BT-REQ-3972 PSD3 Impacts v6(without crop marks) RL - Flipbook - Page 19
19
HL | PSD3 Impacts
However, the Council Text has reverted to the
original Commission wording.
Separately, the EBA has recently issued a
consultation on Draft Guidelines on the sound
management of third-party risk (EBA/CP/2025/12).
The Council Text also proposes:
to make orders for the creation or replacement
of a token of a payment instrument via a remote
channel a scenario that requires SCA (although
one would imagine this is something PSPs would
require in any event); and
activation of a mobile application on a new
device that can be used for payment transactions
to be subject to SCA, and to the use of different
communication channels to activate the mobile
application on a new device, if done remotely. In
such circumstances, the PSP will be required to
impose a delay of 4-12 hours for the activation of
the mobile application to take effect (although
the PSU can opt out of this delay subject, again,
to SCA).
What is the impact?
Technical service providers are unlikely to want
to be considered outsourced service providers, a
status which brings with it regulators’ rights of
access and audit (and increased regulatory scrutiny)
despite requiring regulatory responsibility to stay
with the PSP.
Firms that currently rely on non-electronic payment
instructions to remain outside the scope of SCA
requirements will have to consider/review their
approach to customer authorisation of those
instructions to ensure they are sufficiently secure.
Firms will also need to consider the extent to which
they comply with “accessibility” requirements in
terms of their SCA solution.
Firms may also need to consider their processes for
activation of new devices.
