Q&A – Secure business payment procedures and protocols

Answer

Payment service providers can be exempted from applying strong customer authentication pursuant to Article 17 of Commission Delegated Regulation (EU) 2018/389 (RTS SCA CSC). The decision to opt for exemption is at the institution's discretion and subject to specific requirements. The security level of the authentication procedure or protocol the institution wishes to use instead must in any event be equivalent to the level described in Directive (EU) 2015/2366.

Institutions wishing to opt for exemption pursuant to Article 17 must first in advance submit the following information to DNB:

• A statement that the dedicated payment authentication procedure or protocol is only available to non-consumer payers
  
  
• A description of the relevant authentication procedure or protocol, including at least the following:
  
  
  • A description of the authentication procedure for payers (including any multiple authentication procedures and the underlying process with compensatory measures)
  • A risk analysis and security measures to prevent unauthorised payments, the level of which must be equivalent to the level described in Directive (EU) 2015/2366
  • A step-by-step description of the actions required to make a payment, from the payer’s perspective

We will assess the effectiveness of the authentication procedure as part of our regular supervision of the institution.

To further support the assessment of the article 17 exemption, the institution is required to submit the attached form. This form serves to further specify the abovementioned bullet points. This form, including all supporting documentation and –information is to be submitted to the regular contact person (supervisor) of the institution at DNB.