Question ID:
2021_6280
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
36(1)(c)
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Central Bank of Malta
Country of incorporation / residence:
Malta
Type of submitter:
Competent authority
Subject Matter:
Application of SCA for confirmation of funds requests made by a PISP
Question:

1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation?

2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?

Background on the question:

Article 36(1)(b) of the RTS on SCA and CSC states that after receipt of the payment order, the ASPSP shall provide PISPs with the same level of information on the initiation and execution of the payment transaction provided to the customer when the payment is initiated directly by the latter.

Furthermore, Article 36(1)(c) also states that, upon request, ASPSPs shall provide PSPs with a confirmation in a simple ‘yes’ or ‘no’ format, whether there is sufficient balance for the execution of a payment transaction.

In its Opinion of June 2018, the EBA clarified that Article 36(1)(c) applied to both CBPIIs and PISPs, rather than solely CBPIIs.

Our first question relates to whether there should be a single SCA for a customer journey whereby the PISP requests fund confirmation in the same process of a payment initiation.

Furthermore, our second question relates to whether the ‘yes’ or ‘no’ confirmation as per Article 36(1)(c) of the RTS should be provided by the ASPSP before or after the payment has been submitted by the PISP.

Date of submission:
16/11/2021
Published as Final Q&A:
27/01/2023
Final Answer:

According to Article 97 of Directive 2015/2366/EU (PSD2), payment service providers should apply strong customer authentication (SCA) where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Article 36(1)(c) of the Commission Delegated Regulation (EU) 2018/389 requires account servicing payment service providers (ASPSPs) to immediately provide, upon request, payment service providers with a confirmation in a simple ‘yes’ or ‘no’ format, whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. Paragraph 22 of the EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04) clarified that this applies to payment service providers including payment initiation service providers (PISPs).

Furthermore, paragraph 24 of the EBA Opinion on obstacles under Article 32(3) of the RTS on SCA&CSC (EBA/OP/2020/10) clarified that in a PIS-only journey, ASPSPs should support a single SCA for a single payment initiation via a PISP, if the PISP transmits to the ASPSP all the information necessary to initiate the payment, including the account number/IBAN of the account to be debited.

Accordingly, a separate SCA for providing the confirmation of funds as referred to in Article 36(1)(c) of the Delegated Regulation is not necessary. Requiring two SCAs in a PIS-only journey where the PISP transmits to the ASPSP all the information necessary to initiate the payment, namely one SCA for the yes/no confirmation under Article 36(1)(c) and a second SCA for payment initiation, is an obstacle to the provision of payment initiation services under Article 32(3) of the Delegated Regulation, unless the ASPSP has duly justified security arguments why two SCAs would be needed in such case as referred to in paragraph 24 of the EBA Opinion on obstacles.

With regard to the second question, in accordance with Article 36(1)(c) of the Delegated Regulation, the ASPSP should provide the yes/no confirmation immediately upon request from the PISP. Therefore, as soon as the PISP requests the ASPSP to provide such confirmation, which could be before or after the payment initiation request, the ASPSP should immediately provide the answer to the PISP.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.