Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Subject Matter:
Perform SCA by reusing an element used in an authentication exempted from SCA

When an element is used to access the payment account online, in the case the Payment Service Provider (PSP) is allowed not to apply Strong Customer Authentication (SCA) (only applying a single-factor authentication: login + password), is it possible to reuse this element to perform SCA to authenticate a transaction?

Background on the question:

Considering the following:

Suppose that a Payment Service User (PSU) wants to access his payment account online. In compliance with RTS Art. 10 and supposing that less than 90 days have elapsed since the last time SCA was applied, the PSU accesses his payment account online with a single-factor authentication (login + password: knowledge). Once the PSU has accessed his payment account online and within the same session, the PSU wants to authenticate a transaction (requiring SCA). In this case, is it possible to reuse within the same session the element used to access the payment account online (knowledge) and add a second element (possession with dynamic linking) at the time the transaction is initiated to perform SCA?

Date of submission:
Published as Final Q&A:
EBA Answer:

EBA Q&A 2018_4141 clarified that “the Commission Delegated Regulation does not prescribe a time limit for the provision of the two authentication elements necessary for SCA (Strong Customer Authentication) while within a session. When initiating a payment, SCA may therefore be performed when one of the elements used at the time the customer accessed its payment account online (including via a mobile app) is reused in compliance with Article 4, and the other element of SCA is carried out at the time the payment is initiated, provided that the dynamic linking element required under Article 97(2) PSD2 and detailed under Article 5 of the Delegated Regulation is present and linked to that latter element”.

Q&A 2018_4141 does not exclude the possibility for payment service providers to make use of the exemption from the application of SCA to payment account information under Article 10 of the Commission Delegated Regulation (EU) 2018/389.

Following the above, it is possible for payment service providers to reuse an element used for accessing payment accounts online under the exemption under Article 10 of the Delegated Regulation when initiating a remote electronic payment transaction within the same session, provided that the conditions set in Q&A 2018_4141 are met.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.