Q&A – Secure business payment procedures and protocols
What does DNB expect from payment service providers that use dedicated secure business payment authentication procedures and protocols under the exemption from applying strong customer authentication?
Payment service providers can be exempted from applying strong customer authentication pursuant to Article 17 of Commission Delegated Regulation (EU) 2018/389 (RTS SCA CSC). The decision to opt for exemption is at the institution's discretion and subject to specific requirements. The security level of the authentication procedure or protocol the institution wishes to use instead must in any event be equivalent to the level described in Directive (EU) 2015/2366.
Institutions wishing to opt for exemption pursuant to Article 17 must first submit the following information to DNB:
- A statement that the dedicated payment authentication procedure or protocol is only available to non-consumer payers
- A description of the relevant authentication procedure or protocol, including at least the following:
  - A description of the authentication procedure for payers (including any multiple authentication procedures and the underlying process with compensatory measures)
  - A risk analysis and security measures to prevent unauthorised payments, the level of which must be equivalent to the level described in Directive (EU) 2015/2366
  - A step-by-step description of the actions required to make a payment, from the payer’s perspective
We will assess the effectiveness of the authentication procedure as part of our regular supervision of the institution.
To further support the assessment of the Article 17 exemption, the institution is required to submit the attached form. This form serves to further specify the abovementioned bullet points. This form, including all supporting documentation and information, is to be submitted to the regular contact person (supervisor) of the institution at DNB.
- Electronic money institutions
- Payment institutions