Question ID:
2021_5821
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
4
Paragraph:
30
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
6
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Strong customer authentication (SCA) Knowledge element: Place of Birth and Date of Birth
Question:

Do a payer’s date of birth and place of birth constitute a valid Knowledge Element for strong customer authentication?

Background on the question:

After reading many different articles, Knowledge should be something in the customer's head. So if a date of birth can be viewed across many different forms of personal information (even through the window of some letters in your letterbox or my Facebook page) and my Place of birth can be found on my passport, should my bank be using this to validate Knowledge for making data changes?

Date of submission:
21/04/2021
Published as Final Q&A:
30/07/2021
EBA Answer:

Article 4(30) of Directive 2015/2366/EU (PSD2) defines knowledge as something only the user knows.

Article 6 of Regulation (EU) 2018/389 specifies the requirement for payment service providers (PSPs) to mitigate the risk that the element is ‘uncovered by, or disclosed to, unauthorised parties’ and to have mitigation measures in place ‘in order to prevent their disclosure to unauthorised parties’.

Accordingly, date and/or place of birth cannot constitute a knowledge element under PSD2 and the Delegated Regulation since these may be accessible by third parties other than the payment service user or the PSP.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.