Single Rulebook Q&A

Question ID: 2018_4360
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 13
Paragraph: 2
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: Article 13/Paragraph 2
Type of submitter: Credit institution
Subject matter: Application of the exemption related to a trusted beneficiary
Question:

Has the exemption related to a trusted beneficiary to be applied on an account basis or rather to a list of accounts included in an online banking agreement? Whose list has to be considered in case of a power of attorney where the initiator is not the account owner? What happens in case of a shared account where each one holds his own trusted beneficiary lists?

Background on the question:

Article 13(2) of the RTS on Strong Customer Authentication states that SCA can be exempted where "the payer initiates a payment transaction and the payee is included in a list of trusted beneficiaries previously created by the payer".

Furthermore, Article 4(8) of the PSD2 defines the payer as "natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order".

The RTS clearly refers to the payer (=account owner) of the transaction. However, in some cases (power of attorney, common account), other persons than the sole account owner can initiate a payment on the same account, where each one of them manages his own trusted beneficiary list (linked to his personal online banking access). It is not clear if the list of the account owner or the list of the authorized initiator of the transaction has to be considered, in order to decide whether an exemption can be allowed or not.

Date of submission: 07/11/2018
Published as Final Q&A: 08/03/2019
EBA answer:

Article 13(2) of the Commission Delegated Regulation (EU) 2018/389 states that where the payee is on ‘a’ list of trusted beneficiaries previously created by the payer, strong customer authentication (SCA) may not apply. Further, Article 13(1) of the Delegated Regulation states that SCA applies where the payer creates or amends the list through the payer’s account servicing payment service provider (ASPSP). Article 13 refers to ‘a’ list and ‘the payer’. Under Article 4(8) of PSD2, ‘payer’ is defined as “a natural or legal person who holds a payment account and allows a payment order from that payment account, or, where there is no payment account, a natural or legal person who gives a payment order”. Accordingly, the list would refer to the one created by each account holder.

The exemption should be applied on an account by account basis. Nevertheless, the decision whether a list of trusted beneficiaries applies to more than one account, and the corresponding process of authentication, will depend upon the agreement between the ASPSP and the payment service user. Where a power of attorney (PoA) is in place, the list to be considered is that of the payer on whose behalf the PoA holder is acting.

In the event of a joint account, each account holder may have its own trusted beneficiary list. In this case, the list to be considered should be the list of the acting account holder at the time the payment is initiated. It is for the contract between the payment service users (PSU) and the ASPSP to determine whether it is possible or not to have a different trusted beneficiary list for each account holder or group of account holders using the account.

Status: Final Q&A