Pursuant to Article 97(1) of Directive (EU) 2015/2366, payment service providers (PSPs) must apply strong customer authentication (SCA) where, inter alia, the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Article 10 of Regulation (EU) 2018/389 allows PSPs not to apply SCA, subject to compliance with the requirements laid down therein, where the payment service user is limited to accessing a limited data set.

Neither Article 97 of Directive (EU) 2015/2366 nor Article 10 of Regulation (EU) 2018/389 restrict their scope of application to ASPSPs and apply to all PSPs.

The EBA also did refer to PSPs generally when addressing Article 10 of Regulation (EU) 2018/389, stating that: “Consequently for payment transaction history older than 90 days, the exemption to the obligation to apply strong customer authentication under Article 10 of the Delegated Regulation does not apply. For such information, payment service providers should always have to apply strong customer authentication” (Q&A 2018_4177). 

Recital 93 of Directive (EU) 2015/2366 states that: “(…) The payment initiation service providers and the account information service providers on the one hand and the account servicing payment service provider on the other, should observe the necessary data protection and security requirements established by, or referred to in, this Directive or included in the regulatory technical standards (…). Recital 94 of that Directive also states that: “When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimize threats to data protection”. Recital 95 of that Directive also states that: “(…) All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. (…)”.

The exemptions set out in Chapter III of Regulation (EU) 2018/389, thus including Article 10 of that Regulation, “have been designed and defined on the basis of risk” (EBA Final Report on the draft RTS, p. 67, comment 39), as also recalled in Recital 9 and set out in Article 1(b) of that Regulation, and as required by Article 98(3)(a) of Directive (EU) 2015/2366 which mandates that such exemptions be based on “the level of risk involved in the service provided”. 

Article 10 of Regulation (EU) refers to users “accessing (…) items online (…)” and to users having “accessed online the information specified in paragraph 1(b)”; it does not further qualify the access falling within the scope of the provision. Account Information Service users access such information when accessing AISPs’ own channels wherein this information is compiled and stored.

There is no difference in the level of risk associated with accessing payment account information directly from the payment account serviced by ASPSPs and with accessing the transactional history previously retrieved and compiled by the AISPs in their own channels.

Both actions are associated with the same level of risk to users; the provisions mentioned above encompass both actions.

It is irrelevant that the initial access by AISPs to information held by ASPSPs is subject to the application of SCA by ASPSPs themselves. This question pertains to the access, by Account Information Service users, of the previously retrieved account information compiled and stored within the channels of AISPs, which are PSPs. 

Accordingly, it should be clarified whether AISPs should, in respect of the access to their own channels by users of their Account Information Services (an action through a remote channel as referred to in Article 97(1)(c) of Directive (EU) 2015/2366), apply SCA or (as the case may be) exempt users therefrom in accordance with the provisions of Article 10 of Regulation (EU) 2018/389.