2020_5650 Requirements towards SCA if association is done based on phone call

Question ID:

2020_5650

Legal Act:

Directive 2015/2366/EU (PSD2)

Topic:

Strong customer authentication and common and secure communication (incl. access)

Article:

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:

Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Article/Paragraph:

24 (2) (b)

Disclose name of institution / entity:

Type of submitter:

Other

Subject Matter:

Requirements towards SCA if association is done based on phone call

Question:

Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when customer is served using telephone call? Or is the only possibility to associate authentication credentials with the customer not having active credentials at hand, only possible having customer present?

Background on the question:

Article 24 paragraph 2 b of the RTS on SCA "the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication".

During the pandemics there is a high demand for the services not requiring to meet in presence.

Date of submission:

09/12/2020

Published as Final Q&A:

24/09/2021

Final Answer:

In accordance with Article 97(1)(c) of Directive 2015/2366/EU (PSD2), payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer ‘carries out any action through a remote channel which may imply a risk of payment fraud or other abuses’.

Article 4(30) of PSD2 defines strong customer authentication as ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.

In accordance with Article 24(2) of the Commission Delegated Regulation (EU) 2018/389, in order to ensure that only the payment service user (PSU) is associated, in a secure manner, with the personalised security credentials (PSC), the authentication devices and the software, PSPs shall ensure that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’

Accordingly, the association of the PSU with the PSC can be done remotely by applying SCA. A telephone call does not, for approaches currently observed in the market, ensure the application of a valid SCA in accordance with PSD2 and the Delegated Regulation.

Status:

Final Q&A

Answer prepared by:

Answer prepared by the EBA.