How does affect?

From 14 September onwards, some of the aspects that have the biggest impact on payment service users will be coming into effect, and we wanted to inform you of this.

IMPACT OF PSD2 ON USERS
INCREASED SECURITY

STRONG CUSTOMER AUTHENTICATION

One of the main aims of this policy is to improve the safety of remote operations to reduce fraud in these services.
Hence, it introduces the concept of strong customer authentication (SCA), which is based on a second authentication factor. When a user wishes to carry out an operation, they must identify themselves through the combination of two of the following three authentication factors:

ACCESS AUTHENTICATION

Strong authentication will not only be mandatory for payment operations, but also when logging in for the first time and periodically (maximum 180 days from the last secure access) to use digital banking channels.
It will also be required to view account movements more than 90 days old.

AUTHENTICATION FOR OUR DIGITAL CHANNELS

On our digital channels, strong authentication will be carried out by means of:

• Entering your username and password (something you know)
• Your FirmaMóvil or SMS Signature (something you have)

E-COMMERCE PAYMENTS USING BANK CARDS

The implementation of strong authentication in e-commerce payments made with bank cards is being delayed, and so will not be implemented in September.

We will keep you informed about this.

EXEMPTIONS FROM STRONG AUTHENTICATION

Some payment operations will be exempted from the requirement for strong authentication. In our case, on 14 September, we started applying the following:

• Operations for small amounts (less than 30€ with an accumulated total of 100€)
• Transfers between the Holder’s accounts

Therefore, these operations will be confirmed by pressing the OK button.

We will soon be implementing the following exceptions:

• Trusted beneficiary
• Frequent operations
• Low-risk operations

WHAT WE NEED FROM YOU FOR STRONG AUTHENTICATION

So that we can carry out strong authentication, we need your mobile phone number, which must be linked to your virtual branch contract and your bank card.

Log into online banking (Tools/ Personal details/ Mobile phone) to confirm that we have your correct number, and whether you can change it online or you need to go to your branch to do so.

NEW WAYS OF OPERATING

Another of the objectives of the new directive is to increase the range of payment services available to users. To do this, two new figures have been created:

PAYMENT INITIATORS

Who will be able to initiate payments directly against the users accounts held with their Financial Institution.

INFORMATION AGGREGATORS

Who will be able to collect information about user accounts in one or several financial institutions and aggregate it so that it can be presented all together.

CONSEQUENCES

1. In order to perform these activities, payment initiators and information aggregators will require the express consent of the account owners.
2. We advise you to be extremely careful when managing your consent.
3. To make it easier for you to operate using Online Banking, there will be a feature that will allow you to manage (view / change / cancel) these permissions:
   - Linkage: Where the Customer authorises a third party Entity to access our systems on your behalf.
   - Consent: Where the Customer authorises these third party entities to access your account information, as well as to request confirmation of funds.
4. For our part, we will always make sure that you consent to requests for payments, as well as information, requested by these new Entities in your name.
5. Through the current management services for future or periodic operations available through your online banking, you will also be able to manage these kinds of operations completed through a payment initiator.