EBA publishes final Report on the amendment of its technical standards on the exemption to strong customer authentication for account access

The European Banking Authority (EBA) published today its final Report on the amendment of its Regulatory technical standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2). The changes introduce a new mandatory exemption to SCA that will require account providers not to apply SCA when customers use an account information service provider (AISP) to access their payment account information, provided certain conditions are met. The amendment aims to reduce frictions for customers using such services and to mitigate the impact that the frequent application of SCA and the inconsistent application of the current exemption have on AISPs’ services.

Following a public consultation that has attracted more than 1,200 responses, as well as an extensive analysis of such feedback, the EBA has introduced some changes to the draft amending RTS, while retaining the mandatory exemption and the extension of the frequency for the renewal of SCA from every 90 days to every 180 days proposed in the Consultation Paper.

These amendments are those that the EBA is legally in a position to make to address the issues identified. Other mitigations to address these issues are conceivable but would require changes to the Directive itself, which is beyond the EBA’s powers.

The amendments to the RTS are envisaged to apply 7 months after the publication of the amending RTS in the Official Journal of the EU.

Legal basis and background

• In fulfilment of the mandate in Article 98(1) of the PSD2, the EBA has developed the RTS on SCA&CSC which specify the requirements of SCA and the exemptions to SCA. The RTS were submitted to the European Commission (EC) in January 2017 and apply as of 14 September 2019.
• The EBA has developed these draft amending RTS in accordance with Article 98(5) of the PSD2, which provides that the EBA shall review and, if appropriate, update the RTS on SCA&CSC on a regular basis in order, inter alia, to take account of innovation and technological developments, and also in accordance with Article 8(1)(ka) of the EBA Founding Regulation, which provides that the EBA shall publish on its website, and update regularly, all its regulatory technical standards.