- Question ID: 2018_4076
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 13
- Name of institution / submitter: Banque de France
- Country of incorporation / residence: FRANCE
- Type of submitter: Competent authority
- Subject matter: On the access to trusted beneficiaries lists (RTS Art 13) by TPPs in write mode
- Question: Do the TPPs have the right to access trusted beneficiaries lists in write mode?
- Background on the question: Article 13(1) ("1. Payment service providers shall apply strong customer authentication where a payer creates or amends a list of trusted beneficiaries through the payer's account servicing payment service provider.") of the RTS on strong customer authentication and secure communication seems to allow for the creation/amendment of the trusted list managed by ASPSP through TPPs. If this interpretation is correct, we also have differentiated views depending on the type of TPP.
This question is relevant for our national API provider to know if a feature needs to be implemented.
- Submission date
- Final publishing date
-
- Final answer: Article 13(1) of the Commission Delegated Regulation (EU) 2018/389 sets out that a payer can create or amend a list of trusted beneficiaries through its account servicing payment service provider. Therefore, the creation or amendment of such a list through the services of a PISP or an AISP is not possible. A list that is accessible to a PISP or to an AISP in write mode does not fulfill the requirements of the exemption under Article 13(2) of the Delegated Regulation.
In addition, and as stated in the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, June 2018, the payment service provider (PSP) applying SCA is the PSP that issues the personalised security credentials, namely the ASPSP. Consequently, it is also the same provider that decides whether or not to apply an exemption, such as the beneficiary list exemption, and not the AISP or PISP.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.