Question ID
2018_4065
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
Paragraph
1
Subparagraph
a
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Article 4(3)(d)
Type of submitter
Credit institution
Subject matter
Accessing payment account online in web browser shall exceed not 5 minutes without acitvity
Question

Is it necessary to stop the complete web session or would it be enough to deactivate the relevant items of PSD2 and to reduce the display to the available balance so trading functionality in the same session can stay available?

Background on the question
To be able to trade online securities the user have to know about the balance of his account, so he can decide whether or not he will trade. For this process the user uses a web api, that will stay online for more than five minutes t be able to trade direct without delay by an new authentication. It is our understanding of RTS Article 4 (3) d), that given authentication runs off, if user has no activity by online access to his payment accounts. After that the authentication has to be renewed. In browser-based application this means, that the affected functionalities should be deactivated. The session has expired and for further actions a newauthentication is required. The fixed time is impractical in our opinion. The actual available funds on payment account are constantly displayed in browser-based trading-application. The related payment account belongs to the securities account of the user. The payment account is used for clearing transactions on the security account (referring to Question 2018-4023). The user observes trends of securities and wants to be able to act without hesitation in our browser based application. Observing trends of securities often needs more time than five minutes. So we want to avoid, that the user has to renew his authentication for online access to his payment account, when he wants to check his funds for placing an order. The payment account restricts outgoing funds only to trusted beneficiaries. Primarily the online application offers trading functionalities, payment transaction are not in front. So we think that it is acceptable to grant access to the available funds on the payment account without restrictions invoked by five minutes inactivity. Accessing remittance form can act in sense of the five-minute-rule an requires authentication after more than five minutes inactivity. Our question refers to customer-convenience and the aim to provide our customers a smart application for trading securities.
Submission date
Final publishing date
Final answer

Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that where Payment Service Providers (PSPs) apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366 “the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes”. Article 10 of the Delegated Regulation states that “Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data: (a) the balance of one or more designated payment accounts; (b) the payment transactions executed in the last 90 days through one or more designated payment accounts.”

Thus, the PSP can apply the exemption from strong customer authentication under Article 10 of the Delegated Regulation where the payment service user (PSU) is limited to accessing the balance of one or more payment accounts, or payment transactions executed in the last 90 days. In such a scenario, the 5-minute inactivity requirement would not apply although, in the context of the management of security risks, PSPs may still wish to consider putting in place an automated “time out” of such a session.

However, if the PSU (i.e. the customer) accesses the payment account online for the first time or more than 90 days have elapsed since strong customer authentication was applied to access information online, the customer would need to strongly authenticate him/herself by the corresponding authentication procedure. In this case, the session must automatically expire after 5 minutes of inactivity.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.