Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

We definitely appreciate the importance of setting up a robust strong customer authentication (“SCA”) regime. However, based on our experience from retail banking and the knowledge of the behaviour and the expectations of retail clients, we consider the proposed exemption from the requirements to arrange SCA to be very restrictive. In particular, the time period specified as “later than one month after the last day in which strong customer authentication was applied” leads to the necessity to perform SCA at least once a month. In practice, a significant number of payment accounts are accessed by their users online relatively frequently, with most accounts accessed at least several times a month. In this respect, we suggest a modification to the proposed rules. Specifically, we suggest that additional SCA does not need to be conducted in case the user of the account accesses it frequently - for example once a week. In this context, we are of the view that the monitoring of security of the account is sufficiently ensured by the account users themselves. On the other hand, it is not necessary to impose additional administrative burden on payment account operators in the form of frequent conduct of SCA. Also, customers may be disappointed by excessive use of SCA.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

We definitely appreciate the importance of setting up a robust strong customer authentication (“SCA”) regime. However, based on our experience from retail banking and the knowledge of the behaviour and the expectations of retail clients, we consider the proposed exemption from the requirements to arrange SCA to be very restrictive. In particular, the time period specified as “later than one month after the last day in which strong customer authentication was applied” leads to the necessity to perform SCA at least once a month. In practice, a significant number of payment accounts are accessed by their users online relatively frequently, with most accounts accessed at least several times a month. In this respect, we suggest a modification to the proposed rules. Specifically, we suggest that additional SCA does not need to be conducted in case the user of the account accesses it frequently - for example once a week. In this context, we are of the view that the monitoring of security of the account is sufficiently ensured by the account users themselves. On the other hand, it is not necessary to impose additional administrative burden on payment account operators in the form of frequent conduct of SCA. Also, customers may be disappointed by excessive use of SCA.

Please select which category best describes you and/or your organisation

Payment institution

Please select which category best describes the services provided by you/your organisation

Execution of payment transactions

Name of organisation

Air Bank a.s.