Should non-payment accounts be listed as trusted beneficiaries where they are exempted from Strong Customer Authentication (SCA) as Beneficiaries of a Payment Transaction?
Many Account Information Service Providers (AISPs) are providing specific Payment Initiation Services (PIS) for Personal Finance Management use cases and obtained their PIS license specially to be able to maintain their services. One of their service main functionality is allowing the PSU to transfer funds from his Payment Account to his Non-Payment Accounts (such as Savings).
In answer to Third Party Provider (TPP) information requests, most of Credit Institutions confirm that their dedicated interfaces are supporting Payment Initiation from a Payment Account to an Internal Non-Payment Account which seems compliant with Regulation and with Paragraph 45 of EBA Opinion on RTS on SCA and CSC.
On the other hand, most of them consider that those Non-Payment Accounts are not in the scope of Trusted Beneficiaries although they are exempted from Strong Customer Authentication.
Where a list of Internal Accounts is made available to the Payment Service User (PSU) in his Direct Access Interface as Beneficiaries, the information of these beneficiaries shall be available in the Dedicated Interface, otherwise TPP have no possibility to identify these accounts as Beneficiaries in the PIS context.
Article 13 of the Commission Delegated Regulation (EU) 2018/389 does not specify the type of payees that can be included in the list of trusted beneficiaries. This means that there are no restrictions on the type of accounts that can be included in the list of trusted beneficiaries, provided that they allow the receipt of payment transactions.
In relation to the above, non-payment accounts can be included in the list of trusted beneficiaries under Article 13 of the Delegated Regulation.
In the specific case where the payer initiates a payment from his payment account to another non-payment accounts held within the same payment service provider (PSP), the PSP may also apply the exemption under Article 15 of the Delegated Regulation.
Q&A 2018_4128 clarified that “as it is ultimately the ASPSP (account servicing payment service provider) that applies strong customer authentication (SCA) or decides whether or not to apply an exemption, including the exemption on trusted beneficiaries as stated in Article 13 of the Commission Delegated Regulation (EU) 2018/389, the information as to whether or not a payee is on the list of trusted beneficiaries is not necessary for the provision of the PIS (payment initiation service). This may be different if the ASPSP and the PISP (payment initiation service provider) agree that SCA is performed by the PISP and if it is agreed that the PISP is allowed to apply the exemption in Article 13.
Finally, ASPSPs do not have an obligation to provide to account information service providers or PISPs a list of the non-payment accounts of the payment service user, because the requirements of Directive 2015/2366/EU (PSD2) on access to accounts data apply only to payment accounts.