- Question ID
-
2023_6949
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- Paragraph
-
1
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
17 and 4 (3) d
- Name of institution / submitter
-
The Central Bank of Hungary
- Country of incorporation / residence
-
Hungary
- Type of submitter
-
Competent authority
- Subject matter
-
Secure corporate payment processes and protocols and inactivity time period
- Question
-
May the period of inactivity required by Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication (hereinafter: RTS on SCA & CSC), Article 4(3)(d), be changed from 5 minutes to 20 minutes if the exemption based on Article 17 of the RTS on SCA & CSC has been granted by the competent authority to the payment service provider?
- Background on the question
-
During a supervisory inspection the competent authority observed that one of the payment service providers (hereinafter: PSP) had increased the inactivity period from 5 minutes to 20 minutes, in view of the fact that the PSP had received an exemption from its home national authority under Article 17 of the RTS on SCA & CSC.
Article 17 of the RTS on SCA & CSC states that payment service providers may decide not to apply strong customer authentication (SCA) “in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers”, provided competent authorities are satisfied that the levels of security are equivalent to those provided for by Directive 2015/2366/EU (PSD2). However, it is not unambiguous whether the foregoing also means that the PSP may increase the inactivity period from 5 minutes to 20, as this would be contrary to Article 4(3)(d) of the RTS on SCA & CSC.
- Submission date
- Final publishing date
-
- Final answer
-
Article 17 of the Delegated Regulation (EU) 2018/389 prescribes that ‘payment service providers (PSPs) shall be allowed not to apply strong customer authentication (SCA), in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by Directive (EU) 2015/2366.’
Article 4(3)(d) of the Delegated Regulation provides that PSPs shall ensure that the ‘authentication by means of generating an authentication code includes … the maximum time without activity by the payer after being authenticated for accessing its payment account online shall not exceed 5 minutes.’
Article 4(3)(d) of the Delegated Regulation introduces a security requirement related to the application of SCA and Article 17 of the Delegated Regulation allows competent authorities to exempt dedicated payment processes or protocols from the application of SCA if these offer equivalent levels of security.
Accordingly, where a PSP intends to introduce a longer period of inactivity during the authentication than that provided for in Article 4(3)(d) of the Delegated Regulation, the PSP should introduce additional or alternative security measures to ensure that the level of security of the payment process or protocol is equivalent to that provided by PSD2.
Where no additional or alternative security measures are in place, the time without activity shall not exceed 5 minutes.
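The following is an added illustration, not part of the EBA's answer and not any PSP's code, of how the rule above can be enforced in a session layer: the idle limit is clamped to 5 minutes unless the channel is a dedicated non-consumer channel and the PSP has recorded the additional or alternative measures that back its Article 17 exemption. The channel names, the control labels ("mutual_tls", "ip_allowlist") and the session-store API are assumptions chosen for the example; the RTS does not prescribe any particular compensating measure.

```python
"""Idle-timeout policy check and enforcement (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Article 4(3)(d) RTS: no more than 5 minutes without activity after authentication.
RTS_MAX_IDLE = timedelta(minutes=5)


@dataclass(frozen=True)
class ChannelPolicy:
    name: str
    consumer_facing: bool          # True if the channel is available to any consumer
    idle_limit: timedelta
    # Hypothetical labels for the measures a PSP documents to its competent
    # authority; the RTS itself does not list them.
    compensating_controls: frozenset = frozenset()


def validate_policy(policy: ChannelPolicy) -> list:
    """Return findings that prevent a >5 minute idle limit; empty means acceptable."""
    findings = []
    if policy.idle_limit <= RTS_MAX_IDLE:
        return findings
    if policy.consumer_facing:
        findings.append(f"{policy.name}: idle limit above 5 minutes on a channel "
                        "open to consumers; Article 17 cannot apply")
    elif not policy.compensating_controls:
        findings.append(f"{policy.name}: idle limit above 5 minutes without "
                        "additional or alternative security measures")
    return findings


def effective_idle_limit(policy: ChannelPolicy) -> timedelta:
    """Clamp to 5 minutes whenever the longer limit is not justified (fail closed)."""
    return RTS_MAX_IDLE if validate_policy(policy) else policy.idle_limit


@dataclass
class Session:
    session_id: str
    limit: timedelta
    last_activity: datetime


class SessionStore:
    """In-memory store; the caller supplies the clock so expiry is testable."""

    def __init__(self):
        self._sessions = {}

    def open(self, session_id: str, policy: ChannelPolicy, now: datetime) -> None:
        self._sessions[session_id] = Session(session_id, effective_idle_limit(policy), now)

    def touch(self, session_id: str, now: datetime) -> bool:
        """Record activity; return False (and drop the session) once idle too long."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        if now - s.last_activity > s.limit:
            del self._sessions[session_id]      # expired: re-authentication required
            return False
        s.last_activity = now
        return True


# Constructed sample policies (names and controls are illustrative).
RETAIL = ChannelPolicy("retail-web", True, timedelta(minutes=5))
RETAIL_LONG = ChannelPolicy("retail-web-long", True, timedelta(minutes=20))
CORP_NO_CONTROLS = ChannelPolicy("corp-host2host", False, timedelta(minutes=20))
CORP_DEDICATED = ChannelPolicy("corp-host2host", False, timedelta(minutes=20),
                               frozenset({"mutual_tls", "ip_allowlist"}))

if __name__ == "__main__":
    for p in (RETAIL, RETAIL_LONG, CORP_NO_CONTROLS, CORP_DEDICATED):
        print(p.name, effective_idle_limit(p), validate_policy(p))
```

The point of `effective_idle_limit` is that a misconfigured 20-minute limit degrades to the 5-minute default rather than being honoured: the supervisory finding in the question becomes a deployment-time check instead of an inspection-time discovery.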
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.