Could Payment Service Providers (PSPs) be allowed to choose between applying SCA (Strong Customer Authentication) or not when a PSU (Payment Service User) accesses payment transactions data older than the last 90 days, without having access to sensitive payment data, and for a period of 90 days after its last access using SCA?
Article 10 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication – provides an exemption from SCA when a PSU accesses limited payment account information, namely the balance or the payment transactions data of the last 90 days.
Many ASPSPs' websites and TPPs' applications actually show to the PSU who accesses their payment account(s) online payment transactions data covering more than the last 90 days (meaning older data, i.e. data on payment transactions executed before).
As such, for a PSU accessing their payment accounts online (on a banking website, for instance) without SCA:
When he/she scrolls through the payment transactions and gets to older transactions (meaning here older than 90 days ago), then a SCA should be done;
When he/she uses the search engine to look for an old transaction (meaning here older than 90 days ago), then a SCA should be done;
When he/she uses PFM services (personal finance management), which usually show old transactions (meaning here older than 90 days ago), then a SCA should be done.
As a consequence, we note that the objective of Article 10 – which allows PSPs, for payment account information access, to apply SCA only every 90 days – cannot be reached. With the current practices of ASPSPs' websites and TPPs' websites (which show payment transactions older than 90 days ago), there is no interest for PSPs to use the SCA exemption of Article 10.2.b), because with today's customer habits and uses (refer to the 3 examples above), the PSP will have to apply a SCA right after the PSU's access. The requirement to consider the date of the payment transaction wipes out the purpose of applying the exemption described in Article 10.
According to Article 10(1) of Commission Delegated Regulation (EU) 2018/389, “payment service providers shall be allowed not to apply strong customer authentication where a payment service user is limited to accessing either or both of the following items online without disclosure of sensitive payment data: (a) the balance of one or more designated payment accounts; (b) the payment transactions executed in the last 90 days through one or more designated payment accounts”.
Consequently, for payment transaction history older than 90 days, the exemption from the obligation to apply strong customer authentication under Article 10 of the Delegated Regulation does not apply. For such information, payment service providers should always have to apply strong customer authentication.