The European Banking Authority (EBA) plays an extraordinarily complex role. Having to manage and regulate the financial industry means walking a tightrope between directional regulation and restrictive controls. The delivery of the revised Payment Service Directive (PSD2) and the regulatory technical standards (RTS) for strong customer authentication (SCA) has proven that this recognition is more than deserved, with the line between regulation and technical requirements being even more precarious than anyone anticipated.

On 21 June, the EBA released an opinion paper on the delivery of SCA under PSD2 to clarify the accepted solutions to SCA. In it, the EBA outlines how complying with the standard will be enforced and how the announced extension to the compliance deadline will be addressed. One take-home message from the paper is the challenge that the EBA has in trying to avoid stating what technology is acceptable and suitable for a real SCA solution. Perhaps this is a drive to be open and inclusive and avoid dictating solution choices. Or maybe it is an effort to ensure that all parties are given a chance to compete in this important arena.

Since the announcement of the SCA requirement, and even prior to this, there has been much discussion about the suitability of SMS as a vehicle for secure identification, including its susceptibility to interception. Telecommunication organizations have been trying to address these weaknesses with options such as SIM-swap detection and number-forwarding challenges, but these are not universally available and still do not address the underlying security issue. Incredibly, however, SMSs are still seen by many as a convenient way of reaching people, but the fact remains that native SMSs do not meet the EBA’s own base requirement for SCA.

As part of the EBA’s SCA requirement, a transaction must be communicated over a secure, encrypted channel. The statement from Article 22.2(b), which addresses identity information specifically, further clarifies that sharing and storing information cannot be performed in plain text: “PSPs shall ensure that […] personalized security credentials [and] cryptographic materials […] are not stored in plain text.” While SMSs are not a storage medium, the information is in plain text and is held/stored on an electronic device.

In addition to this, the requirements of Article 5 on the need to support dynamic linking (each SCA must be linked to a specific amount and payee) stipulate that the confidentiality and integrity of payment information needs to be protected during the authentication process to comply with PSD2. SMS is not an encrypted, secured channel; the message details sent in the SMS are in plain text, and can be easily intercepted and read by a hacker. Furthermore, if you choose to send information via SMS, you will need to limit the information contained in the SMS, otherwise you also risk falling on the wrong side of GDPR.

In short, many see SMSs as a convenient (and cost-effective) option for addressing the security and fraud challenges facing the financial industry, but because of the inherent weakness of the possession factor (the SIM card) and the ease of access to the mobile number, it is definitely not a state-of-the-art solution. In fact, I strongly believe that SMS one-time passwords do not meet the dynamic linking requirement, and therefore do not address the SCA specification.
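The dynamic linking point above (Article 5: each authentication code must be tied to a specific amount and payee) is easiest to see in code. The following Python sketch is an added example, not part of the original post or of any Entersekt product: the authentication code is an HMAC over the canonicalised amount, currency, payee and a per-transaction nonce, keyed with a secret that lives only on the payer’s enrolled device, so the same code cannot be replayed against a changed amount or payee. The device key, IBAN and nonce values are constructed for the example; an SMS OTP, by contrast, is generated without any of these inputs and therefore verifies for whatever transaction an interceptor substitutes.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed example key. In a real deployment this is bound to the
# payer's enrolled device (ideally in a secure element) and never transmitted.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical_transaction(amount: str, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the data the code must be linked to, in a fixed order with an
    unambiguous separator, so that "10"+"0EUR" can never collide with "100"+"EUR"."""
    amt = Decimal(amount).quantize(Decimal("0.01"))
    return "\x1f".join([str(amt), currency, payee, nonce]).encode("utf-8")


def generate_auth_code(key: bytes, amount: str, currency: str, payee: str,
                       nonce: str, digits: int = 8) -> str:
    """Dynamically linked authentication code: a function of amount AND payee."""
    mac = hmac.new(key, canonical_transaction(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    # HOTP-style dynamic truncation to a short decimal code the payer can read.
    offset = mac[-1] & 0x0F
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_auth_code(key: bytes, amount: str, currency: str, payee: str,
                     nonce: str, code: str) -> bool:
    """Recompute the code from the transaction the PSP is about to execute; if
    the amount or payee was altered after approval, verification fails."""
    expected = generate_auth_code(key, amount, currency, payee, nonce, len(code))
    return hmac.compare_digest(expected, code)


def demo() -> tuple:
    """Approve a constructed EUR 125.00 payment, then try to reuse the code for a
    ten-times larger amount and for a different payee."""
    payee, nonce = "DE89370400440532013000", "txn-0001"   # constructed values
    code = generate_auth_code(DEVICE_KEY, "125.00", "EUR", payee, nonce)
    genuine = verify_auth_code(DEVICE_KEY, "125.00", "EUR", payee, nonce, code)
    amount_tampered = verify_auth_code(DEVICE_KEY, "1250.00", "EUR", payee, nonce, code)
    payee_tampered = verify_auth_code(DEVICE_KEY, "125.00", "EUR",
                                      "GB33BUKB20201555555555", nonce, code)
    return genuine, amount_tampered, payee_tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```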

You can read the EBA’s opinion on the elements of SCA and SMS OTP here. Looking for SCA advice? Read more about our solution for PSD2 compliance here, or contact us to speak to one of our experts.

Simon Rodway

VP: Customer Delivery

Simon Rodway is an experienced software solutions designer and architect who supports Entersekt’s solutions teams in delivering best-in-class services for our clients. His expertise and knowledge take Entersekt’s solutions from strength to strength across the world. His extensive global experience in the information technology and software development industries ensures a refined industry perspective in growing Entersekt’s presence across the world.
