Is the EBICS protocol exempt from strong authentication (SCA) in line with PSD2?

We have been asked this question repeatedly by French and European financial institutions, and it has not always been easy to give a sufficiently formal answer.

Recently, the Banque de France wrote an official reply in which it added the EBICS protocol to the list of procedures and protocols exempt from strong authentication under Article 17 of Delegated Regulation (EU) 2018/389. The regulation states that: "For legal entities initiating electronic payment transactions through dedicated payment processes or protocols that are available only to payers who are not consumers, payment service providers may waive the requirement of strong customer authentication where the competent authorities consider that such processes or protocols provide at least a level of security comparable to that provided for in the directive (EU) 2015/2366."

The full text can be found on the following page:

However, this does not mean that EBICS does not support strong authentication - far from it! The certainty that the EBICS protocol guarantees at least comparable levels of security to those provided for in the directive has long been established. With this in mind, I would like to invite you to read or re-read the article EBICS and PSD2 – How do they work together? published on this blog a few months ago.

Author: Marc Dutech