Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Name of institution / submitter:
Croatian National Bank
Country of incorporation / residence:
Type of submitter:
Competent authority
Subject Matter:
Legal requirements for the authentication procedure when SCA exemptions are applied for remote payment transactions

What are the legal requirements for the type of authentication procedure used when conditions for the application of of Strong customer authentication (SCA) exemption for remote payment transactions are fulfilled?

Background on the question:

There are different ways how a Payment Services Provider (PSP) can apply an authentication procedure when conditions for SCA exemption are fulfilled in the case of remote payment transactions (Articles 13-18 of RTS on SCA&CSC).

There is a possibility to initiate a transaction with the application of a single authentication element. Another possibility is to not require authentication at all (or maybe only require the customer to select Yes/No for initiation of transaction) if it can be justified by risk assessment.

Our understanding is that, according to its risk assessment, a PSP can choose the appropriate authentication procedure. Furthermore, we think that a PSP has the right to implement a partial solution and apply the SCA exemption only on dynamic linking requirement. In that case, a PSP would require SCA authentication, but without dynamic linking. It is up to the PSP to define the level of risk it wants to accept and one possible solution is to use the SCA authentication all the time even when PSP could apply the SCA exemption.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 97(1) of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to ‘apply strong customer authentication where the payer:

(a) accesses its payment account online;

(b) initiates an electronic payment transaction;

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.’

Chapter III of the Commission Delegated Regulation (EU) 2018/389 sets out the exemptions from the application of strong customer authentication (SCA).

Recital 17 of the Delegated Regulation further clarifies that PSPs that make use of any of the exemptions from SCA ‘should be allowed at any time to choose to apply strong customer authentication...’.

PSD2 and the Delegated Regulation do not specify how the authentication as defined in Article 4(29) of PSD2 should take place when an exemption from SCA is used. Therefore, if a PSP decides to make use of an exemption from SCA, it is up to the PSP to decide how to perform authentication, i.e. how to verify the identity of a payment service user or the validity of the use of the payment instrument.

Finally, it should be noted that the security measures for dynamic linking under Article 97(2) of PSD2 and Article 5 of the Delegated Regulation are required for the initiation of remote electronic payment transactions where SCA is required under Article 97(1)(b) of PSD2. PSD2 and the Delegated Regulation do not require the application of these security measures to remote electronic payment transactions exempted from SCA.

Final Q&A