- Question ID
- 2023_6820
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
- 98
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 10
- Type of submitter
- Consultancy firm
- Subject matter
- Exemption from strong customer authentication
- Question
Do the revisions to Art.10 set out in Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2018/389 as regards the 90-day exemption for account access mean that a payment service user or account information service provider is now limited to accessing only the account balance OR the transaction details for the last 90 days when availing of the revised exemption?
- Background on the question
Article 10(1) of Delegated Regulation (EU) 2018/389 provided that,
“Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and to paragraph 2 of this Article and, where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.”
Commission Delegated Regulation (EU) 2022/2360 has revised Art.10 and introduced a new Art.10a which now provide:
Art.10(1)
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
Art. 10a(1)
Payment service providers shall not apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
Under the original Art.10 exemption, a payment service user could access “either or both of”, meaning the account balance AND/OR transaction details, whereas in both the revised Art.10 and the new Art.10a access is limited to “one of” the account balance or transaction details, which would seem to restrict the levels of access enjoyed today. Did the Commission intend to introduce such a material change with the revised wording, and if so, why?
- Submission date
- Final publishing date
-
- Final answer
Article 10(1) of Delegated Regulation (EU) 2018/389, as amended by Commission Delegated Regulation (EU) 2022/2360, allows payment service providers (PSPs) not to apply strong customer authentication (SCA), where a payment service user (PSU) is accessing its payment account online directly, “provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts”.
Furthermore, Article 10a(1) of Delegated Regulation (EU) 2018/389, as amended by Commission Delegated Regulation (EU) 2022/2360, requires PSPs not to apply SCA where a PSU is accessing its payment account online through an account information service provider (AISP), “provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts”.
In relation to the above, recital 4 of Commission Delegated Regulation (EU) 2022/2360 clarifies that the above exemption from SCA “should be limited to access to the balance and the recent transactions of a payment account without disclosure of sensitive payment data”.
It follows from the above that the exemptions in Articles 10 and 10a also apply where the access request refers to both the payment account balance and the last 90 days' transaction history, provided that the other conditions set out in Delegated Regulation (EU) 2018/389 are met. In this regard, the scope of data that can be accessed using the exemptions in Articles 10 and 10a remains the same as before the amendments introduced by Commission Delegated Regulation (EU) 2022/2360.
- Status
- Final Q&A
- Answer prepared by
- Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.