Appendices

90-Days Re-authentication (delegated SCA)

This version is:

This is the latest version Published 9 months ago 31 May 2023

PSD2 requires Strong Customer Authentication (SCA) to be performed each time the PSU accesses its online payment account, either directly or using the services of an AISP. The frequency of authentication can be reduced if an ASPSP applies the exemption relevant to account information access.

Other pages in this section

User Journey

 

Main content image

 

In the European Union, PSD2 requires Strong Customer Authentication (SCA) to be performed each time the PSU accesses its online payment account, either directly or using the services of an AISP. The frequency of authentication can be reduced if an ASPSP applies the exemption relevant to account information access (RTS, Article 10), however, this will still require the PSU to be authenticated at least every 90 days.​ Moreover, the 90-day exemption doesn’t apply if the AISP wants to access more than the last 90 days’ worth of transactions.

A PSU having given long-lived consent to an AISP to avail account information services, has to undergo SCA if it is accessing its account information via the AISP online for the first time, or if more than 90 days have elapsed since the last time the PSU accessed the information and SCA was applied. Irrespective of the duration of the consent agreed between the AISP and the PSU for the provision of the account information service, the PSU would still need to undergo SCA with their ASPSP at least every 90 days. This frequency may also increase if the PSU holds multiple payment accounts with various ASPSPs as they would need to undertake SCA for each of those ASPSPs on an individual basis.

(It should be noted that the API specification allows the AISP to inform the ASPSP that the request is a refresh rather than a new request).

SCA by AISP on behalf of ASPSPs

In the case where the AISP requires the PSU to undergo SCA within or at the expiry of the 90 day period for account information access, the AISP will alert the PSU either within the session or outside of it (e.g. via SMS or push notification) that specific payment account(s) access across multiple ASPSPs are due for a refresh. 

The PSU will then undergo SCA at the AISP, as per the agreed parameters with the ASPSP(s). The AISP will then send a message to each ASPSP confirming that SCA has been performed successfully and requesting the ASPSPs to reset the 90-days re-authentication counter for the selected payment account accesses.

This reduces the friction of the PSU going through multiple re-authentication journeys with multiple ASPSPs for the same AISP. 

Note: This option is likely to require a contract between the AISP and each ASPSPPlease also note that the proposition of SCA being performed by AISP on behalf of ASPSPs is subject to the applicable commercial arrangements between the parties. 

 

Wireframes

 

This content is best viewed on a desktop browser.

1

CEG Checklist 1
AISPs must alert the PSU when authentication needs to be performed to refresh AISP access. Note: AISP may notify the PSU (in session or outside e.g via SMS or push notification) in advance and the advance period can be left in the AISPs competitive space.

3

CX Checklist 3
AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used etc.) will change. If the customer-facing entity is acting on behalf of an AISP as its agent, the PSU must be made aware that the agent is acting on behalf of the AISP.

5

CEG Checklist 5
AISPs must also allow the PSU to confirm their request after selecting the accounts.

6

CEG Checklist 6
AISPs must ask the PSU to undergo SCA with the AISP provided credentials as agreed with the ASPSPs.

7

CEG Checklist 7
AISPs must provide confirmation to the PSU that authentication has been successfully completed and access has been refreshed. Note: AISP may do an a-synchronised call to each ASPSP after the PSU has confirmed their request and successfully authenticated to continue access. The AISP should notify the PSU with an appropriate message that access to the respective account(s) will be refreshed with their ASPSP(s).

CEG Checklist Requirements & CX Considerations
CEG Checklist Reference

1

AISPs must alert the PSU when authentication needs to be performed to refresh AISP access.

Note: AISP may notify the PSU (in session or outside e.g via SMS or push notification) in advance and the advance period can be left in the AISPs competitive space.

16

AISPs should allow the PSU to select all the payment accounts across ASPSPs that may or may not be due for access refresh.  

3

AISPs must display the company’s trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the AISP is only trading with its registered company name then it must display that name to the PSU.

If the AISP is not the customer-facing entity and there is an Agent who is acting on behalf of the AISP, then the Agent must make the PSU aware that they are acting as an agent on behalf of the AISP and must also, display the AISP’s full trading name/brand name or registered company name whichever is the customer-facing brand of the AISP. 

AISPs must also, populate the Agent company name in the ‘On behalf of’ field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to be able to display this information to the PSU. Only in instances where there is an Agent acting on behalf of the AISP, the ‘On Behalf of’ name must be displayed to the PSU. AISPs must not populate the ‘ On behalf of’ field with the details of their TSP.

The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision. For example, detail the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested and when the consent for the account information will expire (consent could be ongoing or one-off).

For examples of what names should be displayed, please refer to AIS Consent Dashboard & Revocation, Examples.

8

AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used etc.) will change.

5

AISPs must also allow the PSU to confirm their request after selecting the accounts.

17a

6

AISPs must ask the PSU to undergo SCA with the AISP provided credentials as agreed with the ASPSPs.

17b

7

AISPs must  provide confirmation to the PSU that authentication has been successfully completed and access has been refreshed.

Note: AISP may do an a-synchronised call to each ASPSP after the PSU has confirmed their request and successfully authenticated to continue access. The AISP should notify the PSU with an appropriate message that access to the respective account(s) will be refreshed with their ASPSP(s).

18a

Note

“Agent” means a person or entity who acts on behalf of an authorised payment institution or a small payment institution in the provision of payment services including account information services.

When an agent acts on behalf of the AISP, the PSU must in the case of requirement #3,   be made aware of this within the consent journey.

Please see details in Checklist Requirements item3 

What the research says

 

Click for customer research