On 21 June the European Banking Authority (EBA) issued an opinion on the elements of strong client authentication pursuant to Directive 2015/2366 ("DSP2").
This EBA opinion (EBA-Op-2019-06), addressed to the relevant national authorities, contains very relevant information for payment service users and providers.
As of 14 September 2019, payment service providers are required to apply strong client authentication whenever the client accesses their payment account online, initiates an electronic payment transaction or carries out an action through a remote channel which may involve the risk of payment fraud or other abuses.
Pursuant to DSP2, "strong client authentication" is authentication based on the use of two or more elements belonging to the categories "knowledge" (something only the user knows), "possession" (something that only the user owns) and "inherence" (something that the user is). The elements are independent, insofar as the violation of one of them does not compromise the reliability of the others, and the authentication is designed in such a way as to protect the confidentiality of the authentication data.
In this opinion, the EBA identifies, although not exhaustively, the elements that can be considered in each of the three categories envisaged in the context of strong client authentication ("knowledge", "possession" and "inherence").