Printable version

EBA guidelines on strong customer authentication

The European Banking Authority has published an opinion on how to implement technical standards on strong customer authentication and the FCA has responded.

The regulatory technical standards (RTS) on strong customer authentication (SCA) under the Payment Services Directive II (PSD2) have caused some uncertainty in the market. As a result, the EBA issued an opinion and draft guidleines on 13 June to clarify some issues.

These include:

  • The fact that an account information provider (AISP) is able to access the maximum amount of data available on a customer's payment accounts irrespective of the channel (mobile or web)
  • But a payment provider may only access the data necessary to initiate the payment
  • The account service provider (ASPSP - eg the bank) need not provide an data on the customer's identity, date of birth etc
  • An account information providercan only access a customers account 4 times per day unless:
    • the customer is actively requesting the info
    • the AISP has contractual arrangements with the ASPSP
  • A PISP may initiate al the same transactions the ASPSP offers its own customers - eg instant payments, international transfers, recurring and future-dated payments
  • On two-factor authentication, the EBA states that the card number, CVV, expiry date does not count as 'something a user only knows' on its own -dynamic validation is required.
  • While a customer can access a PISP or an AISP service using credentials from that service, the SCA must be applied at the ASPSP end - only the ASPSP can decide.
  • On the mechanism of authentication, the EBA clarifies that redirection is not per se an obstacle to the provision of services under PSD2. THe RTS states that it 'may' be so, if it is implemented in an obstructive manner.

FCA Response

In reponse the FCA has published a statement saying that it will consult on changes to its own guidelines. It also notes that:

  • ASPSPs should provide dedicated access to TPPs using secure application programming interfaces (APIs). The FCA encourages providers to use standardised APIs, such as those developed by the Open Banking Implementation Entity, where applicable.
  • Where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS from 14 September 2019. 
  • All ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019. But the FCA encourages ASPSPs to do this as soon as possible before that date. 
  • The RTS does not allow us to grant a partial exemption. We will provide opportunities for ASPSPs to engage with us before submission of the exemption request.  We also encourage timely requests for exemption as we will need time to make an exemption assessment.


Channel website:

Original article link:

Share this article

Latest News from

How does Whitehall really work?Effective Government Policy Making...find out more