.svg)
The European Banking Authority (EBA) has published another series of Q&As, with further clarifications on strong customer authentication (SCA) and other rules.
On Friday (September 29), the Paris-based regulator released a further seven Q&As. This means that it has in total answered 240 queries about the revised Payment Services Directive (PSD2), rejected 18, and intends to answer 13 more.
SCA queries dominate those answered in the latest batch.
One question asks if a bank, or other account servicing payment service provider (ASPSP), that offers redirected authentication with biometrics also needs to allow this for account information service providers (AISPs) and payment initiation service providers (PISPs).
Here, the EBA clarifies that payment service users (PSUs) should be able to use biometrics to authenticate with the ASPSP when using the services of an AISP or PISP.
Another asks whether revisions to the EU’s regulatory technical standards (RTS) for the 90-day exemption for account access mean that a PSU or AISP is now limited to accessing only the account balance, or the transaction details for the last 90 days when availing of the revised exemption.
Here, the EBA says that this remains unchanged from the previous rules, and that the 2022 amendment allows payment service providers (PSPs) not to apply SCA where a PSU is accessing its payment account online directly, “provided that access is limited to one of the following items online without disclosure of sensitive payment data — these being the balance of one or more designated payment accounts and/or the payment transactions executed in the last 90 days through one or more designated payment accounts”.
Furthermore, the amended RTS requires PSPs not to apply SCA where a PSU is accessing its payment account online through an AISP, based on the same above rules as when accessing an account onlline directly.
Limited network exclusion
Another issue addressed in the latest EBA Q&As is the limited network exclusion (LNE).
The LNE can be used when the relevant payment instrument meets a specific need and allows payment transactions for the purchase of goods or services.
Examples include fuel cards and membership cards, as they can only be used within a limited network of service providers or for a very limited number of goods or services.
In the Q&A, the trade association that submitted the question asked how to interpret the term “means of payment” in the LNE guidelines that were released last year.
The LNE definitions appear to vary throughout the EU, depending on the national competent authority in question.
For example, the German Federal Financial Supervisory Authority (BaFin) published its opinion that the term "means of payment" as used in the EBA Guidelines should be interpreted as "carrier" (no indication whether physical and/or digital).
The EBA clarifies in its response that the term “means of payment” does not distinguish between physical and digital means of payment and, therefore, captures both.
The term “single card-based means of payment”, meanwhile, refers to the means of payment that accommodates card-based payment instruments, while the term “other means of payment” refers to a means of payment that accommodates payment instruments that are not card-based, the EBA said.
The EBA further points out that the use of the terms “payment instrument” and “card-based payment instrument” are consistent with the respective definitions set out in the PSD2 and Interchange Fee Regulation.
SCA data retention
Another question submitted seeks clarification on whether the ASPSP should maintain a record of the consent of the PSUs and of AIS requests received through an AISP, and whether there is a specific retention period for these issues.
Here, the EBA says that ASPSPs should keep records of the authorisation of a payment transaction executed by the ASPSP, including, in the case of a transaction initiated through a PISP, evidence regarding the request received from the PISP, as well as evidence that the ASPSP has complied with the requirements set out in the PSD2, as well as the RTS for SCA.
ASPSPs also need to keep records regarding any access requests to a PSU account received from AISPs and evidence that the ASPSP has complied with the requirements.
The EBA, meanwhil, points to retention periods set out in relevant EU law and, where applicable, national law.
If an ASPSP is to go by the EU’s General Data Protection Regulation, this dictates that the data can be retained for as long as is necessary.
Regulator questions
One question submitted by a national competent authority (NCA) looks for answers from the EBA about statistics that ASPSPs need to publish.
ASPSPs are required to publish quarterly statistics on the availability and performance of the dedicated interface and of the interface used by PSUs.
However, the regulation does not specify what period should be covered.
Here, the EBA says that this was deliberate and advises that the competent authority may determine an appropriate period for which ASPSPs should maintain these statistics on their website.
The Central Bank of Hungary asked the EBA to clarify whether its 2018 RTS on SCA makes it possible to use the same SCA element to authorise a payment and approve a payee as a trusted beneficiary.
If it is allowed, the central bank asked whether the PSU should be informed prior to authorisation by an approved SCA element (SMS) about the payment execution and about modifying the list of the trusted beneficiaries as well.
“We identified a fraudulent transaction pattern where fraudsters have gained credentials of a PSU and the fraudsters have created a mobile app and have initiated a payment at the first time with an extremely low amount and at the same time it is possible to set their own account as trusted beneficiary by using a checkbox in the mobile app which the fraudsters have done,” the regulator explains.
The central bank says in this case fraudsters can save their own account as a trusted beneficiary and can initiate and execute any payments without SCA.
Here, the EBA says that one of the authentication elements used for initiating an electronic payment transaction may be reused when the payer adds a payee to the trusted beneficiaries list.
However, reusing the same two SCA elements applied for initiating an electronic payment transaction when adding a payee to the trusted beneficiaries list is not compliant with the legal requirements.
Finally, a question filed by a NCA looks for answers regarding service downtimes.
For example, if an incident with a duration of two hours disrupts transaction processing and occurs around the daily cut-off time of same-day transaction processing then the incident may be of a short duration but, as a result, transactions are booked one day later.
“Considering this example, what service downtime should the payment service provider (PSP) indicate in the PSD2 notification? Just the net time of the failure or the total time any payment service users are affected by delayed transactions?” the authority asks.
Here, the EBA says that PSPs should count the service downtime from the moment the downtime starts until the moment the payment services affected by the incident are executed.
