Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Question ID:

2018_4120

Legal Act:

Directive 2015/2366/EU (PSD2)

Topic:

Strong customer authentication and common and secure communication (incl. access)

Article:

Paragraph:

Subparagraph:

(b)

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:

Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Article/Paragraph:

Disclose name of institution / entity:

Yes

Name of institution / submitter:

European Association of Co-operative Banks

Country of incorporation / residence:

Belgium

Type of submitter:

Industry association

Subject Matter:

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Question:

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

Background on the question:

Article 13 of the RTS on strong customer authentication and common secure communication creates an exemption from strong customer authentication based on the list of trusted beneficiaries.

Date of submission:

16/07/2018

Published as Final Q&A:

21/12/2018

EBA Answer:

In accordance with Article 13(1) of the Commission Delegated Regulation (EU) 2018/389, "payment service providers shall apply strong customer authentication (SCA) where a payer creates or amends a list of trusted beneficiaries through the payer’s account servicing payment service provider."

Accordingly, for lists of trusted beneficiaries that already existed before the application of the Delegated Regulation (and have been developed in the same context as an exemption to the requirement to use SCA under the general authentication requirements in Article 2 of the Delegated Regulation), SCA should be required only when there is an amendment to this list. The payment service user would not need to re-create that list.

Status:

Final Q&A