2019_4693 Scope of the corporate SCA exemption.

Question ID: 2019_4693
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: b
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 17
Name of institution / submitter: Quali-Sign LTD
Country of incorporation / residence: United Kingdom
Type of submitter: Other
Subject matter: Scope of the corporate SCA exemption.
Question: Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?
Background on the question: Prior to the application of PSD2, in the corporate banking space many Payment Initiation Service Providers (PISPs) offered multi-banking services to corporates (e.g. via a browser front end or mobile app). These PISPs connected to the AISP via 'secure corporate payment processes and protocols' such as SWIFTNet, the Electronic Internet Banking Communication Standard (EBICS) or via 'host-to-host' protocols such as Secure FTP (SFTP). Many of these PISPs may choose to retain their existing connections as opposed to migrating to a new XS2A API. The text of the PSD2 directive does not appear to distinguish between PISPs that connect to ASPSP's via a certified PSD2 dedicated interface (XS2A API's) and those that connect via other dedicated 'secure corporate payment processes and protocols'. The text of Article 17 refers to "the use of dedicated payment processes or protocols that are only made available to payers who are not consumers". There is no mention of PISP's using these 'dedicated payment processes or protocols' in this article.
Submission date: 02/05/2019
Final publishing date: 14/06/2019
Final answer: ‘Payment initiation’ as a process in Article 17 of the Commission Delegated Regulation (EU) 2018/389 is not to be confused with payment initiation services; the latter referring to a payment that is initiated by a third party. Further, in accordance with Article 66(1) of PSD2, a payer has the right to make use of a payment initiation service provider (PISP) to initiate a payment. In the case where a payer uses a PISP to initiate a payment, as clarified in paragraph 39 of the EBA Opinion on the implementation of the RTS on strong customer authentication and secure communication (EBA-Op-2018-04), it is the responsibility of the account servicing payment service provider (ASPSP) to identify whether or not an exemption applies, including the exemption under Article 17 of the Delegated Regulation.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer