New account access rules without SCA

On July 25, 2023, the amendment to the RTS to PSD2 enters into force, changing the rules for logging into the account without SCA directly and via AIS.

WITH AIS ACCESS THE BANK MAY NOT USE SCA FOR 180 DAYS. IN ELECTRONIC BANKING WITHOUT SCA, THE USER SEES EITHER THE TRANSACTION HISTORY OR THE BALANCE, BUT NOT BOTH TOGETHER

Timeline

RTS SCA CSC 2023 – go to the content of the act on the publisher’s pages (link active 11.05.2023).

  • published 05.12.2022, entered into force 25.12.2022
  • effective 25.07.2023, the deadline for changing the PSD2 interface specification in most cases is 25.05.2023.

Scenarios covered by the regulation

The regulation governs the use of strong user authentication (SCA) when accessing a payment account. This includes both:

  • direct access, i.e. via an electronic banking application, whether classic or mobile, and
  • access via an account information service (so-called AIS, or account information services); AIS access is currently most commonly used for credit assessment, primarily by loan companies.

Logging without SCA via e-banking and mobile banking

The RTS amendment introduces the following changes to logging in via the account provider’s application (bank, SKOK, other account providers, including a payment institution or small payment institution, electronic money institution), i.e. in Art. 10 RTS:

  1. after any login with SCA, the account provider may, but is not obliged to, allow a login period without SCA for 180 days, instead of 90 days as before;
  2. in login mode without SCA, the user may access information:
    1. either about the balance,
    2. or the transactions for the last 90 days,

but not both together.

This means that the current practice, where after logging in without SCA the user accesses electronic banking with full account information, with only the transaction history limited to 90 days, will no longer be allowed. In this mode the user can see either the balance or the transaction history, but not both together.

The above conclusion results directly from the content of the Regulation:

Article 10 Payment service providers may not use strong customer authentication, subject to the requirements of Art. 2, where a payment service user accesses his payment account directly online provided that the access is limited to one of the following online items without disclosing sensitive payment data:

a) the balance of one or more designated payment accounts;

b) payment transactions carried out in the last 90 days through one or more designated payment accounts.

Other language versions contain similarly unambiguous wording.

This solution is surprising and has not previously been signalled by the European Commission. The draft of the regulation in question, presented by the European Banking Authority, did not provide for such a solution, yet this draft was formally the basis for the regulation issued by the European Commission. Also, the preamble to the regulation (recital 4) refers to the conjunction ‘balance and transactions’ and does not use a disjunctive alternative. A similar discrepancy was encountered, inter alia, with the MIFREG Regulation, where the preamble (recital 36) prohibited surcharge fees on consumer cards, while a provision to this effect was only introduced in PSD2 (Article 62(4) PSD2, Article 37a(3) Payment Services Act). According to well-established EU case law, in case of a discrepancy between a preamble and a provision of an EU act, the provision will prevail.

Providers operating an account will have to choose:

  1. either to maintain the current practice of logging in to the account with a display of the balance and transactions, which will require an SCA at each login;
  2. or to maintain logging in without an SCA, but limit the information to the balance only.

Access to the account via AIS

The amendment to the Regulation introduces fundamental changes to the use of the SCA when accessing a payment account via the AIS service. This method is currently used as a credit assessment and identity verification mechanism, mainly by lending institutions that use third-party AIS providers for this purpose.

SCA in account access via AIS

The Regulation prohibits the payment account provider from performing SCA on a user who accesses the account using AIS. SCA may only be applied on the first AIS access via the relevant AIS provider. The prohibition applies for 180 days after the last access with SCA via the AIS provider concerned. Although the wording of the provision does not state expressly that the above limits are counted separately for each individual provider, on a purposive reading this is beyond doubt. It is also confirmed by recital 4 of the regulation.

The regulation exceptionally allows the account provider to execute an SCA against the user only if there are reasons relating to unauthorised or fraudulent access to the account. These reasons must be documented and presented to the FSA upon request.

Since most of the current business models for the AIS service in Poland assume one-time access (credit assessment, KYC), the change will not materially affect the provision of this service. In markets where the AIS service is used for treasury management and accounting services, the change will facilitate the use of these functions.

Information available in the AIS service without SCA

Similar to access through the account provider’s application, with AIS access without SCA, the user can access either the balance or the transaction history, not both combined.

Further analysis is required as to whether, under the new rules, an AIS provider can alternately retrieve balance information and transaction information in subsequent queries without an SCA. The AIS provider is entitled to 4 queries per day without the payer being present in the AIS application, which would allow the balance and transaction information to be updated twice daily without the user having to perform an SCA.
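To make the two rule sets above concrete (the direct-login rule in Art. 10 and the per-provider 180-day AIS rule), here is an added example of an SCA decision function; it is illustrative code written for this page, not code from DLK Legal or from any bank's PSD2 interface. It assumes a hypothetical account provider that chooses to grant the optional direct-channel exemption, and models the balance-or-transactions restriction, the per-AISP window, the first-access SCA, the documented-fraud exception and the 90-day transaction window.

```python
from dataclasses import dataclass
from datetime import date, timedelta

EXEMPTION_DAYS = 180   # amended Art. 10 RTS: no SCA for 180 days after the last SCA (was 90)
HISTORY_DAYS = 90      # without SCA only transactions from the last 90 days may be shown
ITEMS = {"balance", "transactions"}

@dataclass
class Decision:
    sca_required: bool
    reason: str

def decide(last_sca, channel, requested, today, fraud_reason=None):
    """Decide whether SCA must be applied to one account-access request.

    last_sca    : dict mapping "direct" or an AIS-provider id to the date of the
                  last SCA on that channel (window counted per provider, recital 4)
    channel     : "direct" for the account provider's own app, otherwise an AISP id
    requested   : subset of ITEMS the caller wants to read
    fraud_reason: documented reason relating to unauthorised or fraudulent access,
                  the only ground for SCA on an AIS access inside the window
    """
    if not requested or not requested <= ITEMS:
        raise ValueError("requested must be a non-empty subset of ITEMS")
    if len(requested) > 1:
        # balance AND transactions together are never available without SCA
        return Decision(True, "balance and transactions together require SCA")
    last = last_sca.get(channel)
    within = last is not None and (today - last).days < EXEMPTION_DAYS
    if channel == "direct":
        # the provider MAY grant the exemption; this hypothetical provider does
        if within:
            return Decision(False, "direct access within 180 days of last SCA")
        return Decision(True, "no SCA on the direct channel in the last 180 days")
    if last is None:
        return Decision(True, "first access via this AIS provider")
    if fraud_reason:
        return Decision(True, f"documented fraud reason: {fraud_reason}")
    if not within:
        return Decision(True, "180 days since last SCA via this AIS provider")
    return Decision(False, "AIS access within 180-day window: SCA prohibited")

def visible_transactions(transactions, today):
    """Keep only (date, amount) entries inside the 90-day window allowed without SCA."""
    cutoff = today - timedelta(days=HISTORY_DAYS)
    return [tx for tx in transactions if tx[0] >= cutoff]

# constructed sample data for illustration, not real account activity
SAMPLE_TXS = [(date(2023, 5, 2), -10.0), (date(2023, 5, 3), 250.0), (date(2023, 7, 31), -42.5)]
```

The `reason` string is what a provider would log to evidence, on request from the supervisor, why SCA was or was not applied.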

Change to the API specification

Changing the SCA rules for AIS access will result in a change to the PSD2 interface rules and therefore a change to the technical specification. In accordance with Article 30(4) of the Regulation, account providers shall make changes to the specifications available a minimum of 3 months in advance.

The amendment introduces a specific deadline. Changes to the specifications, resulting from the amendment, may be announced two months in advance, i.e. by 25 May 2023.

Other issues of the amendment

The amendment to the regulation further regulates:

  1. the transition from a 90-day deadline to a 180-day deadline if the 90-day deadline for accesses prior to 25.07.2023 falls after this date;
  2. obligations to introduce the 180-day rule without SCA into the user interface serving as a fallback interface.

What we provide

Regulatory support in managing the strong authentication architecture for account providers, payment instruments and TPP service providers. Our experience includes e.g. implementation of strong authentication based on behavioral biometrics, physical biometrics (iris), obtaining permits from the Polish Financial Supervision Authority regarding the implementation of strong user authentication, including obtaining an exemption from its use pursuant to Art. 17 of the RTS, postponing the deadline for its implementation based on the guidelines of the EBA and the Polish Financial Supervision Authority.
