Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
33 (2)
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Communication plans to inform payment service providers making use of the dedicated interface

Is it sufficient to publish the measures to restore the system and the further descriptions on the website in an area, which is secured by the certificates of the payment service providers?

Background on the question:
ASPSP has to inform payment service providers about unavailability of the dedicated interface.
The link to the secured area on website has to be published in documentation of the dedicated interface. This should lead the payment service providers to observe the website of the ASPSP. This would be the general way to inform payment service provider.
Date of submission:
Published as Final Q&A:
Final Answer:

Article 33(1) and (2) of the Commission Delegated Regulation (EU) 2018/389 refer to the requirement for account servicing payment service providers (ASPSPs) to include, in the design of the dedicated interface, a strategy and contingency measures which include communication plans in the event the dedicated interface was not working - “to inform payment service providers making use of the dedicated interface of measures to restore the system and a description of the immediately available alternative options”. The objective of the requirement is to minimise any disruption to payment service providers (PSPs) using the dedicated interface by informing them of alternative options and measures being taken to restore the functioning of the interface.

Such information should be visible to PSPs using the dedicated interface and easily accessible to them. An area on the website of the ASPSP may be sufficient, provided that it is easy to find and PSPs are duly informed about it, for instance on the ASPSPs’ website or support function, and how it can be accessed (e.g. via an easy perceivable link to the corresponding page on the ASPSP’s webpage or via the documentation of the dedicated interface, provided that this documentation is easy to find). This is without prejudice to the separate requirement under Article 36 (2) of the Delegated Regulation, which requires ASPSPs to send a notification message to the PSP in case of an unexpected event or error occurring during the process of identification, authentication, or the exchange of the data elements.
Final Q&A
Answer prepared by:
Answer prepared by the EBA.