Single Rulebook Q&A

Question ID: 2018_4120
Legal act : Directive 2015/2366/EU (PSD2)
Topic : Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: (b)
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph : 13
Name of institution / submitter: European Association of Co-operative Banks
Country of incorporation / residence: Belgium
Type of submitter: Industry association
Subject matter : Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

Background on the question:

Article 13 of the RTS on strong customer authentication and common secure communication creates an exemption from strong customer authentication based on the list of trusted beneficiaries.

Date of submission: 16/07/2018
Published as Final Q&A: 21/12/2018
EBA answer:

In accordance with Article 13(1) of the Commission Delegated Regulation (EU) 2018/389, "payment service providers shall apply strong customer authentication (SCA) where a payer creates or amends a list of trusted beneficiaries through the payer’s account servicing payment service provider."

Accordingly, for lists of trusted beneficiaries that already existed before the application of the Delegated Regulation (and have been developed in the same context as an exemption to the requirement to use SCA under the general authentication requirements in Article 2 of the Delegated Regulation), SCA should be required only when there is an amendment to this list. The payment service user would not need to re-create that list.

Status: Final Q&A
Permanent link: link