On 16 August 2022, the European Commission published Commission Delegated Regulation (EU) of 3.8.2022 amending the regulatory technical standards (RTS) laid down in Delegated Regulation 2018/389 as regards the 90-day exemption for account access.
The final draft RTS introduces into Commission Delegated Regulation 2018/389 a new mandatory exemption from the requirement to apply strong customer authentication (SCA). Under the exemption, account providers must not apply SCA when customers use an account information service provider to access their payment account information, if certain conditions are met that are aimed at ensuring the safety and security of the payment service user’s data. Furthermore, the draft amending RTS limits in parallel the scope of application of the voluntary exemption in Article 10 of Commission Delegated Regulation 2018/389 to instances where the customer accesses the account information directly. Finally, the draft amending RTS extends the timeline for renewal of SCA from every 90 days to every 180 days where the above-mentioned exemptions apply. Account Service Payment Service Providers that offer both a dedicated interface and a contingency mechanism are not required to implement the SCA exemption in the contingency mechanism, provided that they do not apply the SCA exemption in their direct customer channels.
The draft RTS enter into force on the twentieth day following that publication in the Official Journal of the EU.