- Question ID: 2020_5516
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 10
- Type of submitter: Other
- Subject matter: Perform SCA by reusing an element used in an authentication exempted from SCA
- Question
When an element is used to access the payment account online, in the case the Payment Service Provider (PSP) is allowed not to apply Strong Customer Authentication (SCA) (only applying a single-factor authentication: login + password), is it possible to reuse this element to perform SCA to authenticate a transaction?
- Background on the question
Considering the following:
- RTS on strong customer authentication and secure communication (RTS on SCA), Article 10: PSPs are allowed not to apply SCA under specific conditions when a PSU accesses his payment account online;
- EBA Opinion on the elements of strong customer authentication under PSD2, EBA-Op-2019-06 - Paragraph 40: the element used to access the payment account online may be reused to perform SCA under specific conditions.

Suppose that a Payment Service User (PSU) wants to access his payment account online. In compliance with RTS Art. 10 and supposing that less than 90 days have elapsed since the last time SCA was applied, the PSU accesses his payment account online with a single-factor authentication (login + password: knowledge). Once the PSU has accessed his payment account online and within the same session, the PSU wants to authenticate a transaction (requiring SCA). In this case, is it possible to reuse within the same session the element used to access the payment account online (knowledge) and add a second element (possession with dynamic linking) at the time the transaction is initiated to perform SCA?
- Submission date
- Final publishing date
- Final answer
EBA Q&A 2018_4141 clarified that “the Commission Delegated Regulation does not prescribe a time limit for the provision of the two authentication elements necessary for SCA (Strong Customer Authentication) while within a session. When initiating a payment, SCA may therefore be performed when one of the elements used at the time the customer accessed its payment account online (including via a mobile app) is reused in compliance with Article 4, and the other element of SCA is carried out at the time the payment is initiated, provided that the dynamic linking element required under Article 97(2) PSD2 and detailed under Article 5 of the Delegated Regulation is present and linked to that latter element”.
Q&A 2018_4141 does not exclude the possibility for payment service providers to make use of the exemption from the application of SCA to payment account information under Article 10 of the Commission Delegated Regulation (EU) 2018/389.
Following the above, it is possible for payment service providers to reuse an element used for accessing payment accounts online under the exemption under Article 10 of the Delegated Regulation when initiating a remote electronic payment transaction within the same session, provided that the conditions set in Q&A 2018_4141 are met.
- Status: Final Q&A
- Answer prepared by: the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.