Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Name of institution / submitter:
Banque de France
Country of incorporation / residence:
Type of submitter:
Competent authority
Subject Matter:
On the access to trusted beneficiaries lists (RTS Art 13) by TPPs in write mode

Do the TPPs have the right to access trusted beneficiaries lists in write mode?

Background on the question:

Article 13(1) ("1.Payment service providers shall apply strong customer authentication where a payer creates or amends a list of trusted beneficiaries through the payer's account servicing payment service provider.") of the RTS on strong customer authentication and secure communication seems to allow for the creation/amendment of the trusted list managed by ASPSP through TPPs. If this interpretation is correct, we also have differentiated views depending on the type of TPP.

This question is relevant for our national API provider to know if a feature needs to be implemented.

Date of submission:
Published as Final Q&A:
Final Answer:

Article 13(1) of the Commission Delegated Regulation (EU) 2018/389, sets out that a payer can create or amend a list of trusted beneficiaries through its account servicing payment service provider. Therefore, the creation or amendment of such a list through the services of a PISP or an AISP is not possible. A list that is accessible to a PISP or to an AISP in write mode does not fulfill the requirements of the exemption under Article 13(2) of the Delegated Regulation.

In addition, and as stated in the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, June 2018, the payment service provider (PSP) applying SCA is the PSP that issues the personalised security credentials, namely the ASPSP. Consequently, it is also the same provider that decides whether or not to apply an exemption, such as the beneficiary list exemption, and not the AISP or PISP.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.