European Banking Authority - Single Rulebook Q&A
Question ID: 2021_6248
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 10
Type of submitter: Competent authority
Subject matter: Application of strong customer authentication (SCA) where Account Information Service users access the Account Information Service Providers’ (AISPs) own channels and the previously retrieved payment account information compiled and stored therein
Question

Are Account Information Service Providers (AISPs) exempt, in respect of their own channels, from the requirements of Article 97(1) of Directive (EU) 2015/2366 and of Article 10 of Regulation (EU) 2018/389, and therefore allowed:

  1. to let users of their Account Information Service access the AISPs’ own channels and the payment account information compiled and stored therein – previously retrieved by AISPs from the users’ respective Account-Servicing Payment Service Providers (ASPSPs) – without applying any strong customer authentication (SCA) upon that access to AISPs’ own channels, irrespective of whether the conditions of Article 10 of Regulation (EU) 2018/389 are satisfied –
  2. such that AISPs may, in their own channels, allow users of their service to consult, without SCA, previously retrieved payment account information of a broader scope (more than the last 90 days’ worth of data, and potentially the users’ complete transactional history) as compared to the data that ASPSPs may, without SCA, display to the same users in the ASPSPs’ own channels (maximum the last 90 days’ worth of data, and provided that SCA was applied no more than 90 days prior) –
  3. and such that AISPs, despite being payment service providers (PSPs), need not afford users of their services the same level of protection that ASPSPs are required to, and can expose said users to the risks of abuses referred to in Article 97(1)(c) of Directive 2015/2366?
Background on the question

Pursuant to Article 97(1) of Directive (EU) 2015/2366, payment service providers (PSPs) must apply strong customer authentication (SCA) where, inter alia, the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Article 10 of Regulation (EU) 2018/389 allows PSPs not to apply SCA, subject to compliance with the requirements laid down therein, where the payment service user is limited to accessing a limited data set.

Neither Article 97 of Directive (EU) 2015/2366 nor Article 10 of Regulation (EU) 2018/389 restricts its scope of application to ASPSPs; both apply to all PSPs.

The EBA also referred to PSPs generally when addressing Article 10 of Regulation (EU) 2018/389, stating that: “Consequently for payment transaction history older than 90 days, the exemption to the obligation to apply strong customer authentication under Article 10 of the Delegated Regulation does not apply. For such information, payment service providers should always have to apply strong customer authentication” (Q&A 2018_4177).

Recital 93 of Directive (EU) 2015/2366 states that: “(…) The payment initiation service providers and the account information service providers on the one hand and the account servicing payment service provider on the other, should observe the necessary data protection and security requirements established by, or referred to in, this Directive or included in the regulatory technical standards (…)”. Recital 94 of that Directive also states that: “When developing regulatory technical standards on authentication and communication, EBA should systematically assess and take into account the privacy dimension, in order to identify the risks associated with each of the technical options available and the remedies that could be put in place to minimize threats to data protection”. Recital 95 of that Directive also states that: “(…) All payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. (…)”.

The exemptions set out in Chapter III of Regulation (EU) 2018/389, thus including Article 10 of that Regulation, “have been designed and defined on the basis of risk” (EBA Final Report on the draft RTS, p. 67, comment 39), as also recalled in Recital 9 and set out in Article 1(b) of that Regulation, and as required by Article 98(3)(a) of Directive (EU) 2015/2366 which mandates that such exemptions be based on “the level of risk involved in the service provided”. 

Article 10 of Regulation (EU) 2018/389 refers to users “accessing (…) items online (…)” and to users having “accessed online the information specified in paragraph 1(b)”; it does not further qualify the access falling within the scope of the provision. Account Information Service users access such information when accessing AISPs’ own channels wherein this information is compiled and stored.

There is no difference in the level of risk associated with accessing payment account information directly from the payment account serviced by ASPSPs and with accessing the transactional history previously retrieved and compiled by the AISPs in their own channels.

Both actions are associated with the same level of risk to users; the provisions mentioned above encompass both actions.

It is irrelevant that the initial access by AISPs to information held by ASPSPs is subject to the application of SCA by ASPSPs themselves. This question pertains to the access, by Account Information Service users, of the previously retrieved account information compiled and stored within the channels of AISPs, which are PSPs. 

Accordingly, it should be clarified whether AISPs should, in respect of the access to their own channels by users of their Account Information Services (an action through a remote channel as referred to in Article 97(1)(c) of Directive (EU) 2015/2366), apply SCA or (as the case may be) exempt users therefrom in accordance with the provisions of Article 10 of Regulation (EU) 2018/389.

Submission date: 20/10/2021
Status: Question under review
