2020_5650 Requirements towards SCA if association is done based on phone call

Question ID: 2020_5650
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 24 (2) (b)
Type of submitter: Other
Subject matter: Requirements towards SCA if association is done based on phone call
Question: Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when customer is served using telephone call? Or is the only possibility to associate authentication credentials with the customer not having active credentials at hand, only possible having customer present?
Background on the question: Article 24 paragraph 2 b of the RTS on SCA "the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication".
During the pandemics there is a high demand for the services not requiring to meet in presence.
Submission date: 09/12/2020
Final publishing date: 24/09/2021
Final answer: In accordance with Article 97(1)(c) of Directive 2015/2366/EU (PSD2), payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer ‘carries out any action through a remote channel which may imply a risk of payment fraud or other abuses’.

Article 4(30) of PSD2 defines strong customer authentication as ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.

In accordance with Article 24(2) of the Commission Delegated Regulation (EU) 2018/389, in order to ensure that only the payment service user (PSU) is associated, in a secure manner, with the personalised security credentials (PSC), the authentication devices and the software, PSPs shall ensure that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’

Accordingly, the association of the PSU with the PSC can be done remotely by applying SCA. A telephone call does not, for approaches currently observed in the market, ensure the application of a valid SCA in accordance with PSD2 and the Delegated Regulation.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer