Certyneo
PSD2 & SCA Guide · 2026

PSD2 and strong customer authentication (SCA): the compliant electronic signature guide

The second Payment Services Directive (PSD2, Directive (EU) 2015/2366) requires strong customer authentication (SCA) to access an online payment account, initiate an electronic payment, or perform any remote action presenting a fraud risk. This guide explains how eIDAS-compliant advanced electronic signature (AES) satisfies these requirements for banks, payment institutions, and fintechs.


What is strong customer authentication (SCA) under PSD2?

Article 97 of Directive (EU) 2015/2366 (PSD2) requires strong customer authentication. Its technical procedures are specified by Delegated Regulation (EU) 2018/389 (Regulatory Technical Standards, RTS). SCA is based on at least two independent elements belonging to different categories.

  • Knowledge: an element that only the customer knows (password, code)
  • Possession: an element that only the customer has (telephone receiving an SMS OTP)
  • Inherence: an element that the customer is (biometrics) — optional if the other two are met
  • Dynamic linking (for payments): the authentication code must be specifically linked to the amount and the beneficiary (art. 5 RTS EU 2018/389)

Which banking acts fall under strong customer authentication?

  • Opening a payment account and account agreement
  • SEPA direct debit mandate (initial setup)
  • Customer onboarding file and remote KYC
  • Remote subscription to financial services
  • Portfolio management mandate and significant transfer order
  • Modification of a payment method or limit

What does a compliant SCA signature journey look like?

  1. Identify the customer (knowledge)

     The customer accesses the envelope via a secure link and authenticates with a first factor (email + password, or Certyneo identifier). This is the knowledge element.

  2. Verify possession (OTP)

     A single-use code (OTP) is sent by SMS to the customer's previously verified phone number. Entering the code proves possession — the second, independent factor.

  3. Sign with qualified timestamp

     The customer affixes their advanced signature (AES). Certyneo generates a unique signature certificate and a qualified timestamp compliant with article 26 of the eIDAS regulation.

  4. Produce the SCA audit trail

     The proof PDF documents the two factors, the qualified timestamp, the SHA-256 hash of the document and the signer's IP address — enforceable against the ACPR to demonstrate the SCA compliance of the journey.
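The four steps above, reduced to a runnable model. This is an added example written for this guide, not Certyneo's code: the password store, the OTP format (six digits, single use), the factor categories and the audit-trail fields are assumptions, and the timestamp is a plain UTC clock standing in for a qualified time-stamping token. The point it shows is the gating rule the RTS imposes: the signature is only produced once verified elements from at least two different categories exist, a replayed OTP is refused, and the trail records the SHA-256 of exactly the bytes that were signed.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Category of each SCA element (Article 97 PSD2 / RTS 2018/389). Assumed names.
CATEGORIES = {"password": "knowledge", "sms_otp": "possession", "fingerprint": "inherence"}


def sca_satisfied(elements_verified):
    """True only when verified elements span at least two different categories."""
    categories = {CATEGORIES[e] for e in elements_verified}
    return len(categories) >= 2


# --- Knowledge factor: salted PBKDF2 password record (constructed store) ---
def make_password_record(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "digest": digest}


def verify_password(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], 200_000)
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


# --- Possession factor: single-use SMS OTP (assumed 6 digits) ---
def issue_otp():
    return f"{secrets.randbelow(10**6):06d}"


def verify_otp(issued, entered, used_otps):
    """Accept the code once; a second presentation of the same code is a replay."""
    if issued in used_otps:
        return False
    ok = hmac.compare_digest(issued, entered)
    if ok:
        used_otps.add(issued)
    return ok


# --- Signature step: integrity of the signed document ---
def document_hash(pdf_bytes):
    return hashlib.sha256(pdf_bytes).hexdigest()


def run_journey(record, password, otp_issued, otp_entered, pdf_bytes, ip, signer, used_otps):
    """Return the audit-trail record, or None when SCA is not satisfied."""
    verified = []
    if verify_password(record, password):
        verified.append("password")
    if verify_otp(otp_issued, otp_entered, used_otps):
        verified.append("sms_otp")
    if not sca_satisfied(verified):
        return None  # refuse to sign: fewer than two independent factors
    return {
        "signer": signer,
        "factors": {e: CATEGORIES[e] for e in verified},
        "document_sha256": document_hash(pdf_bytes),
        # Assumption: a real journey stores the qualified TSA token here.
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "ip": ip,
    }


if __name__ == "__main__":
    # Constructed sample run: one signer, one mandate PDF, one OTP.
    rec = make_password_record("correct horse battery")
    otp = issue_otp()
    trail = run_journey(rec, "correct horse battery", otp, otp,
                        b"%PDF-1.7 SEPA mandate (constructed)", "203.0.113.10",
                        "signer@example.com", set())
    print(json.dumps(trail, indent=2))
```

Verifying the trail later means recomputing `document_hash` over the archived PDF and comparing it with `document_sha256`; any byte changed after signature makes the two differ.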

Frequently asked questions — PSD2 & strong authentication

Is advanced signature (AES) sufficient to satisfy PSD2 SCA?
Yes, when it combines two independent factors. Certyneo advanced signature covers knowledge (password / signature email) and possession (OTP SMS on a verified phone): two elements from different categories, compliant with article 97 of PSD2 and delegated regulation (EU) 2018/389. Biometrics (inherence) is not necessary as long as these two factors are present.
What is the difference between strong authentication (SCA) and electronic signature?
SCA authenticates the client's access and intention at the time of a sensitive operation; electronic signature seals a document with lasting evidentiary value. Certyneo combines both: the strong authentication journey directly feeds the signature audit trail, so that proof of authentication and proof of consent form an enforceable whole.
What is the dynamic linking required for payments?
Article 5 of delegated regulation (EU) 2018/389 requires that, for a payment operation, the authentication code be specifically linked to the amount and the beneficiary. Any modification of this data invalidates the code. For signing a mandate or order, the integrity guaranteed by the SHA-256 hash of the document fulfills an equivalent non-alteration function.
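Dynamic linking in code, as an added illustration that is not part of the guide or of Certyneo's product: the authentication code is an HMAC over the amount and the beneficiary (plus a per-transaction nonce), truncated to decimal digits in the style of RFC 4226. The key, nonce, IBAN and amounts are constructed sample values. Because the code is derived from the transaction data, changing the amount or the payee after the code was shown to the customer makes verification fail, which is exactly the property Article 5 asks for.

```python
import hashlib
import hmac

# Constructed sample session key (in practice: per-session secret held by the issuer).
SAMPLE_KEY = b"constructed-session-key-not-a-real-secret"


def dynamic_link_code(session_key, amount_cents, beneficiary_iban, nonce, digits=8):
    """Authentication code bound to amount and payee (Art. 5 RTS EU 2018/389).

    HMAC-SHA256 over the canonical transaction data, then RFC 4226 style
    dynamic truncation to `digits` decimal digits.
    """
    message = f"{amount_cents}|{beneficiary_iban.replace(' ', '').upper()}|{nonce}".encode()
    mac = hmac.new(session_key, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**digits:0{digits}d}"


def verify_payment(session_key, nonce, amount_cents, beneficiary_iban, presented_code):
    """Recompute the code for the data about to be executed; any change invalidates it."""
    expected = dynamic_link_code(session_key, amount_cents, beneficiary_iban, nonce)
    return hmac.compare_digest(expected, presented_code)


if __name__ == "__main__":
    nonce = "txn-0001"  # constructed
    code = dynamic_link_code(SAMPLE_KEY, 12_500, "FR76 3000 6000 0112 3456 7890 189", nonce)
    print("code shown to customer:", code)
    print("same amount/payee :", verify_payment(SAMPLE_KEY, nonce, 12_500, "FR7630006000011234567890189", code))
    print("amount changed    :", verify_payment(SAMPLE_KEY, nonce, 125_000, "FR7630006000011234567890189", code))
```

The display step matters as much as the maths: the customer must see the amount and beneficiary the code is bound to before confirming, otherwise the link proves nothing about what they consented to.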
Are there exemptions to strong authentication?
Yes. Delegated regulation (EU) 2018/389 provides for exemptions (low-value payments, recurring operations, trusted beneficiaries, transaction risk analysis). They concern the execution of payments, not the signature of a contractual act: signing an account agreement or mandate remains subject to the evidentiary requirements of article 1367 of the Civil Code.
Is the audit trail enforceable against the ACPR in case of inspection?
Yes. The Certyneo audit trail documents the two authentication factors, qualified timestamping, document integrity and signer identity. Exportable as a certified PDF, it allows you to demonstrate to the Prudential Supervision and Resolution Authority (ACPR) that the journey complies with the SCA requirements of PSD2.

Implement an SCA-compliant signature journey

Permanent free plan (5 envelopes / month), no credit card required. PSD2 strong authentication (SMS OTP), eIDAS advanced signature, enforceable audit trail and 10-year archiving included.