The regulatory requirement related to VOP for Payment Initiation Service Provider (PISP) initiated transactions and its implementation details is something that VOP ecosystem participants must be aware of. Here is the summary of key VOP requirements for PISP-initiated transactions.
Regulatory requirements for PISP-initiated transactions
For PISP-initiated transactions –
- Where PISP is acting on behalf Payer & the payer provides the account details to PISP, then PISP must do the VOP check. The Account Servicing PSP (ASPSP) is not expected to execute VOP check at the time of the Payer’s consent and authorization.
- Where PISP is acting on behalf Payee, Article 5c.2 & 5c.3 of IPR requires that the PISP shall ensure that the information concerning the payee is correct and maintain robust internal procedures to ensure the correctness.
- Generally, in the market, payees (merchants) provide their details to PISPs during their onboarding and the PISP validates the account information provided by the payee.
- PISP may do a VOP check during Payee onboarding in addition to other validations
- The DG FISMA Q&A clarifications on this topic make it clear:
- PISPs are responsible for ensuring the correctness of Payee information if it is NOT provided by the Payer (Q:132)
- When the PISP is not acting on behalf of the Payee, it can ensure this through a VOP check (Q: 135)
- When the PISP is acting on behalf of the Payee, it can be exempted from the VOP check if there are robust internal procedures to ensure the correctness of Payee information (Q: 135)
PISP acting on behalf of the Payer
PISP acting on behalf of the Payee
Implications of the above requirements on ASPSP
- If the Credit Transfer is initiated by a PISP, the consumer’s ASPSP shall not be responsible for, and not execute, any VOP checks for PISP-initiated payments.
- In case of fraud or misdirected payment claims involving a PISP, the PSU (customer) can request their ASPSP to immediately refund the money, and that ASPSP can then recover it from the PISP or Responding PSP whoever was at fault. (IPR Article 5c.8)
- Responding PSP must perform the eIDAS-based authentication and authorization of PISPs the same way they do for an ASPSP requestor
PISP participation and adherence to the EPC VOP scheme
- PISPs are eligible to participate in the EPC VOP Scheme as they are PSD2-regulated payment institutions. (Ref: Section 4.4 of EPC Rulebook covers participant eligibility)
- PISP’s EPC VOP scheme participation allows them to discover the responding account servicing PSPs through the EDS
- PISPs must ensure that their National Authority Number (NaN) & BIC code are maintained in the EDS to ensure that the Responder PSP can validate their authorization as required by the VOP security framework
- PISP may need to contact SWIFT to get a non-connected BIC code. Details are available here – https://www.swift.com/myswift/ordering/order-products-services/non-connected-bic-and-branch-code
- PISPs or their RVMs must present the PSD2 eIDAS certificate of the PISP to Responder PSPs/RVMs for authentication and authorization
References
Let us Connect!
Stay ahead of regulatory changes affecting PISP-initiated transactions. Get in touch with Banfico for more information or register for one of our breakfast events across Europe this February by using the link below.
Banfico periodically sends newsletters on various topics related to EPC Verification of Payee implementation. Visit this page to read the previous newsletters.