Article 18 Transaction risk analysis

  1. (1)

    Payment service providers shall be allowed not to apply strong customer authentication where the payer initiates a remote electronic payment transaction identified by the payment service provider as posing a low level of risk according to the transaction monitoring mechanisms referred to in Article 2 and in paragraph 2(c) of this Article.

  2. (2)

    An electronic payment transaction referred to in paragraph 1 shall be considered as posing a low level of risk where all the following conditions are met:

    1. (a)

      the fraud rate for that type of transaction, reported by the payment service provider and calculated in accordance with Article 19, is equivalent to or below the reference fraud rates specified in the table set out in the Appendix for ‘remote electronic card-based payments’ and ‘remote electronic credit transfers’ respectively;

    2. (b)

      the amount of the transaction does not exceed the relevant Exemption Threshold Value (‘ETV’) specified in the table set out in the Appendix;

    3. (c)

      payment service providers as a result of performing a real-time risk analysis have not identified any of the following:

      1. (i)

        abnormal spending or behavioural pattern of the payer;

      2. (ii)

        unusual information about the payer's device/software access;

      3. (iii)

        malware infection in any session of the authentication procedure;

      4. (iv)

        known fraud scenario in the provision of payment services;

      5. (v)

        abnormal location of the payer;

      6. (vi)

        high-risk location of the payee.

  3. (3)

    Payment service providers that intend to exempt electronic remote payment transactions from strong customer authentication on the ground that they pose a low risk shall take into account at a minimum, the following risk-based factors:

    1. (a)

      the previous spending patterns of the individual payment service user;

    2. (b)

      the payment transaction history of each of the payment service provider's payment service users;

    3. (c)

      the location of the payer and of the payee at the time of the payment transaction in cases where the access device or the software is provided by the payment service provider;

    4. (d)

      the identification of abnormal payment patterns of the payment service user in relation to the user’s payment transaction history.

    The assessment made by a payment service provider shall combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.