What is a TRA exemption and how can an exemption engine help?

The conversation around the Payment Services Directive (PSD2) often focuses on the impact the additional fraud review will have on the checkout process, and rightfully so. The new directive will increase the friction consumers experience by requiring Strong Customer Authentication (SCA), inevitably routing much of the traffic within the European Union (EU) and European Economic Area (EEA) through 3D-Secure 2.0 (3DS2). 

Directing transactions through 3DS2 will increase cart abandonment, degrade the customer experience, and lead to higher decline rates for merchants.

However, there is good news; merchants who want to limit SCA’s impact on their conversion and revenue generation can request exemptions on certain transactions.  An exemption engine is the best way to get TRA exemptions and other types of exemptions. 

To understand what an exemption engine is, it is important first to understand what an exemption is.

What is a Payment Exemption? 

Not every transaction processed within the EU will have to abide by the full Strong Customer Authentication requirements of the PSD2. For qualifying transactions, merchants can request an exemption. For an exemption to be accepted, the acquirer needs to agree, and the issuer then needs to approve the request.  

When exemptions are granted, payment service providers (PSPs) can process transactions without SCA. This enables the merchant to offer a frictionless checkout process where consumers complete their purchase with a single click, drastically reducing cart abandonment rates.

It is important to note that when an exemption is granted, the liability for the chargeback falls on the merchant rather than the issuer.

What is a Transaction Risk Analysis (TRA) Exemption?

The most common type of exemption is called a Transaction Risk Analysis (TRA) exemption. The purpose of the TRA exemption is to enable merchants with low-risk transactions to process them without additional verification methods.

Merchants can request a TRA exemption for transactions deemed low-risk by the issuing banks based on the card issuer and acquirer’s fraud levels. Acquirers can request TRA exemptions if their overall portfolio fraud rate is under a certain threshold. Each issuing bank has a matrix that considers the transaction amount and required fraud rate to determine if they can grant a TRA exemption or not.

As part of PSD2, acquirers will have to ensure their fraud rates are even lower than before, and as a result, will only grant TRA exemptions for merchants who exhibit low fraud rates. This makes it in the best interest of merchants to have a powerful fraud-prevention tool as part of their payment processing suite. 

What Are Other Types of Exemptions? 

In addition to TRA exemptions, there are other types of exemptions that merchants can apply for such as:  

  • Low Transaction Value – Any transaction under 30 EUR can be granted an exemption. However, if a consumer makes multiple (usually 5) consecutive transactions or the total transaction sum of a single consumer exceeds 100 EUR, SCA may be requested. 
  • Whitelisted Merchants – Consumers can select to add merchants to a whitelist after completing an SCA payment session. This will enable the consumers to complete the following transactions with the same merchant without filling out their information again. The merchant can do this through their card issuer; however, it is important to know that many issuers still do not support this option.
  • Fixed-amount/Subscriptions – Similarly to whitelisting, exemptions can be applied when there is a fixed-amount/subscription model in place. In such instances, the consumer will have to complete the first transaction under SCA, and they can process the following charges under the exemption. 
  • Secure Corporate Payments – Transactions initiated by a secure corporate account can be granted SCA exemption. This includes cards held by travel agents, virtual cards, and more. 

What is an Exemption Engine?

An exemption engine is a tool used by merchants to determine which transactions are eligible for an exemption and which type of exemption to request (TRA or other).  An exemption engine also determines which transactions should be processed using full 3DS authorization.  

Exemption engines operate on behalf of merchants and consider multiple things when determining if an exemption should be requested or not. Based on the merchant fraud level and the transaction risk, an exemption engine will request an exemption for low-risk transactions or transactions that meet the PSD2 exemption criteria. 

As the liability for exemption chargeback falls on the merchant rather than issuer banks, merchants should only ask for exemptions when the risk of a chargeback is low.  If a merchant processes a transaction that was granted an exemption, and then later there is a chargeback, this will increase the merchant’s fraud rate, and acquirers and issuers will grant fewer exemptions in the future.

In addition to recognizing which transactions are exemption eligible, an exemption engine needs to consider the type of 3DS that will be applied to the transaction. By understanding the consumer’s behavior and the impact friction will have on their abandonment rates, it is possible to optimize the payment flow to reduce touchpoints through exemptions, thereby ensuring compliance while reducing abandonment rates.

Lastly, the issuer must be considered by an exemption engine.  Incorporating 3DS has an effect on the overall authorization approval ratio. With some issuers, the approval ratio for 3DS transactions may be up to 20% lower, while for other issuers, 3DS can actually increase the chances for the transaction to be authorized.  This is dependent upon the industry, the merchant history, and other factors.  

Having an exemption engine in place will automate the exemption request process for merchants, enabling them to increase their exemption requests and their approval ratio.

What Happens if a TRA Exemption Request Fails? 

In theory, merchants can request a TRA exemption for every transaction; however, doing so may harm them if they end up having high fraud rates, which will then harm their ability to request future exemptions. Merchants should only apply for a TRA exemption if they are using a pre-authorization fraud solution that uses behavioral analytics and artificial intelligence (AI) to determine if the transaction is low risk.

If a payment service provider requests a TRA exemption for transactions that meet the exemption criteria, it is in the issuer’s best interest to grant the exemption. This is because the fraud liability shifts from the issuer to the merchant.  At the same time, issuers are liable to comply with PSD2 regulation, and therefore may be wary of accepting exemptions. Issuers will also likely use their own fraud tools to determine which exemption requests to accept and which to deny. 

Merchants can always request TRA exemptions for transactions they believe to be low risk; however, sometimes the exemption will fail. It is the responsibility of the issuing bank to accept or reject exemptions. If an issuing bank declines the exemption request, consumers should be directed to complete the Strong Customer Authentication process.

It is important for merchants to make sure that this payment flow is supported by their system. Directing consumers to complete SCA after an exemption is rejected can be managed internally or by their PSP; however, without this payment flow, any declined exemption request will lead to a lost transaction.
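The routing an exemption engine performs and the step-up to SCA after a rejected exemption, sketched as an added example (it is not Forter's code and not part of the original article). The TRA amount bands are the PSD2 RTS reference fraud rates for remote card payments, which the article does not state; `risk_score`, `max_risk`, the route labels and the two callbacks are hypothetical.

```python
from dataclasses import dataclass

# Assumption, not from the article: PSD2 RTS reference fraud rates for remote
# card payments, as (max amount in EUR, max acquirer fraud rate). Issuers may
# apply their own stricter matrix.
TRA_BANDS = [(100, 0.0013), (250, 0.0006), (500, 0.0001)]

@dataclass
class Txn:
    amount_eur: float
    risk_score: float              # hypothetical: 0.0 (safe) to 1.0 (fraud)
    exempt_count: int = 0          # consecutive low-value exemptions since last SCA
    exempt_total_eur: float = 0.0  # their cumulative value

def choose_route(txn, acquirer_fraud_rate, max_risk=0.2):
    """Return the exemption to request, or "SCA" for full 3DS."""
    # The merchant carries chargeback liability on exempted payments,
    # so anything the fraud tool scores as risky goes to SCA.
    if txn.risk_score > max_risk:
        return "SCA"
    # Low-value rule from the article: under 30 EUR, at most 5 in a row,
    # cumulative total not above 100 EUR.
    if (txn.amount_eur < 30 and txn.exempt_count < 5
            and txn.exempt_total_eur + txn.amount_eur <= 100):
        return "LOW_VALUE"
    # TRA: the acquirer's fraud rate must fit the band for this amount.
    for max_amount, max_rate in TRA_BANDS:
        if txn.amount_eur <= max_amount:
            return "TRA" if acquirer_fraud_rate <= max_rate else "SCA"
    return "SCA"  # above the highest band

def process(txn, acquirer_fraud_rate, issuer_accepts, complete_sca):
    """Request the exemption; if the issuer rejects it, step up to SCA
    instead of dropping the payment."""
    route = choose_route(txn, acquirer_fraud_rate)
    if route != "SCA" and issuer_accepts(route, txn):
        return route, "authorized_without_sca"
    outcome = "authorized_with_sca" if complete_sca(txn) else "declined"
    return "SCA", outcome
```

A payment that exhausts the low-value counters still falls through to the TRA check, so the counters alone do not force SCA when the acquirer's fraud rate fits the band.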

Why are exemptions so critical under PSD2 regulation?

Starting January 1st, 2021, when merchants catering to EU or EEA customers will have to comply with PSD2, the role of exemptions will be critical.

Today, over 73% of fraud in Europe results from online fraud, and this number is continuing to rise.  The PSD2 aims to combat the increased fraud rates while enhancing the European payment market’s safety.

One of the most critical elements of the PSD2 for merchants is the SCA requirement. 

Until now, issuers and acquiring banks could choose to use 3DS1, 3DS2, or no additional verification method. Once PSD2 goes into effect, this will no longer be an option. Merchants will need to route all traffic through 3DS unless exemptions are granted.

The very nature of 3DS increases friction and requires consumers to have more touchpoints throughout the checkout process, thus increasing cart abandonment rates. It is important to recognize that cart abandonment is not always a result of difficulty completing authentication; cart abandonment can also occur if the consumer has additional time to consider their purchase – something 3DS significantly increases. Because of a lack of issuer and acquirer PSD2 readiness, more traffic will be directed via 3DS, thereby giving consumers more time to have second thoughts about their purchase. 

Merchants that want to reduce consumer friction and improve their websites’ checkout experience will have to integrate a pre-authorization fraud solution and an exemption engine as part of the payment optimization solution and request exemptions whenever possible. 

What are the Benefits of Exemptions? 

Friction during the payment process has a significant impact on overall conversion, with 3DS friction reportedly causing an average of 25% declines (more in countries such as France and Italy), of which 15-30% are the result of cart abandonment.

When merchants get an exemption, they provide their consumers with a frictionless payment process that makes the overall shopping experience better, improving the likelihood that the consumer will return to them in the future. 

The main benefit of exemptions is the ability to maximize revenue generation by optimizing checkout processes and making it easier for consumers to complete their purchase.  In addition to reducing the reliance on 3DS, exemptions reduce merchants’ operational costs by reducing the additional authentication processing costs. However, this is only advantageous if a merchant has a fraud prevention solution in place that reduces risk and chargeback liability. 

How to Take Advantage of Exemptions? 

Merchants that want to take advantage of exemptions need to either apply for specific exemptions or have a managed service that provides an exemption engine as part of the service. 

A smart exemption engine, such as that offered by Forter as part of the PSD2 product, can use past transaction data and artificial intelligence (AI) to determine if a consumer’s behavior is fraudulent. Based on the exemption assessment and real-time risk analysis, an exemption engine can route transactions to request an exemption, eliminating the SCA requirement while retaining PSD2 compliance. 

By operating on behalf of merchants, Forter can recognize legitimate transactions, route relevant ones to exemption, and provide those that do not meet the criteria with the path of least friction. This reduces the touchpoints consumers encounter, leading to higher conversions and revenue generation and lower fraud and liability.

Dynamic payment optimization partners such as Forter can customize exemption logic flows, creating exemption logic based on each merchant’s product and consumer profile. The right partner will also ensure they take liability upon themselves, therefore maximizing profitability and reducing merchants’ risk.

Ask your payment optimization partner the following questions to ensure your business is ready to request exemptions and is PSD2 compliant: 

  1. Can my business request exemptions? 
  2. What are your exemption criteria?
  3. Under PSD2, what percentage of transactions will be sent with exemptions rather than 3DS?
  4. What is your post-PSD2 exemption approval rate?
  5. How does your exemption engine work? 
  6. Does your exemption engine only request TRA exemptions or other exemptions as well?
  7. What happens if an exemption fails? 
