Revised RTS on SCA & CSC under PSD2
On 5 April 2022, the European Banking Authority (EBA) published draft amending Regulatory Technical Standards (RTS) in view of updating the current RTS on strong customer authentication and common and secure communications under PSD2 (which can be found in Commission Delegated Regulation (EU) 2018/389). In this blog post, we will take a closer look at the draft amending RTS by outlining the background of the proposed amendments, as well as their implications.
Current situation regarding access to payment account information
According to Art. 97 PSD2, payment service providers (PSPs) must perform strong customer authentication (SCA) each time a payment service user (PSU) accesses his payment account online directly or via an account information service provider (AISP).
By way of derogation from this requirement, the current RTS on strong customer authentication and common and secure communication exempt PSPs from performing SCA, provided that:
- access is limited only to the balance of the account and/or the recent transaction history,
- no sensitive payment data are disclosed, and
- SCA is applied when the information is accessed for the first time and at least every 90 days after that.
This exemption was introduced by the EBA when drafting the RTS in 2016 because, without it, SCA for each individual access would have undermined the economic viability of account information service providers (AISPs), which PSD2 was explicitly intended to promote.
This exception, like all other exceptions to SCA in the technical standards, has been interpreted by the EBA as voluntary.
Downsides of the current situation
Account servicing payment service providers (ASPSPs) are allowed, but not obliged, to use the exemption and at any time can choose to apply SCA to the actions falling within the scope of the exemption.
The experience acquired in the application of the RTS has shown that the voluntary nature of this exemption has led to very divergent practices in its application:
- some ASPSPs request SCA every 90 days,
- others at shorter time intervals,
- while a third group of ASPSPs have not applied the exemption at all and request SCA for every account access.
The inconsistent application of the exemption and the frequent application of SCA have led to undesirable frictions for customers (e.g., multiple SCA at different points in time) and to a negative impact on AISPs’ services (e.g., personal finance management services and cloud accounting services).
Consultation paper
In order to ensure that a proper balance is achieved between the PSD2 objectives of enhancing security, facilitating innovation and enhancing competition in the EU, the EBA saw the need to bring further harmonisation to the application of this exemption when access to the account information is through an AISP, and proposed a targeted amendment to the current RTS in its consultation paper (CP) of October 2021.
The main proposed amendments can be summarized as follows:
- introduce a new mandatory exemption to SCA, for the specific case when access is through an AISP and only if certain conditions are met (see below),
- limit the scope of the voluntary exemption to instances where the customer accesses the account information directly; and
- extend the timeline for the renewal of SCA from every 90 days to every 180 days, both when the information is accessed through an AISP or directly by the customer.
The EBA received more than 1,200 responses to the CP from a wide range of stakeholders.
Main concerns
The main concerns raised by respondents to the CP related to (i) the impact on the security of customers’ data and funds, (ii) the renewal frequency of SCA and (iii) the implementation and transition periods.
Mandatory exemption
The new mandatory exemption to SCA applies in the specific case when access is through an AISP, and only if:
- the access is limited to either or both of the following items online: the balance of one or more designated payment accounts and the payment transactions executed in the last 90 days through one or more designated payment accounts,
- there is no disclosure of sensitive payment data,
- SCA has been applied to the first online access through the AISP,
- less than 180 days have elapsed since the last online access through the AISP, and
- no reasons relating to unauthorised or fraudulent access to payment account have been objectively justified and duly evidenced by a PSP.
Voluntary exemption
The voluntary exemption to SCA is limited to instances where the customer accesses the account information directly and may be applied if:
- the access is limited to either or both of the following items online: the balance of one or more designated payment accounts and the payment transactions executed in the last 90 days through one or more designated payment accounts,
- there is no disclosure of sensitive payment data,
- SCA has been applied to the first online access by the PSU, and
- less than 180 days have elapsed since the last online access by the PSU.
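The two exemption tests above are, from an ASPSP's point of view, an authorisation decision taken on every account-information request. The following decision function is an added illustration written for this post, not text from the EBA or the draft RTS; the request fields and function names are assumptions, and it encodes the draft conditions literally (90-day transaction window, 180-day renewal, no sensitive data, SCA on first access, and the evidenced-fraud override that exists only for AISP access).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

RENEWAL_WINDOW = timedelta(days=180)  # proposed SCA renewal period (currently 90 days)
HISTORY_WINDOW = timedelta(days=90)   # transaction history covered by the exemption
EXEMPT_SCOPES = frozenset({"balance", "transactions"})

@dataclass(frozen=True)
class AccessRequest:                   # hypothetical request model for illustration
    via_aisp: bool                     # True: through an AISP; False: the PSU accesses directly
    scopes: FrozenSet[str]             # data items requested, e.g. {"balance", "transactions"}
    history_from: Optional[datetime]   # earliest transaction date requested (None: no history)
    discloses_sensitive_data: bool
    first_sca_at: Optional[datetime]   # when SCA was applied to the first online access (None: never)
    last_access_at: Optional[datetime] # last online access through this channel (None: never)
    fraud_evidenced: bool              # unauthorised/fraudulent access objectively justified and evidenced

def in_exemption_scope(req: AccessRequest, now: datetime) -> bool:
    """Conditions common to both exemptions: scope, sensitive data, first SCA, 180-day renewal."""
    if not req.scopes <= EXEMPT_SCOPES:
        return False                  # anything beyond balance/transactions needs SCA
    if "transactions" in req.scopes:
        if req.history_from is None or req.history_from < now - HISTORY_WINDOW:
            return False              # unbounded or older-than-90-days history is out of scope
    if req.discloses_sensitive_data:
        return False
    if req.first_sca_at is None:
        return False                  # SCA must have been applied to the first online access
    if req.last_access_at is None or now - req.last_access_at >= RENEWAL_WINDOW:
        return False                  # 180 days or more since last access: renewal of SCA is due
    return True

def sca_decision(req: AccessRequest, now: datetime, aspsp_applies_voluntary_exemption: bool) -> str:
    """Return 'sca_required', 'exempt_mandatory' or 'exempt_voluntary' for one access request."""
    if not in_exemption_scope(req, now):
        return "sca_required"
    if req.via_aisp:
        # Mandatory exemption: the ASPSP may only fall back to SCA on an evidenced fraud reason.
        return "sca_required" if req.fraud_evidenced else "exempt_mandatory"
    # Direct PSU access: the exemption stays at the ASPSP's discretion.
    return "exempt_voluntary" if aspsp_applies_voluntary_exemption else "sca_required"
```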
New timelines
The timeline for ASPSPs to make available to AISPs the changes to their interfaces has been extended from 1 month to 2 months before the implementation of these changes.
Furthermore, the overall implementation period was extended from 6 months to 7 months after the publication of the amending RTS in the Official Journal of the EU.
Endorsement and entry into force
The draft amending RTS of the EBA will be submitted to the Commission for endorsement (Commission Delegated Regulation), subject to scrutiny by the European Parliament and the Council before publication. They will apply 7 months after their entry into force.
Cover picture: Copyright © Adobe Stock/Looker_Studio