Question ID:
2021_6235
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
10
Disclose name of institution / entity:
Yes
Name of institution / submitter:
ETPPA
Country of incorporation / residence:
Belgium
Type of submitter:
Industry association
Subject Matter:
Application of the exemption under Article 10 RTS and EBICS T
Question:

Can an Account Servicing Payment Service Provider (ASPSP) consider that it is not applying the Article 10 Exemption under the Commission Delegated Regulation (EU) 2018/389 “at all” where it permits its Payment Services Users (PSUs) to access balances and transactions information through another direct interface (such as Electronic Banking Internet Communication Standard (EBICS) T) with no systematic or daily strong customer authentication (SCA)?

Background on the question:

In Country A, at least 3 major ASPSPs consider they do not need to apply the RTS Article 10 Exemption because they request systematic SCA when the PSU connects directly to its online Banking Web-interface. Therefore, they oblige their PSU to apply systematic or even daily SCA when their Account Information Service (AIS) application is accessing its information through the Application Programming Interface (API) interface. These ASPSPs officially consider that situation as fair and compliant with the parity rule applying the same way for direct interface and dedicated interface. Account Information Service Providers (AISPs) consider that these ASPSPs forgot to mention that they have another “direct interface” (named EBICS T) giving, through an online https access, information about Balances and Transactions, and that they actually are not applying the same systematic or daily SCA to their PSU through this interface. This creates an unfair competition as some institutions don’t use this exemption (Art 10) in their API as an argument to make their PSU choose the EBICS T interface.

AISPs regret that those ASPSPs use this lower level of security as a commercial argument to get their PSU back from AISP Services to EBICS T.

Date of submission:
12/10/2021
Published as Final Q&A:
13/04/2022
Final Answer:

Article 67(3)(b) of Directive 2015/2366/EU (PSD2) requires account servicing payment service providers (ASPSPs) to treat data requests transmitted through the services of an account information service provider (AISP) without any discrimination for other than objective reasons.

Furthermore, Articles 97(1)(a) and 97(4) of PSD2 specify that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payment service user (PSU) “accesses its payment account online”, including when the information is requested through an AISP.

As an exception to the above, Article 10 of the Delegated Regulation (EU) 2018/389 allows PSPs not to apply SCA where the PSU is accessing certain limited payment account information (namely the balance of the payment account and/or the last 90 days payment transactions).

It follows from the above that, in line with Articles 97(1)(a) and 97(4) of PSD2, SCA is required where the PSU accesses its payment account online, directly or through an AISP, irrespective of the type of access interface. By contrast, the SCA requirement in Article 97(1)(a) PSD2 does not apply if the payment account is not being accessed “online”, within the meaning of Article 97(1)(a) PSD2.

It also follows from the above that ASPSPs can decide based on their risk assessment whether or not to apply the exemption in Article 10 across all or some of their online direct customer channels (e.g., the web interface or mobile app). However, in line with the non-discrimination principle in Article 67(3)(b) PSD2, if the ASPSP applies the exemption in Article 10 to its PSUs in a particular direct online customer channel, it should also apply the exemption for access requests received via an AISP through the same channel, unless the ASPSP has objective reasons, within the meaning of Article 67(3)(b) PSD2, not to do so.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Note to Q&A:

The EBA answer was amended on 27.04.2022 to remove a clerical error which affected the last paragraph.
