The European Banking Authority (EBA) has published answers to four further questions regarding strong customer authentication (SCA) requirements.
In the latest batch of clarifications related to the revised Payment Services Directive (PSD2), the Paris-based regulator has focused entirely on SCA-related issues.
A question was submitted in May 2021 by Bizum, the Spanish mobile payments service, asking whether a payee’s payment services provider (PSP) can apply an exemption from the security rule in credit transfers that are initiated through the payee.
Bizum specifically called out the example of a request-to-pay transaction, whereby the payee initiates the request for payment to the payer (albeit separately from the payment message), and "in certain e-commerce payment services such as Bizum where the e-commerce payment is channeled by the same virtual Point of Sale (POS) as cards".
The EBA clarified that "the payee's PSP cannot apply an exemption from SCA when the payer initiates a credit transfer, even if the transaction is initiated through the payee".
In its reasoning, the regulator indicated that Article 4 of PSD2 defines a credit transfer as a “payment service for crediting a payee's payment account with a payment transaction or a series of payment transactions from a payer's payment account by the payment service provider which holds the payer's payment account, based on an instruction given by the payer”.
Additionally, the EBA noted a previous answer it gave to the Smart Payment Association which clarified that credit transfers are by definition payer-initiated electronic payments (i.e., they cannot be initiated by a payee) and that SCA applies to them in accordance with Article 97 of PSD2.
A question submitted by the Central Bank of Malta asked the EBA about the application of SCA for confirmation of funds requests made by a payment initiation service provider (PISP).
The question, submitted in October 2021, asks whether two SCAs can be applied when a fund confirmation is made by a PISP, meaning one for fund confirmation and one for payment initiation.
Additionally, a follow-up question asked whether account servicing payment service providers (ASPSPs), typically a bank, must provide confirmation to a funds confirmation request made by a PISP before or after the payment is submitted.
The EBA confirmed here that a separate SCA for providing the confirmation of funds is not necessary.
This is because requiring two SCAs in a PIS-only journey where the PISP transmits to the ASPSP all the information necessary to initiate the payment would actually be classified as an obstacle to the provision of payment initiation services under Article 32 of the Delegated Regulation.
This holds unless the ASPSP has duly justified security arguments as to why two authentications are necessary.
With regard to the second question, the EBA stated that the ASPSP should provide the SCA confirmation immediately upon request from the PISP.
“Therefore, as soon as the PISP requests the ASPSP to provide such confirmation, which could be before or after the payment initiation request, the ASPSP should immediately provide the answer to the PISP,” the answer states.
Another question, submitted in September 2021 by a credit institution, also tackled the contrast between obstacles and security.
It was asked whether having a secured communication channel between an ASPSP and a third-party provider (TPP) can be of operational value for purposes such as data exchange during the TPP's onboarding or communication in case of an incident.
“A simple way to realise this, is to encrypt those communications, and the (sic) ASPSP sends a decryption password to the TPP out-of-band via SMS,” the credit institution said. “This of course requires that the ASPSP knows a mobile phone number inside of the TPP’s organisation, which could be seen as an obstacle in the onboarding process, as it is not strictly necessary.”
The credit institution says this practice could be implemented, but adds that it is not clear, either to the institution or to its supervisory body, whether such an implementation would fall within the boundaries of an acceptable interpretation.
The EBA answered that this would not be possible to do in compliance with PSD2.
“Requiring TPPs to provide a mobile phone number to ASPSPs for submission of decryption password via an SMS is an obstacle,” the regulator concludes.
A 2021 question submitted by another credit institution asked whether ASPSPs are required to allow a redirection of the payment service user (PSU) to an ASPSP’s mobile web authentication page, which is considered less secure.
According to the questioner, some ASPSPs have decided not to offer directly to their PSUs access to their electronic banking via mobile web browsers, due to “duly justified security reasons”.
Reasons cited for this reluctance include the view that the security of a mobile app is much higher than that of a mobile browser, and that mobile browsers are much more vulnerable to phishing because the web address is normally not displayed.
In addition, because the ASPSP cannot have a contractual relationship with the AISP or PISP, the ASPSP has no legal means to require AISPs/PISPs to provide the device profiling, such as the device fingerprint, that the ASPSP requires in its direct relationship with the PSU.
Here, the EBA clarified that neither PSD2 nor the regulatory technical standards (RTS) that the regulator issued in light of the regulation require the ASPSP to enable PSUs to authenticate via a mobile web browser when an AISP or PISP is used.
However, if the PSU is using an AISP or PISP’s services via a mobile web browser, and the ASPSP does not offer its PSUs the possibility to authenticate via a mobile web browser authentication page when directly accessing their payment accounts or initiating a payment with the ASPSP, it will not be an obstacle if the PSU is redirected to the ASPSP’s authentication app.
The EBA said this is provided that it is the only way in which PSUs can authenticate when directly accessing their payment accounts with the ASPSP.
In such an instance, the ASPSP should keep in mind the EBA’s opinion on obstacles, the EBA advised.
That opinion advises that the PSU should be redirected to the ASPSP’s authentication app without any additional and unnecessary steps in between, and that after authentication with the ASPSP the PSU is automatically redirected back to the AISP/PISP’s page.