify the FCA in a reasonable timeframe and shall before making use again of the exemption, provide evidence of the restoration of compliance of their monitored fraud rate with the applicable reference fraud rate for that exemption threshold range in accordance with paragraph 3 of this Article.

Article 21 Monitoring

  1. (1)

    In order to make use of the exemptions set out in Articles 10 to 18, payment service providers shall record and monitor the following data for each type of payment transaction, with a breakdown for both remote and non-remote payment transactions, at least on a quarterly basis:

    1. (a)

      the total value of unauthorised or fraudulent payment transactions in accordance with Regulation 67(2) of the Payment Services Regulations 2017 (SI 2017/752), the total value of all payment transactions and the resulting fraud rate, including a breakdown of payment transactions initiated through strong customer authentication and under each of the exemptions;

    2. (b)

      the average transaction value, including a breakdown of payment transactions initiated through strong customer authentication and under each of the exemptions;

    3. (c)

      the number of payment transactions where each of the exemptions was applied and their percentage in respect of the total number of payment transactions.

  2. (2)

    Payment service providers shall make the results of the monitoring in accordance with paragraph 1 available to the FCA upon its request.