Question ID:
2020_5115
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
13
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Token.io
Country of incorporation / residence:
United Kingdom
Type of submitter:
Other
Subject Matter:
Using Trusted Beneficiary Lists to Auto Reject PISP Transactions
Question:

Is an Account Servicing Payment Service Provider (ASPSP) able to block a Payment Initiation Services Provider (PISP) transaction before attempting Strong Customer Authentication (SCA) if the beneficiary account does not appear in the Payment Services User (PSU)'s regular payee list/trusted beneficiary list?

Background on the question:

Article 13 of the RTS introduced "Trusted beneficiaries" where an ASPSP could optionally choose to provide an exemption from the application of SCA where the PSU had securely added the beneficiary account to a trusted beneficiary list. This could potentially provide an improved user experience on what would be a lower risk transaction.

The response to EBA Q&A 2018_4076 "Strong customer authentication and secure communication (incl. access) clarified that, "creation or amendment of such a list through the services of a PISP or an Account Information Service Provider (AISP) is not possible".

Unfortunately some ASPSPs have interpreted the guidance to mean that they have the legal right to block access to any PISP transaction where the beneficiary account does not appear in the trusted beneficiary list without applying SCA. This is done on the basis that through the ASPSP in question's online interface a PSU must add all beneficiary accounts to their trusted beneficiary account as part of the payment process.

As a PISP (or AISP) does not have write access to the trusted beneficiary list, Third Party Providers (TPPs) are not able to create an equivalent level of payment service as offered through the banks own interface, severely limiting innovation which would appear to be against the spirit of the PSD2 legislation.

Date of submission:
10/02/2020
Published as Final Q&A:
15/01/2021
EBA Answer:

Article 68(5) of Directive 2015/2366/EU (PSD2) prescribes that “an account servicing payment service provider may deny an account information service provider or a payment initiation service provider access to a payment account for objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account by that account information service provider or that payment initiation service provider, including the unauthorised or fraudulent initiation of a payment transaction.”

The fact that the payee is not included in a list of trusted beneficiaries under Article 13 of the Commission Delegated Regulation (EU) 2018/389 does not constitute such a reason and therefore account servicing payment service providers should not deny access to payment accounts to payment initiation service providers on that basis.

Article 13 of the Delegated Regulation specifies the requirements for the creation and amendment of lists of trusted beneficiaries and introduces an optional exemption from the application of strong customer authentication for payment transactions where the payee is included in a list of trusted beneficiaries. Article 13 does not introduce requirements related to the access to payment accounts data.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Image CAPTCHA