Question ID:
2018_4068
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
Paragraph:
1
Subparagraph:
a
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
4(3)(d)
Type of submitter:
Credit institution
Subject Matter:
Exemption from strong customer authentication (SCA) for payment account information in combination with accessing account information online in web browser
Question:

Is it acceptable to abstain from applying the 5-minute rule when the strong customer authentication (SCA) exemption for payment account information is in use?

Background on the question:

To be able to trade securities online, the user has to know the balance of his account, so he can decide whether or not he will trade.

For this process the user uses a web API that will stay online for more than five minutes, to be able to trade directly without the delay of a new authentication.

It is our understanding of RTS Article 4(3)(d) that a given authentication expires in a browser-based application if the user has no activity during online access to his payment accounts. After that the authentication has to be renewed. In a browser-based application this means that the affected functionalities should be deactivated: the session has expired and a new authentication is required for further actions.

The fixed time is impractical in our opinion.

The currently available funds on the payment account are constantly displayed in the browser-based application for trading securities. The related payment account belongs to the securities account of the user. The payment account is used for clearing transactions on the securities account (referring to Question 2018-4023). The user observes trends of securities and wants to be able to act without hesitation in our browser-based application. Observing trends of securities often needs more time than five minutes. So we want to avoid that the user has to renew his authentication for online access to his payment account when he wants to check his funds for placing an order.

By using the exemption from SCA for payment account information (RTS Art. 10) we (the ASPSP) shall be allowed not to apply SCA where the conditions mentioned in the RTS are met. Applying this exemption leads in our opinion to the fact that we do not have to deactivate the display of payment account information in the browser-based application when the user has no activity for five or more minutes. We think there is no difference between accessing payment account information, for example, through an AISP and accessing it in a browser-based application. The channels used for accessing payment account information are not marked as relevant for applying the exemption from SCA in the RTS. So, if the user is not accessing payment account information for the first time and the last authentication using SCA is not 90 days or more ago, the payment account information can be displayed independently of activity by the user in the application. When applying SCA for log-in to the browser-based application, the payment account information can be constantly displayed, because counting the days starts anew with every log-in.

Accessing the remittance form can act independently of payment account information in the sense of the five-minute rule and requires authentication after more than five minutes of inactivity. Our focus is the payment account information for displaying it to the user.

Date of submission:
03/07/2018
Published as Final Q&A:
21/12/2018
EBA Answer:

Article 4(3)(d) of the Commission Delegated Regulation (EU) 2018/389 states that payment service providers (PSPs) shall ensure that the authentication by means of generating an authentication code includes, inter alia, a maximum time of 5 minutes without activity by the payer after being authenticated for accessing its payment account online. The scope of Article 4 is limited to the cases where strong customer authentication (SCA) is applied. The 5-minute inactivity rule would not apply where account information access benefits from an exemption under Article 10 of the Delegated Regulation because the last time SCA was applied was less than 90 days ago and it otherwise complies with data limitation under this Article.
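
As an added illustration (not part of the EBA's answer or of the submitter's system), the following Python sketch encodes the rule the answer states: the Article 4(3)(d) inactivity limit governs sessions where SCA is applied, while account-information access covered by the Article 10 exemption sits outside Article 4. The `Session` fields, the `within_art10_data_limits` flag and the sample timestamps are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

INACTIVITY_LIMIT = timedelta(minutes=5)     # RTS Art. 4(3)(d): max idle time
SCA_EXEMPTION_WINDOW = timedelta(days=90)   # RTS Art. 10: last SCA < 90 days ago


class Action(Enum):
    VIEW_ACCOUNT_INFO = "view_account_info"   # balance / recent transactions
    INITIATE_PAYMENT = "initiate_payment"     # e.g. the remittance form


@dataclass
class Session:
    last_sca_at: datetime            # when SCA was last completed for this user
    last_activity_at: datetime       # last interaction in the browser session
    first_info_access: bool          # exemption is not available on first access
    within_art10_data_limits: bool   # assumption: caller has checked the
                                     # data-limitation conditions of Art. 10


def art10_exemption_applies(session: Session, now: datetime) -> bool:
    """Account-information access may skip SCA under Art. 10."""
    if session.first_info_access or not session.within_art10_data_limits:
        return False
    return now - session.last_sca_at < SCA_EXEMPTION_WINDOW


def idle_too_long(session: Session, now: datetime) -> bool:
    """Art. 4(3)(d): more than 5 minutes without payer activity."""
    return now - session.last_activity_at > INACTIVITY_LIMIT


def requires_sca(action: Action, session: Session, now: datetime) -> bool:
    """True if the ASPSP must (re-)apply SCA before serving this action.

    Exempted account-information access is outside Article 4, so the
    5-minute rule does not bite. Everything else is treated as an
    SCA-protected session that expires on inactivity. Whether a payment
    then needs its own transaction-level SCA is not modelled here.
    """
    if action is Action.VIEW_ACCOUNT_INFO and art10_exemption_applies(session, now):
        return False
    return idle_too_long(session, now)
```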

Status:
Final Q&A