Understanding PSD2 and EBA Guidelines on Strong Customer Authentication (SCA) in Open Banking
The Payment Services Directive (EU) 2015/2366 (PSD2) has been a transformative regulation aimed at enhancing the efficiency, convenience, and security of online payments across the European Union. Central to PSD2 is the implementation of **Strong Customer Authentication (SCA)**, a security measure requiring two or more independent factors to verify a user’s identity during online transactions or account access.
The Regulatory Framework: PSD2 and Delegated Regulations
Regulation (EU) 2018/389 and Its Significance
The **Commission Delegated Regulation (EU) 2018/389** supplements PSD2 with detailed technical standards on SCA. Notably, **Article 32(3)** prohibits **Account Servicing Payment Service Providers (ASPSPs)**, such as banks, from creating obstacles that hinder **Open Banking services** like **Payment Initiation Services (PIS)** and **Account Information Services (AIS)** provided by third-party providers (TPPs).
Prohibition of Barriers to Open Banking
Banks are explicitly barred from imposing barriers that make third-party services more cumbersome than their own interfaces. For example, a bank should not force users to leave the TPP’s app and navigate through multiple browser windows (the so-called redirection flow) in order to complete a transaction.
EBA Guidance and Key Q&A Insights
The European Banking Authority (EBA) and Its Clarifications
The EBA’s Q&A (Q&A 2025_7358) clarifies the application of SCA in open banking contexts. It addresses scenarios where banks allow reuse of static SCA elements during user sessions and how this affects third-party providers (TPPs) initiating payments via redirection flows.
Double SCA in Open Banking Transactions
When users access their accounts via an online banking website, they can often reuse static SCA elements for subsequent transactions. However, in redirection-based flows initiated by PISPs, users are required to perform full SCA twice: once to access account data and again to authorize the payment.
EBA’s Interpretation: Is Double SCA a Prohibited Obstacle?
The EBA concluded that requiring two separate SCAs in such flows does not inherently violate PSD2 or Regulation (EU) 2018/389. This is because AIS and PIS are considered distinct services, and each involves separate authorization actions, thus justifying the need for different SCA procedures.
Implications for Banks and Third-Party Providers
Non-Discrimination Principle under PSD2
Banks must ensure fair treatment of TPP requests, providing equivalent functionality to that available within their own online banking portals. If a bank allows SCA reuse internally, it should offer similar options to TPPs unless justified by **security concerns** or **technical limitations**.
The PIS-Only Journey and Single SCA Requirement
In cases where a TPP already has access to the user’s account data, the bank must support a single SCA to initiate payments. Requiring two SCAs in such scenarios would be considered a prohibited obstacle under PSD2.
The Role of Dynamic Linking and Transaction-Specific Authentication
The dynamic linking requirement mandates that the authentication code generated for a payment is specific to the transaction amount and the payee, so that any change to either invalidates the code. While banks may reuse certain authentication factors, they must always require a second, transaction-specific factor at payment time to ensure transaction security.
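To make the dynamic linking requirement concrete, the following is an added toy model in Python (not code from the page, the EBA, or any bank): the possession-factor device computes an authentication code over the exact amount and payee the user sees, and the bank recomputes it over the order it is about to execute, rejects any mismatch, and consumes the one-time challenge so the same code cannot authorise a second payment. The class and function names, the per-device key, the IBAN strings and the amounts are all constructed for illustration.

```python
"""Toy model of PSD2 dynamic linking: the authentication code for a payment is
bound to the amount and payee, so changing either invalidates the code.
Constructed example; key, IBANs and amounts are made up."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    amount_cents: int   # integer minor units avoid floating-point ambiguity
    currency: str
    payee_iban: str
    challenge: str      # one-time nonce issued by the ASPSP for this payment


def issue_challenge() -> str:
    """ASPSP side: fresh, unpredictable nonce so a code cannot be precomputed or replayed."""
    return secrets.token_hex(16)


def canonical_bytes(order: PaymentOrder) -> bytes:
    """Deterministic serialisation of the dynamically linked fields.
    Each field is length-prefixed so two different orders cannot serialise identically."""
    out = b""
    for field in (str(order.amount_cents), order.currency, order.payee_iban, order.challenge):
        enc = field.encode("utf-8")
        out += len(enc).to_bytes(2, "big") + enc
    return out


def generate_auth_code(device_key: bytes, order: PaymentOrder) -> str:
    """Device side: MAC over the exact amount and payee displayed to the user."""
    return hmac.new(device_key, canonical_bytes(order), hashlib.sha256).hexdigest()


def verify_auth_code(device_key: bytes, order: PaymentOrder, code: str, used_challenges: set) -> bool:
    """ASPSP side: recompute over the order about to be executed, compare in constant
    time, and consume the challenge so the code cannot authorise a second payment."""
    if order.challenge in used_challenges:
        return False
    expected = generate_auth_code(device_key, order)
    if not hmac.compare_digest(expected, code):
        return False
    used_challenges.add(order.challenge)
    return True


def demo() -> dict:
    """Walk through the four cases a verifier must get right."""
    device_key = secrets.token_bytes(32)   # constructed: per-device key provisioned at enrolment
    used: set = set()
    order = PaymentOrder(1250, "EUR", "DE00EXAMPLE00000000000", issue_challenge())
    code = generate_auth_code(device_key, order)

    # Same code presented with a modified amount or payee (e.g. altered in transit)
    tampered_amount = PaymentOrder(99900, order.currency, order.payee_iban, order.challenge)
    tampered_payee = PaymentOrder(order.amount_cents, order.currency,
                                  "DE00OTHERPAYEE00000000", order.challenge)
    return {
        "tampered_amount": verify_auth_code(device_key, tampered_amount, code, used),  # False
        "tampered_payee": verify_auth_code(device_key, tampered_payee, code, used),    # False
        "original": verify_auth_code(device_key, order, code, used),                   # True
        "replay": verify_auth_code(device_key, order, code, used),                     # False
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the bank never trusts the amount or payee carried alongside the code: it recomputes the MAC over the values it is actually about to execute, which is what makes the code useless if a TPP, a proxy or malware alters the order after the user approved it.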
Conclusion: Balancing Security and User Experience in Digital Finance
As digital banking and open banking continue to evolve, regulators aim to strike a balance between robust security measures and seamless user experiences. Ensuring compliance with PSD2 and EBA guidelines is crucial for providers to maintain secure, user-friendly online payment ecosystems.