Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Q1. Do you have any comments on the proposal to introduce a new mandatory exemption for the case when the information is accessed through an AISP and the proposed amendments to Article 10 exemption?
While we generally understand the rationale behind the proposed mandatory exemption, it is worth noting that the proposed change will no longer allow the ASPSP to choose its risk appetite with regard to how often SCA is requested. The increase from 90 to 180 days between each SCA could increase the potential risk that the ASPSP is considered liable for. The EBA should therefore monitor the proposed exemption closely.
As such, if the ASPSP is currently requesting SCA more often than every 90 days, by design as a risk-mitigating factor, the ASPSP may want to consider revisiting whether the other risk-mitigating factors (such as the monitoring mechanisms) currently in place should be tightened, e.g., if it will lead to more fraud or data breaches.
According to the proposed article 10a (3): “payment service providers shall be allowed to apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider and the payment service provider has objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account.”
However, the Consultation Paper does not give much guidance as to what could be “objectively justified and duly evidenced reasons” other than what is stated in section 32 of the CP. More guidance would be appreciated in order to ensure consistent application of the exemption.
We also stress that we agree that the exemption for direct access by the customer (article 10) should remain voluntary, as each ASPSP should be allowed to choose how to communicate with their customers.