The initial text of art.10 of the Regulation (EU) 2018/389 was as follows:

“Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and in paragraph 2 of this article, where a payment service user is accessing its payment account online directly, provided that access is limited to either or both of the following items online without disclosure of sensitive payment data:

(a) the balance of one or more designated payment accounts;

(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.

…..”

 These provisions have been amended by Art. 1 of Regulation (EU) 2022/2360 as follow:

“…1. Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:

(a) the balance of one or more designated payment accounts;

(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.

………“

We observe that the sentence “limited to either or both of..” in the original art.10  is changed to “limited to one of the following items” in the new art.10 and art.10a as defined in Regulation (EU) 2022/2360.

The new wording could be read in a way to restrict the RTS art.10 exemption to use cases where the PSU requires to access only a single item (balance or transaction list), excluding the possibility of applying the exemption where the access request refers to both the balance and the last 90 days transaction history.

This is not in line with the previous art. 10 provisions, currently implemented by all operators, where the SCA exemption is allowed also for PSU accesses where balance and transaction list are retrieved in a single request; also, this new wording seems to contradict the recitals of the provision, which are intended to extend the application of the SCA exemption, and not to reduce it.

In addition, this possible interpretation seems to be incoherent with recital 4 of the Regulation (EU) 2022/2360, which states that “The exemption should be limited to access to the balance and the recent transactions of a payment account without disclosure of sensitive payment data”. Here the exemption is referring to both items (balance and transaction list) without a distinction among a unique or separated requests.

As a result, and despite the unclear wording of  the new art. 10 and art. 10a, the SCA exemption applies also where the access request refers both to the balance and the last 90-days transaction history.