Question ID:
2022_6392
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
Paragraph:
1
Subparagraph:
d
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
30(1)(b)-(c)
Disclose name of institution / entity:
No
Type of submitter:
Credit institution
Subject Matter:
API functionality
Question:

Is it allowed to use a dedicated PSD2 interface by a TPP that identifies itself with an eIDAS certificate for purposes other than those specified in Article 30(1)(b) - (c) of the RTS on strong customer authentication (SCA) and secure communication? 

Background on the question:

TPP has informed us that it uses API requests to the Production PSD2 API for purposes other than payment initiation or access to account information, namely, monitoring API availability. What's more, these API requests are part of the monitoring service offered on the market, which is used, among others, by some national competent authorities.  

PSD2 and specifically RTS define the dedicated interface's purposes (Article 30(1)(b) and (c)of RTS on strong customer authentication (SCA) and secure communication).

Furthermore, Article 34(3)(a) defines the requirements for what needs to be included in the certificates the TPP uses for identification.

The roles for payment institutions are (I) account servicing, (ii) payment initiation; (iii) account information; (iv) issuing of card-based payment instruments.

These roles are reflected in the eIDAS certificates. None of them refers to the monitoring activity.  Use of the actual request for monitoring purposes can also affect the conversion and error rates, as the request is counted as failed.   

Date of submission:
10/03/2022
Published as Final Q&A:
14/10/2022
Final Answer:

In accordance with Article 34(1) of Commission Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall rely, for the purpose of identification of third party providers (TPPs) as referred to in Article 30(1)(a), on eIDAS certificates. Article 34(3) provides that the eIDAS certificate shall specify the role of the PSP as ‘account servicing’, ’payment initiation’; ‘account information’ and/or ‘issuing of card-based payment instruments’. As clarified in the EBA Opinion on the use of eIDAS certificates under the RTS on SCA and CSC (EBA-Op-2018-7), these four roles can be assigned to PSPs that have been authorised to provide the respective payment services as referred to in Annex I to PSD2.

At the same time, TPPs should ensure that they comply with their respective obligations under Articles 66 and 67 of Directive 2015/2366/EU (PSD2) including the requirement to not access any data for purposes other than for the provision of the payment initiation service or, respectively, the account information service as explicitly requested by the payment service user.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Image CAPTCHA