Question ID:
2018_4383
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
Paragraph:
1
Subparagraph:
b
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
17
Disclose name of institution / entity:
No
Type of submitter:
Credit institution
Subject Matter:
Exemption of secure corporate payment processes and protocols
Question:

Is the exemption from applying strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, applicable to both payment initiation and account information services? Or is it solely applicable to payment initiation services?

Background on the question:

The text “dedicated payment process or protocols” could be understood as making reference solely to payment processes, also known as payment initiations, and would thereby exclude account information processes from benefiting from the exemption from strong customer authentication under the conditions expressed in Article 17 of the RTS.

If the exemption is only applicable to payment initiation, consider the case where our company has an encrypted leased line or VPN tunnel with our client, establishing a secure communication between our companies in which both parties are completely identified, and where the customer’s accounting system uses APIs to communicate directly with our core banking system and is able, among other functions, to initiate payments and request account information such as balances and transactions on accounts, which we also make available on our online banking system in case the primary connection breaks down.

We would be able to exempt from secure customer authentication the payment initiation performed by our client’s system for instance when he pays his employees. We would however be forced to require secure customer authentication for that same system to request and download the account statement when it performs the reconciliation of these same accounts.

Date of submission:
21/11/2018
Published as Final Q&A:
26/02/2021
EBA Answer:

Article 17 of the Commission Delegated Regulation (EU) 2018/389 states that payment service providers may decide not to apply strong customer authentication (SCA) “in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers”, provided competent authorities are satisfied that the levels of security are equivalent to those provided for by Directive 2015/2366/EU (PSD2). This exemption applies solely to payment initiation, given that it refers to “legal persons initiating electronic payment transactions”; it does not apply to account information.

Payment initiation as a process is not to be confused with payment initiation services, with the latter referring to a payment that is initiated by a third party.

Status:
Final Q&A