法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2018/389 as regards the 90-day exemption for account access (Text with EEA relevance)

CELEX
Delegated Regulation (EU) 2022/2360
Date of document
Articles
3
Source
EUR-Lex
Article 1Amendments to Delegated Regulation (EU) 2018/389

Delegated Regulation (EU) 2018/389 is amended as follows:

(1)

Article 10 is replaced by the following:

‘Article 10

Access to the payment account information directly with the account servicing payment service provider

1.   Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where a payment service user is accessing its payment account online directly, provided that access is limited to one of the following items online without disclosure of sensitive payment data:

(a)

the balance of one or more designated payment accounts;

(b)

the payment transactions executed in the last 90 days through one or more designated payment accounts.

2.   By way of derogation from paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where one of the following conditions is met:

(a)

the payment service user is accessing online the information specified in paragraph 1 for the first time;

(b)

more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 and strong customer authentication was applied.’

;

(2)

the following Article 10a is inserted:

‘Article 10a

Access to the payment account information through an account information service provider

1.   Payment service providers shall not apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider, provided that access is limited to one of the following items online without disclosure of sensitive payment data:

(a)

the balance of one or more designated payment accounts;

(b)

the payment transactions executed in the last 90 days through one or more designated payment accounts.

2.   By way of derogation from paragraph 1, payment service providers shall apply strong customer authentication where one of the following conditions is met:

(a)

the payment service user is accessing online the information specified in paragraph 1 for the first time through the account information service provider;

(b)

more than 180 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1 through the account information service provider and strong customer authentication was applied.

3.   By way of derogation from paragraph 1, payment service providers shall be allowed to apply strong customer authentication where a payment service user is accessing its payment account online through an account information service provider and the payment service provider has objectively justified and duly evidenced reasons relating to unauthorised or fraudulent access to the payment account. In such a case, the payment service provider shall document and duly justify to its competent national authority, upon request, the reasons for applying strong customer authentication.

4.   Account servicing payment service providers that offer a dedicated interface as referred to in Article 31 shall not be required to implement the exemption laid down in paragraph 1 of this Article for the purpose of the contingency mechanism referred to in Article 33(4), where they do not apply the exemption laid down in Article 10 in the direct interface used for authentication and communication with their payment service users.’

;

(3)

in Article 30, the following paragraph 4a is inserted:

‘4a.   By way of derogation from paragraph 4, account servicing payment service providers shall make available to the payment service providers referred to in this Article the changes made to the technical specifications of their interfaces in order to comply with Article 10a not less than 2 months before such changes are implemented.’

.

Article 2Transitional provisions

1.   Payment service providers that applied the exemption in Article 10 of Delegated Regulation (EU) 2018/389 before 25 July 2023 shall be allowed to continue to apply that exemption for access requests received through an account information service provider up to the expiry of the period covered by that exemption.

2.   By way of derogation from paragraph 1, whenever a new strong customer authentication is applied for access request through an account information service provider before the expiry of the period covered by the exemption referred to in paragraph 1, Article 10a as introduced by this Regulation applies.

Article 3Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

It shall apply from 25 July 2023.

3 articles

Cite this act

Commission Delegated Regulation (EU) 2022/2360 of 3 August 2022 amending the regulatory technical standards laid down in Delegated Regulation (EU) 2018/389 as regards the 90-day exemption for account access (Text with EEA relevance) (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32022R2360

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com