- Question ID: 2023_6833
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 10
- Type of submitter: Competent authority
- Subject matter: The SCA-Exemption for account access based on art. 10 of Regulation (EU) 2018/389 as amended by Regulation (EU) 2022/2360.
- Question
We require a clarification with reference to art. 10 of Regulation (EU) 2018/389 as amended by Regulation (EU) 2022/2360, regarding the meaning of the sentence: “…provided that access is limited to one of the following items online…”.
Does it mean that the 180 days exemption is not allowed in case the PSU requires at the same time and in the same request: i) balance and ii) transactions-list of her/his payment account?
- Background on the question
The initial text of art.10 of the Regulation (EU) 2018/389 was as follows:
“Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and in paragraph 2 of this article, where a payment service user is accessing its payment account online directly, provided that access is limited to either or both of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
…..”
These provisions have been amended by Art. 1 of Regulation (EU) 2022/2360 as follows:
“…1. Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:
(a) the balance of one or more designated payment accounts;
(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.
………”
We observe that the sentence “limited to either or both of..” in the original art.10 is changed to “limited to one of the following items” in the new art.10 and art.10a as defined in Regulation (EU) 2022/2360.
The new wording could be read in a way to restrict the RTS art.10 exemption to use cases where the PSU requires to access only a single item (balance or transaction list), excluding the possibility of applying the exemption where the access request refers to both the balance and the last 90 days transaction history.
This is not in line with the previous art. 10 provisions, currently implemented by all operators, where the SCA exemption is allowed also for PSU accesses where balance and transaction list are retrieved in a single request; also, this new wording seems to contradict the recitals of the provision, which are intended to extend the application of the SCA exemption, and not to reduce it.
In addition, this possible interpretation seems to be incoherent with recital 4 of the Regulation (EU) 2022/2360, which states that “The exemption should be limited to access to the balance and the recent transactions of a payment account without disclosure of sensitive payment data”. Here the exemption is referring to both items (balance and transaction list) without a distinction between a single request and separate requests.
As a result, and despite the unclear wording of the new art. 10 and art. 10a, the SCA exemption applies also where the access request refers both to the balance and the last 90-days transaction history.
- Submission date
- Rejected publishing date
-
- Rationale for rejection
This question has been rejected because the matter it refers to is in the process of being answered in Q&A 6820.
- Status: Rejected question