2021_6280 Application of SCA for confirmation of funds requests made by a PISP

Question ID: 2021_6280
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 36(1)(c)
Name of institution / submitter: Central Bank of Malta
Country of incorporation / residence: Malta
Type of submitter: Competent authority
Subject matter: Application of SCA for confirmation of funds requests made by a PISP
Question: 1) Should two SCAs be applied when a fund confirmation is made by a PISP? i.e. one for fund confirmation and one for payment initiation?

2) Should ASPSPs provide confirmation to a CoF request made by a PISP before or after the payment is submitted?
Background on the question: Article 36(1)(b) of the RTS on SCA and CSC states that after receipt of the payment order, the ASPSP shall provide PISPs with the same level of information on the initiation and execution of the payment transaction provided to the customer when the payment is initiated directly by the latter.

Furthermore, Article 36(1)(c) also states that, upon request, ASPSPs shall provided PSPs with a confirmation in a simple ‘yes’ or ‘no’ format, whether there is sufficient balance for the execution of a payment transaction.

In its Opinion of June 2018, the EBA clarified that Article 36(1)(c) applied to both CBPIIs and PISPs, rather than solely CBPIIs.

Our first question relates on whether there should be a single SCA for a customer journey whereby the PISP requests fund confirmation in the same process of a payment initiation.

Furthermore, our second question relates to whether, the ‘yes’ or ‘no’ confirmation as per Article 36 (1)(c) of the RTS should be provided by the ASPSP before or after the payment has been submitted by the PISP.
Submission date: 16/11/2021
Final publishing date: 27/01/2023
Final answer: According to Article 97 of Directive 2015/2366/EU (PSD2), payment service providers should apply strong customer authentication (SCA) where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Article 36(1)(c) of the Commission Delegated Regulation (EU) 2018/389 requires account servicing payment service providers (ASPSPs) to immediately provide, upon request, payment service providers with a confirmation in a simple ‘yes’ or ‘no’ format, whether the amount necessary for the execution of a payment transaction is available on the payment account of the payer. Paragraph 22 of the EBA Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04) clarified that this applies to payment service providers including payment initiation service providers (PISPs).

Furthermore, paragraph 24 of the EBA Opinion on obstacles under Article 32(3) of the RTS on SCA&CSC (EBA/OP/2020/10) clarified that in a PIS-only journey, ASPSPs should support a single SCA for a single payment initiation via a PISP, if the PISP transmits to the ASPSP all the information necessary to initiate the payment, including the account number/IBAN of the account to be debited.

Accordingly, a separate SCA for providing the confirmation of funds as referred to in Article 36(1)(c) of the Delegated Regulation is not necessary. Requiring two SCAs in a PIS-only journey where the PISP transmits to the ASPSP all the information necessary to initiate the payment, namely one SCA for the yes/no confirmation under Article 36(1)(c) and a second SCA for payment initiation is an obstacle to the provision of payment initiation services under Article 32(3) of the Delegated Regulation, unless the ASPSP has duly justified security arguments why two SCAs would be needed in such case as referred to in paragraph 24 of the EBA Opinion on obstacles.

With regard to the second question, in accordance with Article 36(1)(c) of the Delegated Regulation, the ASPSP should provide the yes/no confirmation immediately upon request from the PISP. Therefore, as soon as the PISP requests the ASPSP to provide such confirmation, which could be before or after the payment initiation request, the ASPSP should immediately provide the answer to the PISP.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer