Enhanced Client Authentication (SCA) with online payments


On September 11th, we learned of Banco de España’s decision to extend the period ending on the 14th to comply with the obligations of Delegated Regulation 2018/389. Banco de España (BdE) is thus making use of the extraordinary power granted by the European Banking Authority (EBA) to national authorities, permitting them to grant limited additional time and work with Payment Service Providers (PSPs) on the application of Enhanced Client Authentication (SCA) in electronic payments. BdE has not set an end date or duration for the additional time and will focus on reviewing plans submitted by PSPs.

The Internal Market Payment Services Directive 2015/2366, more commonly known as PSD2, aims to foster competition and innovation, protect consumers and strengthen security requirements for online payments. The Directive is complemented by the delegated Regulation on technical regulatory standards for enhanced customer authentication (SCA) and common and secure open communication standards (CSCs).

The SCA is a double-verified security authentication protocol that EBA established as part of the Technical Regulatory Standards (RTS) developed by PSD2 (which gave rise to the Delegated Regulation). This protocol has become the main stumbling block for the implementation of PSD2. SCA is considered to be a fundamental element in the development of what is known as Open Banking.

The PSD2 updates the regulations established with the PSD1 and introduces a regulation of payment services that were being provided in the market but were actually outside the scope of the PDS1, such as the payment initiation service (PIS) and the account information service (AIS), provided by so-called Third Party Providers (TPP). Until the entry into force of the PSD2 and the delegated Regulation, the provision of these services implied making use, through the technique known as “screen scraping”, of the same credentials for access to the services of the payment account holder himself, which implies a high security risk.

In line with the PDS2 mandate, the EBA started work on the definition of Technical Regulatory Standards (RTS), in cooperation with the ECB, applicable to PIS and AIS service providers. The definition of these standards has been complex and focused on the definition of the SCA and the CSC. The final result has been the Delegated Regulation. PSD2 and enhanced customer authentication therefore signify new rules that change the way payment service providers identify their customers.

Reinforced customer authentication processes serve to determine that a customer is who he claims to be. SCA will require payment service providers to verify that identity using at least two data independent of each other, known as authentication factors. These factors have been classified into three groups:

Knowledge: that which only the client knows.

Possession: that which only the client has.

Inherence: that which the client is.


Enhanced client authentication on PSD2

Source: Banco de España


Another aspect of the regulation to consider is the obligation for Payment Service Providers to develop open programming interfaces (APIs) so that TPPs providing any type of service, PIS or AIS, can communicate with them.

All these issues are regulated in the Royal Decree-Law 19/2018 which partially transposes the PSD2 into Spanish law.

Finally, we must not forget other regulations to take into account, such as Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, since what is involved is personal data and therefore agreements with payment service users may be necessary.

We must pay attention to the specific deadline that the BOE grants, but in any case we must work to meet the requirements as soon as possible

Authors: Sergio Muñoz


International Sanctions, Arbitration, Litigation, Criminal, Competition AND MORE!

Esta página web usa cookies

Las cookies de este sitio web se usan para personalizar el contenido y analizar el tráfico. Además, compartimos información sobre el uso que haga del sitio web con nuestros partners de análisis web, quienes pueden combinarla con otra información que les haya proporcionado o que hayan recopilado a partir del uso que haya hecho de sus servicios.

Close Popup
Privacy Settings saved!
Configuración de Privacidad

A continuación, puedes elegir qué tipo de cookies permite en este sitio web. Podrá revocar este consentimiento, obtener más información e informarse de sus derechos en la Política de cookies. *Para guardar tu configuración acepta o rechaza las cookies que desees y haz clic en el botón cerrar.

  • wp-wpml_current_language
  • bm_sz
  • _abck
  • ak_bmsc
  • __cf_bm
  • wordpress_gdpr_cookies_allowed
  • wordpress_gdpr_cookies_declined
  • wordpress_gdpr_allowed_services
  • MCPopupClosed

Rechazar todos los servicios
Acepto todos los servicios