- Question ID
- 2023_6827
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
- 97
- Paragraph
- 1
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 13
- Name of institution / submitter
- The Central Bank of Hungary
- Country of incorporation / residence
- Hungary
- Type of submitter
- Competent authority
- Subject matter
- Trusted Beneficiaries
- Question
- Please clarify whether under Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC) it is allowed to use the same SCA element to authorize a payment and at the same time (using the same session ID) approve (technically, by using a checkbox) the payee as a trusted beneficiary. If it is allowed, shall the payment service user (hereinafter: PSU) be informed (prior to authorisation) by an approval SCA element (SMS) about both the payment execution and the modification of the list of trusted beneficiaries?
- Background on the question
- We identified a fraudulent transaction pattern where fraudsters have gained the credentials of a PSU, created a mobile app and initiated a first payment with an extremely low amount; at the same time it is possible to set their own account as a trusted beneficiary by using a checkbox in the mobile app, which the fraudsters have done. After the fraudsters have saved their own account as a trusted beneficiary, they can initiate and execute any payments without SCA.
  According to Article 13(1) of the RTS on SCA & CSC, the payment service provider (hereinafter: PSP) shall apply SCA where a PSU creates or amends a list of trusted beneficiaries. The answer to Q&A 4338 states that adding a payee to a trusted beneficiary list requires the application of SCA, including when done prior to the initiation of a payment.
- Submission date
- Final publishing date
-
- Final answer
- Article 97(1)(b) of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to apply strong customer authentication (SCA) when the payer initiates an electronic payment transaction.
  Q&A 4141 clarified that, when initiating a payment while within the same session in which SCA was performed to access account data, one of the elements used at the time the customer accessed its payment account online (including via a mobile app) may be reused in compliance with Article 4 of the Commission Delegated Regulation (EU) 2018/389, provided that the other element of SCA is carried out at the time the payment is initiated and the dynamic linking element required under Article 97(2) PSD2 (for remote payment transactions) is present and linked to that latter element.
  Further, the principle set out in Q&A 4141 may be applied in the specific case described by the submitter. This means that one of the authentication elements used for initiating an electronic payment transaction may be reused when the payer adds a payee to the trusted beneficiaries list under Article 13 of the Delegated Regulation within the same session.
  However, reusing the same two SCA elements applied for initiating an electronic payment transaction when adding a payee to the trusted beneficiaries list under Article 13 of the Delegated Regulation is not compliant with the legal requirements.
- Status
- Final Q&A
- Answer prepared by
- Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.