Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article 4(3)(d)
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Accessing a payment account online in a web browser shall not exceed 5 minutes without activity

Is it necessary to stop the complete web session, or would it be enough to deactivate the relevant PSD2 items and to reduce the display to the available balance, so that trading functionality in the same session can stay available?

Background on the question:
To be able to trade securities online, the user has to know the balance of his account, so he can decide whether or not he will trade.
For this process the user uses a web API that will stay online for more than five minutes, to be able to trade directly without the delay of a new authentication.
It is our understanding of RTS Article 4(3)(d) that a given authentication expires if the user has no activity during online access to his payment accounts. After that the authentication has to be renewed. In a browser-based application this means that the affected functionalities should be deactivated. The session has expired and for further actions a new authentication is required.
The fixed time is impractical in our opinion.
The actual available funds on the payment account are constantly displayed in the browser-based trading application. The related payment account belongs to the securities account of the user. The payment account is used for clearing transactions on the securities account (referring to Question 2018-4023). The user observes trends of securities and wants to be able to act without hesitation in our browser-based application. Observing trends of securities often needs more time than five minutes. So we want to avoid that the user has to renew his authentication for online access to his payment account when he wants to check his funds for placing an order. The payment account restricts outgoing funds only to trusted beneficiaries. Primarily the online application offers trading functionalities; payment transactions are not in the foreground. So we think that it is acceptable to grant access to the available funds on the payment account without restrictions invoked by five minutes of inactivity. Accessing the remittance form can act in the sense of the five-minute rule and requires authentication after more than five minutes of inactivity.
Our question refers to customer convenience and the aim to provide our customers with a smart application for trading securities.
Date of submission:
Published as Final Q&A:
Final Answer:

Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”. Article 10 of the Delegated Regulation states that “Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data: (a) the balance of one or more designated payment accounts; (b) the payment transactions executed in the last 90 days through one or more designated payment accounts.”

Thus, the PSP can apply the exemption from strong customer authentication under Article 10 of the Delegated Regulation where the payment service user (PSU) is limited to accessing the balance of one or more payment accounts, or payment transactions executed in the last 90 days. In such a scenario, the 5-minute inactivity requirement would not apply although, in the context of the management of security risks, PSPs may still wish to consider putting in place an automated “time out” of such a session.

However, if the PSU (i.e. the customer) accesses the payment account online for the first time or more than 90 days have elapsed since strong customer authentication was applied to access information online, the customer would need to strongly authenticate him/herself by the corresponding authentication procedure. In this case, the session must automatically expire after 5 minutes of inactivity.
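As an added illustration of the rules stated in this answer (example code, not EBA text and not any PSP's implementation), the following Python sketch keeps one PSU session with a sliding 5-minute window for the SCA-protected part and the Article 10 exemption for balance and 90-day transaction views; the action names, the session fields and the "SCA at most 90 days ago" check are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

INACTIVITY_LIMIT = timedelta(minutes=5)  # RTS Art. 4(3)(d): max 5 min without activity
EXEMPTION_WINDOW = timedelta(days=90)    # answer: SCA needed again after more than 90 days

# Items a PSU may access under the Art. 10 exemption (no sensitive payment data).
# Action names are an assumption of this example.
EXEMPT_ACTIONS = {"view_balance", "view_transactions_90d"}


@dataclass
class PaymentSession:
    """Server-side state for one PSU's online access to a payment account."""
    last_sca_at: Optional[datetime] = None     # when SCA was last completed
    sca_expires_at: Optional[datetime] = None  # sliding expiry of the SCA-protected session

    def record_sca(self, now: datetime) -> None:
        """Called after the PSU has strongly authenticated."""
        self.last_sca_at = now
        self.sca_expires_at = now + INACTIVITY_LIMIT

    def authorize(self, action: str, now: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason); the caller triggers SCA when not allowed."""
        if self.last_sca_at is None:
            return False, "sca_required: first online access"
        if action in EXEMPT_ACTIONS:
            # Exempt views survive the 5-minute limit but not the 90-day window.
            if now - self.last_sca_at > EXEMPTION_WINDOW:
                return False, "sca_required: more than 90 days since last SCA"
            return True, "art10_exemption"
        # Anything else (e.g. the remittance form) needs a live SCA session.
        if self.sca_expires_at is None or now > self.sca_expires_at:
            self.sca_expires_at = None  # expired sessions are never revived by later activity
            return False, "sca_required: more than 5 minutes without activity"
        self.sca_expires_at = now + INACTIVITY_LIMIT  # activity extends the window
        return True, "sca_session"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamps
    s = PaymentSession()
    s.record_sca(t0)
    print(s.authorize("remittance_form", t0 + timedelta(minutes=4)))   # allowed
    print(s.authorize("remittance_form", t0 + timedelta(minutes=14)))  # expired
    print(s.authorize("view_balance", t0 + timedelta(minutes=30)))     # still exempt
```

An optional automated time-out for the exempt views, as the answer suggests PSPs may consider, would be a separate limit applied to `view_balance` and `view_transactions_90d` on top of this logic.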

Final Q&A
Answer prepared by:
Answer prepared by the EBA.