- Question ID: 2025_7358
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 66, 67
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 32(3)
- Type of submitter: Competent authority
- Subject matter: Authentication process of the PSU with the ASPSP in a combined AIS and PIS journey in a redirection approach
- Question
Consider an ASPSP that offers a dedicated interface using a redirection approach. To fulfill the requirement that PSUs using a PIS should not have to enter their own account details, the ASPSP allows TPPs that have an AIS license to retrieve the list of all the PSU’s payment accounts via the interface so that the account can be selected in the TPP’s domain.
Does the ASPSP create an obstacle in the sense of Article 32(3) of Commission Delegated Regulation (EU) 2018/389 if
- it forces a PSU who is initiating a payment through a PISP without entering their own IBAN to perform full SCA twice while
- a PSU who initiates a payment through the ASPSP’s customer interface needs to perform full SCA only once, while the second authentication requires entering only one element of SCA?
- Background on the question
In our market, a number of banks allow the reuse of the static SCA element in the customer interface but not in the dedicated interface.
If PSUs use the customer interface, e.g. the online banking website, they can access their account data by performing full SCA, using both elements. However, once they are logged in, they can initiate a payment with an authentication using only one element, while the other (static) element is reused from the log-in.
In contrast, if PSUs initiate a payment via a PISP (using a redirection flow and without having to enter their account details), they have to perform full SCA twice, once for the retrieval of the list of accounts and once for the payment itself.
PISPs in our jurisdiction have complained that this discrepancy creates a worse customer experience for PIS users compared to the experience in the customer interface.
This question is restricted to cases where the combined journey is used to avoid the manual input of the payer’s account details and does not concern other use cases where such a combined journey might also arise. In addition, it does not affect PIS flows where the choice of account takes place in the ASPSP’s domain.
- Submission date
- Status: Question under review
- Answer prepared by: Answer prepared by the EBA.