- Question ID
-
2021_5821
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
4
- Paragraph
-
30
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
6
- Type of submitter
-
Other
- Subject matter
-
Strong customer authentication (SCA) Knowledge element: Place of Birth and Date of Birth
- Question
-
Does a payer’s date of birth and place of birth constitute a valid Knowledge Element for strong customer authentication.
- Background on the question
-
After reading many different articles, Knowledge should be something in the customers head. So if a date of birth can be viewed across many different forms of personal information (even through the window of some letters in your letterbox or my facebook page) and my Place of birth can be found on my passport.,
Should my bank be using this to validate Knowledge for making data changes?
- Submission date
- Final publishing date
-
- Final answer
-
Article 4(30) of Directive 2015/2366/EU (PSD2) defines knowledge as something only the user knows.
Article 6 of Regulation (EU) 2018/389 specifies the requirement for payment service providers (PSPs) to mitigate the risk that the element is ‘uncovered by, or disclosed to, unauthorised parties’ and to have mitigation measures in place ‘in order to prevent their disclosure to unauthorised parties’.
Accordingly, date and/or place of birth cannot constitute a knowledge element under PSD2 and the Delegated Regulation since these may be accessible by third parties other than the payment service user or the PSP.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.