Diario Oficial de la Unión Europea del 5/12/2022 - Sección Legislación
Text version What is this?Dateas is an independent website not affiliated with any government agency. The source of the PDF documents that we publish is the official agency stated in each of them. The text versions are non official transcripts that we do to provide better tools for accessing and searching information, but may contain errors or may not be complete.
Source: Diario Oficial de la Unión Europea - Sección Legislación
EN
5.12.2022
Official Journal of the European Union
L 312/1
II
Non-legislative acts
REGULATIONS
COMMISSION DELEGATED REGULATION EU 2022/2360
of 3 August 2022
amending the regulatory technical standards laid down in Delegated Regulation EU 2018/389 as regards the 90-day exemption for account access Text with EEA relevance
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union, Having regard to Directive EU 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation EU No 1093/2010, and repealing Directive 2007/64/EC 1, and in particular Article 984, second subparagraph, thereof, Whereas:
1
Article 10 of Commission Delegated Regulation EU 2018/389 2 provides for an exemption from the requirement laid down in Article 97 of Directive EU 2015/2366 to apply strong customer authentication where a payment service user is accessing the balance and the recent transactions of a payment account without disclosure of sensitive payment data. In that case, payment service providers are allowed not to apply strong customer authentication for accessing the account information, provided that strong customer authentication was applied when the account information was accessed for the first time, and at least every 90 days after that.
2
The use of that exemption has led to very divergent practices in the application of Delegated Regulation EU
2018/389, where some account servicing payment service providers request strong customer authentication every 90 days, others at shorter time intervals, and some have not applied the exemption and request strong customer authentication for every account access. That divergence has led to undesirable friction in the customer journey when using account information services and to a negative impact on the services of account information service providers.
3
In order to ensure proper balance between the objectives of Directive EU 2015/2366 of enhancing security, facilitating innovation and enhancing competition in the internal market, it is necessary to further specify the application of the exemption set out in Article 10 of Delegated Regulation EU 2018/389, for cases where the account information is accessed through an account information service provider. Accordingly, in such a case, payment service providers should not be allowed to choose whether or not to apply strong customer authentication, and the exemption should be made mandatory, subject to conditions that aim to ensure that the safety and security of the payment service users data is being met.
1 OJ L 337, 23.12.2015, p. 35.
2 Commission Delegated Regulation EU 2018/389 of 27 November 2017 supplementing Directive EU 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication OJ L 69, 13.3.2018, p. 23.
