There is a seeming inconsistency between RTS on strong customer authentication (SCA) and secure communication (CSC) (Delegated Regulation (EU) 2018/389), the EBA opinion on the application of RTS on SCA and CSC (EBA-Op-2018-04), and the Q&A answer EBA Q&A 2018_4089.

1. Article 10 of the RTS on strong customer authentication and secure communication, states:
"(Payment Services Providers) PSPs shall be allowed not to apply SCA, (...), where a (Payment Services User) PSU is limited to accessing either or both of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts."

Article 36(5) of the RTS on SCA and CSC, states:
“Account information service providers shall be able to access information from designated payment accounts and associated payment transactions held by account servicing payment service providers for the purposes of performing the account information service in either of the following circumstances:
(a) whenever the payment service user is actively requesting such information;
(b) where the payment service user does not actively request such information, no more than four times in a 24-hour period, unless a higher frequency is agreed between the account information service provider and the account servicing payment service provider, with the payment service user's consent.”

COMMENT: The above articles seems to entail that the SCA exemption under Article 10 of the RTS shall be applied mandatorily by ASPSP whenever an Account Information Service Provider (AISP) is requesting it, otherwise it would not be possible for AISPs to exercise their right to perform automated AIS accesses without the PSU. ex art 36(5).

2. EBA Opinion on the implementation of the RTS on SCA and CSC, EBA-Op-2018-04, paragraph 38, states: “…the PSP applying SCA is the PSP that issues the personalised security credentials [i.e. the ASPSP]. It is consequently also the same provider that decides whether or not to apply an exemption in the context of AIS and PIS.
EBA Opinion EBA-Op-2018-04, paragraph 39, states: “…only the ASPSP can apply SCA or decide whether or not an exemption applies to a PSU’s payment account in the context of AIS and PIS.”

COMMENT: EBA Opinion EBA-Op-2018-04 states that all exemptions - thus including Article 10 of the RTS - are applicable in a fully discretionary way by the ASPSP. Therefore, an ASPSP may decide to never apply the exemption ex art 10 to the AIS services, or to apply such exemption only when the PSU is accessing through the ASPSP direct channels (e.g. Internet Banking) and to avoid applying it when the PSU accesses through an AISP, i.e. to apply it in a discriminatory way versus Third Party Providers (TPPs). It seems that the statements included in the EBA Opinion EBA-Op-2018-04, paragraph 38 and 39, if not mitigated, are at odds with a key objective of the PSD2 i.e. to create a "level playfield" between ASPSPs and TPPs. Furthermore, there is a significant contradiction with respect to Article 36(5) of the RTS.

3. Q&A Tool / EBA Q&A 2018_4089 “PSD2 does not distinguish between payment transactions that may have been made using a payment initiation service provider or not. Similarly the Commission Delegated Regulation (EU) 2018/389 does not distinguish whether a payment transactions has been made using a payment initiation service provider or not for the purpose of applying an exemption.”

COMMENT: In this EBA Answer a further different notion is affirmed both with respect to Article 36 (5) of the RTS, and in relation to paragraphs 38 and 39 in this EBA Opinion : i.e. for the purpose of applying the SCA exemptions, the input channel of the payment request (bank's own channel or TPP channel) is not relevant.

The EBA answer 2018_4089 is explicitely referred to exemptions related to PIS requests (RTS art. 11 to 18), however by applying the same concept to the exemption for AIS requests pursuant art. 10, it could be deduced that "it is the ASPSP that always decides whether or not to apply an exemption, provided that the same exemption is applied regardless of the channel from where the request is coming (own channel or XS2A)".

The above rule would not be discriminatory against TPPs (like the one described in paragrah 38 and 39 of the EBA opinion EBA-Op-2018-04), but it is still at odds with Article 36(5) of the RTS.