Please clarify whether, under Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication, hereinafter: RTS on SCA & CSC), it is allowed to use the same SCA element to authorise a payment and at the same time (using the same session ID) approve (technically, by ticking a checkbox) the payee as a trusted beneficiary. If it is allowed, shall the payment service user (hereinafter: PSU) be informed (prior to authorisation) by an approval SCA element (SMS) about the payment execution and about the modification of the list of trusted beneficiaries as well?
We identified a fraudulent transaction pattern where fraudsters have gained the credentials of a PSU, have created a mobile app and have initiated a payment for the first time with an extremely low amount; at the same time it is possible to set their own account as a trusted beneficiary by using a checkbox in the mobile app, which the fraudsters have done. After the fraudsters have saved their own account as a trusted beneficiary, they can initiate and execute any payments without SCA.
According to Article 13(1) of the RTS on SCA & CSC, the payment service provider (hereinafter: PSP) shall apply SCA where a PSU creates or amends a list of trusted beneficiaries. The answer to Q&A 4338 states that adding a payee to a trusted beneficiary list requires the application of SCA, including when done prior to the initiation of a payment.
Article 97(1)(b) of Directive (EU) 2015/2366 (PSD2) requires payment service providers (PSPs) to apply strong customer authentication (SCA) when the payer initiates an electronic payment transaction.
Q&A 4141 clarified that, when initiating a payment while within the same session in which SCA was performed to access account data, one of the elements used at the time the customer accessed its payment account online (including via a mobile app) may be reused in compliance with Article 4 of the Commission Delegated Regulation (EU) 2018/389, provided that the other element of SCA is carried out at the time the payment is initiated and the dynamic linking element required under Article 97(2) PSD2 (for remote payment transactions) is present and linked to that latter element.
Further, the principle set out in Q&A 4141 may be applied in the specific case described by the submitter. This means that one of the authentication elements used for initiating an electronic payment transaction may be reused when the payer adds a payee to the trusted beneficiaries list under Article 13 of the Delegated Regulation within the same session.
However, reusing the same two SCA elements applied for initiating an electronic payment transaction when adding a payee to the trusted beneficiaries list under Article 13 of the Delegated Regulation is not compliant with the legal requirements.
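The following is an added illustration and not part of the EBA's answer or of any PSP's implementation. It models the reuse rule stated above as server-side session logic: within one session each operation that requires SCA must consume at least one element that has not already been used for an earlier operation, at most one element may be reused, and for a remote payment the fresh element must carry the dynamic-linking code bound to the amount and payee. The element categories, the `dynamic_link` digest (a simplified stand-in for the Article 5 authentication code, which a real authenticator computes on the device), the IBAN strings and the `ScaSession` API are all assumptions made for this example. It then replays the fraud pattern from the question (a low-value payment with the "save as trusted beneficiary" checkbox riding on the same SCA) and shows it being rejected, next to the compliant flow in which the beneficiary change is confirmed with a fresh second element.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


class ScaPolicyError(Exception):
    """Raised when an operation's authentication does not satisfy the reuse rule."""


def dynamic_link(amount: str, payee: str) -> str:
    # Assumption: simplified stand-in for the dynamic-linking authentication code.
    # A real code is generated inside the authenticator over the amount and payee
    # the payer was shown; here a digest of both values plays that role.
    return hashlib.sha256(f"{amount}|{payee}".encode()).hexdigest()


@dataclass(frozen=True)
class ElementProof:
    kind: str                       # "knowledge", "possession" or "inherence"
    proof_id: str                   # unique per authentication event (never replayed)
    linked_hash: str | None = None  # dynamic_link(...) this proof was bound to, if any


class ScaSession:
    """Tracks which element proofs have already been consumed in one online session."""

    def __init__(self) -> None:
        self.consumed: dict[str, str] = {}  # proof_id -> operation that consumed it

    def authorize(self, operation: str, proofs: list[ElementProof],
                  amount: str | None = None, payee: str | None = None) -> bool:
        if len({p.kind for p in proofs}) < 2:
            raise ScaPolicyError(f"{operation}: two elements of different categories are required")
        fresh = [p for p in proofs if p.proof_id not in self.consumed]
        reused = [p for p in proofs if p.proof_id in self.consumed]
        if not fresh:
            used_for = sorted({self.consumed[p.proof_id] for p in reused})
            raise ScaPolicyError(f"{operation}: both elements were already used for {used_for}")
        if len(reused) > 1:
            raise ScaPolicyError(f"{operation}: at most one element may be reused within a session")
        if amount is not None:
            # Remote payment: the fresh element must be the one carrying the dynamic link.
            expected = dynamic_link(amount, payee or "")
            if not any(p.linked_hash == expected for p in fresh):
                raise ScaPolicyError(f"{operation}: fresh element is not dynamically linked to amount/payee")
        for p in fresh:
            self.consumed[p.proof_id] = operation
        return True


# Constructed sample identifiers; not real accounts.
ATTACKER_IBAN = "XX00 0000 0000 0000 0000 0000"
PAYEE_IBAN = "XX11 1111 1111 1111 1111 1111"


def fraud_pattern() -> str:
    """Low-value payment plus 'save as trusted beneficiary' checkbox on the same SCA."""
    session = ScaSession()
    pin = ElementProof("knowledge", "pin-1")
    otp = ElementProof("possession", "otp-1",
                       linked_hash=dynamic_link("0.01", ATTACKER_IBAN))
    session.authorize("initiate_payment", [pin, otp], amount="0.01", payee=ATTACKER_IBAN)
    try:
        # The app re-submits the very same two proofs for the beneficiary change.
        session.authorize("add_trusted_beneficiary", [pin, otp])
    except ScaPolicyError as exc:
        return f"rejected: {exc}"
    return "accepted"


def compliant_flow() -> str:
    """Same session, but the beneficiary change is confirmed with a fresh second element."""
    session = ScaSession()
    pin = ElementProof("knowledge", "pin-1")
    otp1 = ElementProof("possession", "otp-1",
                        linked_hash=dynamic_link("25.00", PAYEE_IBAN))
    session.authorize("initiate_payment", [pin, otp1], amount="25.00", payee=PAYEE_IBAN)
    # A new approval in which the PSU is shown "add trusted beneficiary"; pin is reused.
    otp2 = ElementProof("possession", "otp-2")
    session.authorize("add_trusted_beneficiary", [pin, otp2])
    return "accepted"


def tampered_amount_rejected() -> bool:
    """Dynamic linking: a code bound to 1.00 must not authorise a 999.00 payment."""
    session = ScaSession()
    pin = ElementProof("knowledge", "pin-1")
    otp = ElementProof("possession", "otp-1", linked_hash=dynamic_link("1.00", PAYEE_IBAN))
    try:
        session.authorize("initiate_payment", [pin, otp], amount="999.00", payee=PAYEE_IBAN)
    except ScaPolicyError:
        return True
    return False


if __name__ == "__main__":
    print(fraud_pattern())
    print(compliant_flow())
    print("tampered amount rejected:", tampered_amount_rejected())
```

The design choice worth noting is that freshness is decided by the server from consumed proof identifiers, not by a flag the client sends; a mobile app under an attacker's control can tick any checkbox it likes, but it cannot mint a second, unconsumed possession proof without the PSU approving a second, clearly described operation on the authenticator.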