- Question ID: 2023_6863
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 9
- Type of submitter: Consultancy firm
- Subject matter: Mobile Banking Services and SCA in the same app
- Question:
We use a mobile app, software installed in a separate sandbox on a multi-purpose device, for the elements of strong customer authentication. Is it correct to assume that Article 9 (in COMMISSION DELEGATED REGULATION (EU) 2018/389) does not prevent us from offering mobile banking services through the same app?
- Background on the question:
Article 9(3)(a) mentions the "use of separated secure execution environments through the software installed inside the multi-purpose device". It is not 100% clear how this use of a separated execution environment applies to mobile banking services.
- Submission date:
- Final publishing date:
- Final answer:
In accordance with Article 9(1) of the Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall ‘ensure that the use of the elements of strong customer authentication referred to in Articles 6, 7 and 8 is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements’. In addition, Article 9(2) requires that PSPs ‘shall adopt security measures, where any of the elements of strong customer authentication or the authentication code itself is used through a multi-purpose device, to mitigate the risk which would result from that multi-purpose device being compromised’.
Article 9 of the Delegated Regulation introduces requirements for the independence of authentication elements and their security. Article 9 does not restrict PSPs from carrying out mobile banking services and authentication of payment transactions through the same mobile applications.
Finally, it should be noted that the requirements of Art. 9(3)(a) of the Delegated Regulation apply with regard to the two authentication elements. It is for payment service providers to ensure that the authentication approaches are compliant with these requirements.
- Status: Final Q&A
- Answer prepared by: the EBA
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.