Danish Fintech Alliance (DAFINA) supports the proposed amendments to the PSD2 RTS on SCA & CSC (Articles 10 and 10a) and especially the introduction of the new mandatory exemption from strong customer authentication (SCA) for the specific use case when payment account access is done through an AISP (Article 10a).
We also support the extension of the SCA renewal timeline from 90-days to 180-days (Articles 10(2)(b) and 10a(2)(b)). However, we suggest that the initial exemption timeline (Articles 10(1)(b) and 10a(1)(b)) is also amended from 90-days to 180-days so that the two timelines still mirror each other and so that the initial exemption timeline allows for not only a modest preview of the payment service user’s recent payment transactions but for a real useful view of the payment service user’s payments transactions (in reality, 90 days is too short a period in most AISP cases to rely on and to present to the payment service user the AISP solution as an useful, innovative and effective solution in practice).
We also suggest that the payment service provider in all derogation cases (Article 10a(3)) must report to its competent national authority the reasons for applying SCA, and not only do this upon request. This to protect the AISP from the payment services provider’s potential misuse of this exemption to the new mandatory SCA exemption. Such an approach would also be in line with the approach set out in the RTS when it comes to reporting to the competent national authority of any problem with the payment service provider’s dedicated API and the API fallback exemption etc. (Article 33). In any case, it is unclear who should request (the AISP or the competent national authority?) that the payment service provider shall document and duly justify the reasons for still applying SCA.