- Question ID
- 2021_6248
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
- 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 10
- Type of submitter
- Competent authority
- Subject matter
- Application of strong customer authentication (SCA) where Account Information Service users access the Account Information Service Providers’ (AISPs) own channels and the previously retrieved payment account information compiled and stored therein
- Question
- Are Account Information Service Providers (AISPs) exempt, in respect of their own channels, from the requirements of Article 97(1) of Directive (EU) 2015/2366 and of Article 10 of Regulation (EU) 2018/389, and therefore allowed:
- to let users of their Account Information Service, access the AISPs’ own channels and the payment account information compiled and stored therein – previously retrieved by AISPs from the users’ respective Account-Servicing Payment Service Providers (ASPSPs) – without applying any strong customer authentication (SCA) upon that access to AISPs’ own channels, irrespective of whether the conditions of Article 10 of Regulation (EU) 2018/389 are satisfied –
- such that AISPs may, in their own channels, allow users of their service to consult, without SCA, previously retrieved payment account information of a broader scope (more than the last 90 days’ worth of data, and potentially the users’ complete transactional history) as compared to the data that ASPSPs may, without SCA, display to the same users in the ASPSPs’ own channels (maximum the last 90 days’ worth of data, and provided that SCA was applied no more than 90 days prior) –
- and such that AISPs, despite being payment services providers (PSPs), need not afford users of their services the same level of protection that ASPSPs are required to, and can expose said users to the risks of abuses referred to in Article 97(1)(c) of Directive 2015/2366?
- Background on the question
- Pursuant to Article 97(1) of Directive (EU) 2015/2366, payment service providers (PSPs) must apply strong customer authentication (SCA) where, inter alia, the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Article 10 of Regulation (EU) 2018/389 allows PSPs not to apply SCA, subject to compliance with the requirements laid down therein, where the payment service user is limited to accessing a limited data set.
Neither Article 97 of Directive (EU) 2015/2366 nor Article 10 of Regulation (EU) 2018/389 restricts its scope of application to ASPSPs; both apply to all PSPs.
The EBA also did refer to PSPs generally when addressing Article 10 of Regulation (EU) 2018/389, stating that: “Consequently for payment transaction history older than 90 days, the exemption to the obligation to apply strong customer authentication under Article 10 of the Delegated Regulation does not apply. For such information, payment service providers should always have to apply strong customer authentication” (Q&A 2018_4177).
Recital 93 of Directive (EU) 2015/2366 states that: “(…) The payment initiation service providers and the account information service providers on the one hand and the account servicing payment service provider on the other, should observe the necessary data protection and security requirements established by, or referred to in, this Directive or included in the regulatory technical standards (…)”. Recital 94 of that Directive also states that: “When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimize threats to data protection”. Recital 95 of that Directive also states that: “(…) All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. (…)”.
The exemptions set out in Chapter III of Regulation (EU) 2018/389, thus including Article 10 of that Regulation, “have been designed and defined on the basis of risk” (EBA Final Report on the draft RTS, p. 67, comment 39), as also recalled in Recital 9 and set out in Article 1(b) of that Regulation, and as required by Article 98(3)(a) of Directive (EU) 2015/2366 which mandates that such exemptions be based on “the level of risk involved in the service provided”.
Article 10 of Regulation (EU) refers to users “accessing (…) items online (…)” and to users having “accessed online the information specified in paragraph 1(b)”; it does not further qualify the access falling within the scope of the provision. Account Information Service users access such information when accessing AISPs’ own channels wherein this information is compiled and stored.
There is no difference in the level of risk associated with accessing payment account information directly from the payment account serviced by ASPSPs and with accessing the transactional history previously retrieved and compiled by the AISPs in their own channels.
Both actions are associated with the same level of risk to users; the provisions mentioned above encompass both actions.
It is irrelevant that the initial access by AISPs to information held by ASPSPs is subject to the application of SCA by ASPSPs themselves. This question pertains to the access, by Account Information Service users, of the previously retrieved account information compiled and stored within the channels of AISPs, which are PSPs.
Accordingly, it should be clarified whether AISPs should, in respect of the access to their own channels by users of their Account Information Services (an action through a remote channel as referred to in Article 97(1)(c) of Directive (EU) 2015/2366), apply SCA or (as the case may be) exempt users therefrom in accordance with the provisions of Article 10 of Regulation (EU) 2018/389.
- Submission date
- Status
- Question under review