The European Bank defines Transaction Risk analysis as the following:
In the case of real-time transaction risk analysis that categorise a payment transaction as low risk, it is also appropriate to introduce an exemption for the payment service provider that intends not to apply strong customer authentication through the adoption of effective and risk-based requirements which ensure the safety of the payment service user's funds and personal data.
The European Banking Authority has tried to take into consideration the tools that are available to PSPs, acquirers, merchants and other participants in payments processing to avoid high-friction verification for transactions of low risk. Machine Learning tools are quite effective at performing connection analysis on a large volume of data in real-time, so why not put it to use in easing the transaction flow, where possible?
The TRA exemption is interesting for issuers because its availability is dependent upon the issuer’s ability to manage its CNP fraud using measures short of SCA. It’s also interesting for merchants, because the European Bank regulations allow for “outsourcing” of transaction risk analysis monitoring to a given merchant. The European Banking Authority stated that it would
...allow only certain predefined merchants to benefit from that PSP’s exemption (based on a contractually agreed low fraud rate), the fraud rate making a given PSP eligible for an exemption under Article 18 would still need to be calculated on the basis of the payee PSP’s executed or acquired transactions, rather than on the merchant’s transactions.
So TRA is a tool that is available to acquirers and issuers, but it can also be contractually outsourced to merchants and gateways.