PSD2 and strong customer authentication (SCA): the compliant electronic signature guide
The second Payment Services Directive (PSD2, Directive (EU) 2015/2366) requires strong customer authentication (SCA) to access an online payment account, initiate an electronic payment, or perform any remote action that presents a fraud risk. This guide explains how an eIDAS-compliant advanced electronic signature (AES) satisfies these requirements for banks, payment institutions and fintechs.
What is strong customer authentication (SCA) under PSD2?
Article 97 of Directive (EU) 2015/2366 (PSD2) requires strong customer authentication. Its technical procedures are specified by Delegated Regulation (EU) 2018/389 (Regulatory Technical Standards, RTS). SCA is based on at least two independent elements belonging to different categories.
- Knowledge: something only the customer knows (password, code)
- Possession: something only the customer has (a phone that receives an SMS OTP)
- Inherence: something the customer is (biometrics) — optional if the other two are met
- Dynamic linking: not a factor but an additional requirement for payments; the authentication code must be linked to the amount and the beneficiary (art. 5 RTS, Delegated Regulation (EU) 2018/389)
Which banking acts fall under strong customer authentication?
What does a compliant SCA signature journey look like?
- 1. Identify the customer (knowledge). The customer accesses the envelope via a secure link and authenticates with a first factor (email + password, or a Certyneo identifier). This is the knowledge element.
- 2. Verify possession (OTP). A single-use code (OTP) is sent by SMS to the customer's previously verified phone number. Entering the code proves possession, the second independent factor.
- 3. Sign with a qualified timestamp. The customer affixes their advanced signature (AES). Certyneo generates a unique signature certificate and a qualified timestamp compliant with article 26 of the eIDAS regulation.
- 4. Produce the SCA audit trail. The proof PDF documents the two factors, the qualified timestamp, the SHA-256 hash of the document and the IP address; it can be produced to the ACPR to demonstrate that the journey complies with SCA.
Frequently asked questions — PSD2 & strong authentication
- Is advanced signature (AES) sufficient to satisfy PSD2 SCA?
- Yes, when it combines two independent factors. Certyneo's advanced signature covers knowledge (password / signature email) and possession (SMS OTP to a verified phone): two elements from different categories, compliant with article 97 of PSD2 and Delegated Regulation (EU) 2018/389. Biometrics (inherence) are not necessary as long as these two factors are present.
- What is the difference between strong authentication (SCA) and electronic signature?
- SCA authenticates the customer's access and intention at the time of a sensitive operation; an electronic signature seals a document with lasting evidentiary value. Certyneo combines both: the strong authentication journey directly feeds the signature audit trail, so that proof of authentication and proof of consent form an enforceable whole.
- What is the dynamic linking required for payments?
- Article 5 of delegated regulation (EU) 2018/389 requires that, for a payment operation, the authentication code be specifically linked to the amount and the beneficiary. Any modification of this data invalidates the code. For signing a mandate or order, the integrity guaranteed by the SHA-256 hash of the document fulfills an equivalent non-alteration function.
- Are there exemptions to strong authentication?
- Yes. Delegated regulation (EU) 2018/389 provides for exemptions (low-value payments, recurring operations, trusted beneficiaries, transaction risk analysis). They concern the execution of payments, not the signature of a contractual act: signing an account agreement or mandate remains subject to the evidentiary requirements of article 1367 of the Civil Code.
- Is the audit trail enforceable against the ACPR in case of inspection?
- Yes. The Certyneo audit trail documents the two authentication factors, qualified timestamping, document integrity and signer identity. Exportable as a certified PDF, it allows you to demonstrate to the Prudential Supervision and Resolution Authority (ACPR) that the journey complies with the SCA requirements of PSD2.
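The dynamic-linking rule (article 5 RTS) and the SHA-256 document hash recorded in the audit trail can both be checked in code. The following Python is an added example, not Certyneo's code: it assumes a server-side HMAC key and a per-transaction nonce for the payment code, uses constructed sample values throughout, and stands in a plain string where a qualified timestamp from a timestamping authority would sit.

```python
import hashlib
import hmac

# Constructed sample values (not real credentials or documents).
SAMPLE_KEY = b"constructed-server-side-secret"
SAMPLE_DOCUMENT = b"SEPA mandate - constructed sample text"


def document_hash(data: bytes) -> str:
    """SHA-256 of the signed document, as recorded in the audit trail."""
    return hashlib.sha256(data).hexdigest()


def dynamic_linking_code(key: bytes, amount: str, beneficiary: str, nonce: str) -> str:
    """Authentication code bound to amount and beneficiary (art. 5 RTS).

    HMAC-SHA256 over the canonicalised payment data plus a per-transaction
    nonce, truncated to 8 digits for display (assumed scheme). Changing the
    amount or the beneficiary changes the code, so a code issued for one
    payment cannot be reused for another.
    """
    payload = f"{amount}|{beneficiary}|{nonce}".encode()
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_code(key: bytes, amount: str, beneficiary: str, nonce: str, presented: str) -> bool:
    """Server-side check: recompute from the data that will actually be executed."""
    expected = dynamic_linking_code(key, amount, beneficiary, nonce)
    return hmac.compare_digest(expected, presented)


def build_audit_record(document: bytes, knowledge_ok: bool, possession_ok: bool,
                       ip: str, timestamp: str) -> dict:
    """Proof record: both factors, document hash, IP and (placeholder) timestamp."""
    return {
        "factors": {"knowledge": knowledge_ok, "possession": possession_ok},
        "sha256": document_hash(document),
        "ip": ip,
        "timestamp": timestamp,
    }


def audit_record_valid(record: dict, document: bytes) -> bool:
    """SCA needs two independent factors, and the hash must match the document."""
    two_factors = record["factors"]["knowledge"] and record["factors"]["possession"]
    return two_factors and hmac.compare_digest(record["sha256"], document_hash(document))
```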