Do the TPPs have the right to access trusted beneficiaries lists in write mode?
Article 13(1) ("1.Payment service providers shall apply strong customer authentication where a payer creates or amends a list of trusted beneficiaries through the payer's account servicing payment service provider.") of the RTS on strong customer authentication and secure communication seems to allow for the creation/amendment of the trusted list managed by ASPSP through TPPs. If this interpretation is correct, we also have differentiated views depending on the type of TPP.
This question is relevant for our national API provider to know if a feature needs to be implemented.
Article 13(1) of the Commission Delegated Regulation (EU) 2018/389, sets out that a payer can create or amend a list of trusted beneficiaries through its account servicing payment service provider. Therefore, the creation or amendment of such a list through the services of a PISP or an AISP is not possible. A list that is accessible to a PISP or to an AISP in write mode does not fulfill the requirements of the exemption under Article 13(2) of the Delegated Regulation.
In addition, and as stated in the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, June 2018, the payment service provider (PSP) applying SCA is the PSP that issues the personalised security credentials, namely the ASPSP. Consequently, it is also the same provider that decides whether or not to apply an exemption, such as the beneficiary list exemption, and not the AISP or PISP.