Updated 18/09/2024
In force

Version from: 12/09/2023
Amendments (1)

Article 10a - Access to the payment account information through an account information service provider

1. Payment service providers shall not apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider, provided that access is limited to one of the following items online without disclosure of sensitive payment data:

(a) the balance of one or more designated payment accounts;

(b) the payment transactions executed in the last 90 days through one or more designated payment accounts.

2. By way of derogation from paragraph 1, payment service providers shall apply strong customer authentication where one of the following conditions is met:

(a) the payment service user is accessing online the information specified in paragraph 1 for the first time through the account information service provider;

(b) more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 through the account information service provider and strong customer authentication was applied.

3. By way of derogation from paragraph 1, payment service providers shall be allowed to apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider and the payment service provider has objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account. In such a case, the payment service provider shall document and duly justify to its competent national authority, upon request, the reasons for applying strong customer authentication.

4. Account servicing payment service providers that offer a dedicated interface as referred to in Article 31 shall not be required to implement the exemption laid down in paragraph 1 of this Article for the purpose of the contingency mechanism referred to in Article 33(4), where they do not apply the exemption laid down in Article 10 in the direct interface used for authentication and communication with their payment service users.