The Dutch text is leading. This courtesy English translation is for your convenience only.
Following RTS 2018/389, DNB considers an account servicing payment service provider to create such obstacles within its own domain of the redirection-based customer journey of the dedicated interface if it:
1. forces users to perform strong customer authentication (hereafter: SCA) or log-in procedures (or combinations of the two) two or more times;
2. takes control of the management of the scope (e.g. duration) of consent;
3. forces users to pass through multiple confirmation screens, each requiring them to perform an action;
4. requires users to select an account even though the payment account being accessed has already been pre-determined by the user's account information or payment initiation service provider;
5. does not inform payment initiation service providers about the accounts selected by users (associated IBAN and account holder(s)) when the payment account being accessed has not been pre-determined by the user's payment initiation service provider;
6. uses final redirection screens requiring users to perform an action (e.g. a click);
7. forces users to pass through a particular authentication procedure while it supports other, more efficient authentication procedures in its own interfaces (e.g. forces the use of online (web) redirection where authentication would have been possible using the banking app for users who authenticate directly with the account servicing payment service provider on their mobile devices);
8. presents information that is irrelevant to the authentication in any of the steps;
9. uses discouraging language or presentation.
Please note that this list is not exhaustive.
In a redirection journey related to the provision of payment initiation services, DNB will allow an exception to (1) above for objectively justified reasons related to security or fraud prevention, provided the account servicing payment service provider also requires multiple SCAs for these payments in the equivalent authentication procedures offered to users in their own interface. Specific examples include high value payments or payments requiring multiple authorisations from different individuals.
Recital 24 of the RTS states that exempted dedicated interfaces must comply with specific conditions that ensure unhampered competition.
Article 32 of the RTS states that account servicing payment service providers (hereafter: banks) that have put in place a dedicated interface for this purpose should ensure that this interface does not create obstacles to the provision of payment initiation and account information services by these third parties.
EBA Guideline 2018/07 on the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of RTS 2018/389 mentions unnecessary delay or friction, superfluous steps and the use of unclear or discouraging language as examples of obstacles. This description still leaves room for interpretation. The aim of this Q&A document is to provide further guidance on what DNB would regard as potential obstacles.
The guidance is based on an analysis of the minimum number of technically required authentication steps that meet the security requirements of RTS 2018/389. This Q&A document focuses specifically on the redirection model permitted by the EBA and covers the entire customer journey, in both the third party domain and the bank domain. The aim is to avoid unnecessary delay or friction in the customer experience and to avoid the use of discouraging language.
Ideally, the obstacle-free customer journey for the provision of payment initiation services consists of a single action by the payment service user in the banking domain: performing strong customer authentication (SCA), which includes confirmation of the amount and the beneficiary. This confirmation may also be introduced as a second step following the SCA step, provided the bank is able to demonstrate that this is desirable from the customer's perspective, or if supplementary information must be presented (e.g. account selection or charges). Since the user has already authenticated in the first step of the journey in the banking domain, the confirmation does not require another SCA.
Ideally, the obstacle-free provision of account information services consists of two actions for the payment service user in the banking domain, the first being SCA, and the second being a confirmation of the payment service user for the provision of the requested account information service. Where appropriate, an account selection dialogue can be presented. Since the user has already authenticated in the first step of the journey in the banking domain, the confirmation of the account information details does not require another SCA.
A further explanation and visualisation of the necessary steps in the provision of payment initiation and account information services, as well as examples of efficient and inefficient customer journeys, are given in the annex to this Q&A document.