Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
Article 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Subject Matter:
Delegation of 2-Factor Authentication (2FA) to PISP, AISP or other third party

Where a Payment Service Provider (PSP) is providing financial services via a third party application - either through a Payment Initiation Services Provider (PISP), Account Information Service Provider (AISP) or by providing embedded financial products or banking as a service solutions (i.e. financial services via an Application Programming Interface (API)) - is it permitted for the PSP to delegate the application of 2-Factor Authentication (2FA) to the third party?

Background on the question:

Directive 2015/2366/EU (PSD2) Article 97, Paragraph 5 states: ‘Member States shall ensure that the account servicing payment service provider allows the payment initiation service provider and the account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with paragraphs 1 and 3 and, where the payment initiation service provider is involved, in accordance with paragraphs 1, 2 and 3.’

While the PSP may allow the PISP, AISP or other to use their authentication procedures, the PSP, AISP or other may desire to use their own procedures.

There are many third party applications that run 2FA through third parties such as Firebase (Google), for example.

Is it sufficient for a PSP to be reliant on the third party application applying this outsourced 2FA in the provision of the underlying financial service?

Date of submission:
Published as Final Q&A:
Final Answer:

Article 97(5) of Directive 2015/2366/EU (PSD2) prescribes that account servicing payment service providers (ASPSPs) shall allow payment initiation service providers (PISPs) and account information service providers (AISPs) to rely on the authentication procedures provided by the ASPSP to the payment service user (PSU).

Articles 66(3) and 67(2) of PSD2 state that the personalised security credentials (PSC) are accessible to AISPs and PISPs.

In addition, Recital 30 of PSD2 states that ‘the personalised security credentials used for secure customer authentication by the payment service user or by the payment initiation service provider are usually those issued by the account servicing payment service providers’.

In relation to the above, paragraph 38 of the EBA Opinion on the implementation of the RTS on SCA&CSC (EBA-Op-2018-04) clarified that the above PSD2 requirements are to be read in conjunction with one another, which means that the payment service provider (PSP) applying strong customer authentication (SCA) is the PSP that issues the PSC. This paragraph also clarified that the ASPSP may, however, choose to contract with other providers such as wallet providers or PISPs and AISPs for them to conduct SCA on the ASPSP’s behalf and determine the liability.

Q&A 2018_4047, Q&A 2019_4651 and Q&A 2019_4937 further clarified different aspects of delegation of SCA, including that PSPs may (i) use third party technology, such as a smartphone fingerprint reader, to support SCA and to ensure they fulfill all the security measures established in the Commission Delegated Regulation (EU) 2018/389 or (ii) outsource the execution of SCA to a third party in compliance with the general requirements on outsourcing, including the requirements in the EBA Guidelines on Outsourcing arrangements (EBA/GL/2019/02).

In relation to the above, the application of SCA can be delegated to AISPs, PISPs or other third parties, provided that the ASPSP complies with the applicable legal requirements cited above.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.