
What you need to know about PSD2 one leg transactions

Non-EEA companies are still being caught out by PSD2 requirements - particularly when it comes to one leg transactions. Learn how to deal with the rules.



Businesses within the European Economic Area (EEA) face many challenges under PSD2, but what about those outside it? For non-EEA companies there are other, less obvious problems still being encountered. We have spoken with many non-EEA online businesses that are aware of PSD2 but do not know about all the measures that may apply to them. One surprising stumbling point has been one leg transactions. This is crucial knowledge for any company seeking to do business in Europe, so let's get our heads around some of the key concepts.

What are one leg transactions?

In their most basic form, one leg transactions (also referred to as one leg out) are payments where only one of the two Payment Service Providers (PSPs) involved, the payer's or the payee's, is located in the EEA: for example, a card issued by an EEA bank used at a merchant whose acquirer is located in the United States. Two leg transactions are payments where both the payer's PSP and the payee's PSP are located in the EEA. PSD2 applies to both, although not identically: for one leg transactions it applies to those parts of the transaction that are carried out within the EEA, in any currency.

Why this matters comes down to scope. Under PSD1, one leg transactions fell outside the regulation entirely, as it only covered payments where both PSPs were located in the EU. PSD2 has changed all that by bringing them within scope.

How do one leg transactions affect companies doing business in the EEA?

The short answer: considerably. A non-EEA company taking payments from EEA customers is processed through an EEA PSP that must adhere to PSD2, including strong customer authentication (SCA) and the requirements for secure communication between PSPs, so the company's checkout and payment integration have to support those requirements too. International companies need to ensure that they have the necessary infrastructure and technology in place to support PSD2-compliant payments. This may involve partnering with PSPs that are authorised and regulated under PSD2, or investing in their own payment infrastructure to ensure compliance.

Overall, PSD2 one leg out transactions may increase the complexity and cost of providing payment services to customers within the EEA for international companies. However, complying with these regulations can also help to improve the security and transparency of payment transactions, which can ultimately benefit both businesses and consumers.

What has surprised us in discussions with several merchants is that some only learned they must meet PSD2 requirements for processing payments once they had reached contract negotiations with EEA entities. They had assumed that being located half a world away from the EU meant they did not have to comply with PSD2's SCA principles.

More considerations for non-EEA entities

It’s not just PSD2 requirements alone that can appear difficult to adhere to, however, as there are a few other things that need to be considered.

Liabilities: under PSD2, liability for an unauthorised transaction shifts to the party that did not support SCA, so a payee or PSP that does not comply can be left carrying the cost of the resulting fraud. It is therefore crucial to understand the requirements and ensure compliance to avoid financial losses, penalties and reputational damage.

Third-party providers: a company that uses third-party providers to process payments must ensure that those providers also comply with PSD2 regulations and SCA requirements. Overall, any entity that wishes to take online payments in the EEA must fully understand and comply with PSD2 regulations for one leg out transactions.

The benefits for companies efficiently processing one leg transactions

In a time when reputations can be made or broken in an instant through online reviews, it is always in a company's best interest to adhere to the latest rules and regulations. Being on the wrong side of the rules is one thing, but being seen by customers as inefficient in any aspect of cybersecurity, fraud prevention or payment processing can have a huge negative impact on a company.

Non-compliance is not an option for companies that are seeking to grow their businesses and increase revenue, as failure to meet the required standards simply results in EEA issuers declining payments that lack the required authentication. Not only does compliance allow you to do business within the EEA, opening up new revenue flows, but it can also lead to a more secure environment for both businesses and consumers.

And with a more secure online payment experience, the PSP processing the payments can request certain SCA exemptions on a non-EEA merchant's behalf. Exemptions are limited (the low-value exemption for remote payments of EUR 30 or less, and the transaction risk analysis exemption for low-risk payments of up to EUR 100, 250 or 500 depending on the PSP's fraud rate), but they can be effective in keeping friction and processing costs down. Crucially, strict conditions need to be met to qualify: the low-value exemption carries cumulative limits on the amount and number of payments since the last SCA, and the risk-based exemption is only available while the PSP's fraud rate stays at or below the reference rates set out in the regulatory technical standards. Exemptions are requested, not guaranteed; the issuer can still challenge any payment.
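As a worked illustration of the exemption conditions described above, here is an added example (not code from the original page or from Nethone or Mangopay) that classifies a payment as one leg or two leg from the locations of the two PSPs and then decides which SCA exemption, if any, could be requested for it. The threshold values are those in the RTS on SCA (Delegated Regulation (EU) 2018/389, Articles 16 and 18); the `Payment` fields, the function names and the sample payments are this example's own assumptions, and a real integration would take the fraud rate and the cumulative counters from the acquirer's and issuer's records rather than from the caller.

```python
"""Decide whether a PSD2 SCA exemption can be requested for a remote card payment.

Added example, not code from the original page. Threshold values come from the
RTS on SCA (Delegated Regulation (EU) 2018/389), Articles 16 and 18; the input
fields and function names are this example's own assumptions.
"""
from dataclasses import dataclass

# EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# RTS Art. 18, transaction risk analysis (TRA): (exemption threshold value in
# EUR, highest reference fraud rate in percent the PSP may have for that band).
TRA_TIERS = ((500, 0.01), (250, 0.06), (100, 0.13))

# RTS Art. 16, low-value remote payments.
LOW_VALUE_MAX_AMOUNT = 30          # per payment, EUR
LOW_VALUE_CUMULATIVE_AMOUNT = 100  # since the last SCA, EUR
LOW_VALUE_CUMULATIVE_COUNT = 5     # consecutive exempted payments since last SCA


@dataclass
class Payment:
    amount_eur: float
    payer_psp_country: str       # where the issuer (payer's PSP) is located
    payee_psp_country: str       # where the acquirer (payee's PSP) is located
    acquirer_fraud_rate: float   # acquirer's reference fraud rate, in percent
    amount_since_last_sca: float = 0.0  # exempted amount since last SCA (assumed field)
    count_since_last_sca: int = 0       # exempted payments since last SCA (assumed field)


def leg_type(payer_psp_country: str, payee_psp_country: str) -> str:
    """'two-leg' if both PSPs are in the EEA, 'one-leg' if exactly one is, else 'out-of-scope'."""
    in_eea = (payer_psp_country.upper() in EEA, payee_psp_country.upper() in EEA)
    if all(in_eea):
        return "two-leg"
    if any(in_eea):
        return "one-leg"
    return "out-of-scope"


def tra_threshold(fraud_rate: float) -> float:
    """Highest exemption threshold value the PSP's fraud rate qualifies for (0 if none)."""
    return max((etv for etv, max_rate in TRA_TIERS if fraud_rate <= max_rate), default=0)


def sca_decision(p: Payment) -> str:
    """Return 'out-of-scope', 'low-value', 'tra' or 'sca-required'.

    The result is the exemption the PSP could *request*; the issuer may still
    challenge the payment. For one leg transactions the EEA PSP is expected to
    apply SCA on a best-efforts basis, so the merchant cannot rely on the
    exemption being honoured.
    """
    if leg_type(p.payer_psp_country, p.payee_psp_country) == "out-of-scope":
        return "out-of-scope"   # neither PSP is in the EEA: PSD2 SCA does not apply
    # Art. 16: low value, with the cumulative limits counted since the last SCA.
    # The count check is the conservative reading (at most five exempted payments).
    if (p.amount_eur <= LOW_VALUE_MAX_AMOUNT
            and p.amount_since_last_sca + p.amount_eur <= LOW_VALUE_CUMULATIVE_AMOUNT
            and p.count_since_last_sca < LOW_VALUE_CUMULATIVE_COUNT):
        return "low-value"
    # Art. 18: the amount must not exceed the band the acquirer's fraud rate allows.
    if p.amount_eur <= tra_threshold(p.acquirer_fraud_rate):
        return "tra"
    return "sca-required"


if __name__ == "__main__":
    # Constructed sample payments, not real data.
    samples = [
        Payment(25, "DE", "US", 0.20, amount_since_last_sca=50, count_since_last_sca=2),
        Payment(25, "DE", "US", 0.20, amount_since_last_sca=90, count_since_last_sca=2),
        Payment(200, "DE", "FR", 0.05),
        Payment(400, "DE", "FR", 0.05),
        Payment(400, "US", "JP", 0.05),
    ]
    for s in samples:
        print(f"{s.amount_eur:>6} EUR  {leg_type(s.payer_psp_country, s.payee_psp_country):<12} {sca_decision(s)}")
```

Note that the fraud rate used for TRA is the PSP's own, calculated as the RTS prescribes, not the merchant's: a merchant with a clean fraud record still loses the exemption if its acquirer's overall rate exceeds the reference rate, which is one reason acquirers care about the fraud performance of every merchant in their portfolio.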

What’s the solution to effective compliance?

It may seem complex for non-EEA companies to process EEA payments, but it can be simple. Understanding is the key, as is having the right solutions in place for reducing fraud. If you think you are saving time and money by relying on ineffective legacy anti-fraud systems, think again.

The best approach, therefore, is to stay ahead of the regulations with advanced solutions that are already available today. Why wait until the last minute to meet a regulatory implementation deadline when you can begin the process now? Doing so can smooth payment and transaction flows long before regulators enforce financial penalties for non-compliance.

The most effective means of staying well ahead of existing requirements and any potential future legislation is a fraud solution powered by machine learning models that continuously authenticates every user in real time. Humans can be distinguished from bots, and good actors from bad, while digital fingerprints (device and network setups) are analysed automatically alongside behavioural biometrics to understand the true intentions of every user behind the scenes. All this while cutting back on manual processes and unnecessary financial penalties.

If you want to learn how to protect your business and stay compliant, please contact us.