2019_4450 Potential inconsistency on the application of Strong Customer Authentication exemptions to AISPs

Question ID: 2019_4450
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 10 and 36(5)
Type of submitter: Consultancy firm
Subject matter: Potential inconsistency on the application of Strong Customer Authentication exemptions to AISPs

Question

Shall Account Servicing Payment Service Providers (ASPSPs) always grant Account Information Service Providers (AISPs) to be exempted from Strong Customer Authentication (SCA) according to rules defined in Article 10 of the RTS on strong customer authentication and secure communication (Delegated Regulation (EU) 2018/389), or is the final decision to apply such exemption always up to the ASPSP?

Background on the question

There is a seeming inconsistency between the RTS on strong customer authentication (SCA) and secure communication (CSC) (Delegated Regulation (EU) 2018/389), the EBA opinion on the application of the RTS on SCA and CSC (EBA-Op-2018-04), and the Q&A answer EBA Q&A 2018_4089.

1. Article 10 of the RTS on strong customer authentication and secure communication states:
"(Payment Services Providers) PSPs shall be allowed not to apply SCA, (...), where a (Payment Services User) PSU is limited to accessing either or both of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts."

Article 36(5) of the RTS on SCA and CSC states:
“Account information service providers shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service in either of the following circumstances:
(a) whenever the payment service user is actively requesting such information;
(b) where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user's consent.”

COMMENT: The above articles seem to entail that the SCA exemption under Article 10 of the RTS shall be applied mandatorily by the ASPSP whenever an Account Information Service Provider (AISP) is requesting it, otherwise it would not be possible for AISPs to exercise their right to perform automated AIS accesses without the PSU ex art. 36(5).

2. EBA Opinion on the implementation of the RTS on SCA and CSC, EBA-Op-2018-04, paragraph 38, states: “…the PSP applying SCA is the PSP that issues the personalised security credentials [i.e. the ASPSP]. It is consequently also the same provider that decides whether or not to apply an exemption in the context of AIS and PIS.”

EBA Opinion EBA-Op-2018-04, paragraph 39, states: “…only the ASPSP can apply SCA or decide whether or not an exemption applies to a PSU’s payment account in the context of AIS and PIS.”

COMMENT: EBA Opinion EBA-Op-2018-04 states that all exemptions - thus including Article 10 of the RTS - are applicable in a fully discretionary way by the ASPSP. Therefore, an ASPSP may decide to never apply the exemption ex art. 10 to the AIS services, or to apply such exemption only when the PSU is accessing through the ASPSP direct channels (e.g. Internet Banking) and to avoid applying it when the PSU accesses through an AISP, i.e. to apply it in a discriminatory way versus Third Party Providers (TPPs). It seems that the statements included in the EBA Opinion EBA-Op-2018-04, paragraphs 38 and 39, if not mitigated, are at odds with a key objective of the PSD2, i.e. to create a "level playfield" between ASPSPs and TPPs. Furthermore, there is a significant contradiction with respect to Article 36(5) of the RTS.

3. Q&A Tool / EBA Q&A 2018_4089: “PSD2 does not distinguish between payment transactions that may have been made using a payment initiation service provider or not. Similarly the Commission Delegated Regulation (EU) 2018/389 does not distinguish whether a payment transaction has been made using a payment initiation service provider or not for the purpose of applying an exemption.”

COMMENT: In this EBA Answer a further different notion is affirmed both with respect to Article 36(5) of the RTS, and in relation to paragraphs 38 and 39 in this EBA Opinion: i.e. for the purpose of applying the SCA exemptions, the input channel of the payment request (bank's own channel or TPP channel) is not relevant.

The EBA answer 2018_4089 is explicitly referred to exemptions related to PIS requests (RTS art. 11 to 18), however, by applying the same concept to the exemption for AIS requests pursuant to art. 10, it could be deduced that "it is the ASPSP that always decides whether or not to apply an exemption, provided that the same exemption is applied regardless of the channel from where the request is coming (own channel or XS2A)".

The above rule would not be discriminatory against TPPs (like the one described in paragraphs 38 and 39 of the EBA opinion EBA-Op-2018-04), but it is still at odds with Article 36(5) of the RTS.

Submission date: 04/01/2019
Rejected publishing date: 11/02/2022

Rationale for rejection

Please note that as part of adjustments to the Single Rulebook Q&A process, agreed by the EBA and the European Commission, it has been decided to reject outstanding questions submitted before 1 January 2020, when the Q&A process was updated as part of the last ESAs Review. In particular, the question that you have submitted has now regrettably been rejected and will not be addressed.

If you believe your question would still benefit from clarification, you are invited to resubmit your question, adapting it to reflect any legislative, regulatory or other relevant developments that may have occurred since the initial date of submission. The EBA will aim to address resubmitted questions as a matter of priority. When considering to resubmit, you are kindly requested to observe the updated admissibility criteria agreed in the context of the adjustment of the Q&A process, available in the Additional background and guidance for asking questions. We hope for your understanding.

For further information please refer to the press release and the updated Q&A page.

Status: Rejected question
