Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Name of institution / submitter:
Quali-Sign LTD
Country of incorporation / residence:
United Kingdom
Type of submitter:
Subject Matter:
Scope of the corporate SCA exemption.

Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?

Background on the question:

Prior to the application of PSD2, in the corporate banking space many Payment Initiation Service Providers (PISPs) offered multi-banking services to corporates (e.g. via a browser front end or mobile app). These PISPs connected to the AISP via 'secure corporate payment processes and protocols' such as SWIFTNet, the Electronic Internet Banking Communication Standard (EBICS) or via 'host-to-host' protocols such as Secure FTP (SFTP). Many of these PISPs may choose to retain their existing connections as opposed to migrating to a new XS2A API. The text of the PSD2 directive does not appear to distinguish between PISPs that connect to ASPSP's via a certified PSD2 dedicated interface (XS2A API's) and those that connect via other dedicated 'secure corporate payment processes and protocols'. The text of Article 17 refers to "the use of dedicated payment processes or protocols that are only made available to payers who are not consumers". There is no mention of PISP's using these 'dedicated payment processes or protocols' in this article.

Date of submission:
Published as Final Q&A:
EBA Answer:

‘Payment initiation’ as a process in Article 17 of the Commission Delegated Regulation (EU) 2018/389 is not to be confused with payment initiation services; the latter referring to a payment that is initiated by a third party. Further, in accordance with Article 66(1) of PSD2, a payer has the right to make use of a payment initiation service provider (PISP) to initiate a payment. In the case where a payer uses a PISP to initiate a payment, as clarified in paragraph 39 of the EBA Opinion on the implementation of the RTS on strong customer authentication and secure communication (EBA-Op-2018-04), it is the responsibility of the account servicing payment service provider (ASPSP) to identify whether or not an exemption applies, including the exemption under Article 17 of the Delegated Regulation.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.