Strong Customer Authentication in Private Banking: Three Controls
Article 105-3 of the amended Luxembourg law of 10 November 2009 on payment services, electronic money institutions and settlement finality in payment and securities settlement systems (hereafter, the “Payment Services Law of 2009”) requires strong customer authentication where the payer accesses its payment account online, initiates an electronic payment transaction, or carries out a remote-channel action which may imply payment fraud or other abuse risk.
Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (hereafter, the “SCA Delegated Regulation”, SCA meaning Strong Customer Authentication) specifies the mechanics. Authentication must use at least two elements from knowledge, possession and inherence. For remote electronic payments, the authentication code must be dynamically linked to the amount and the payee.
Three Operational Controls
- (i) Map the relevant actions with precision. Identify each customer journey and touchpoint where authentication may be triggered, such as online account access, payment initiation, beneficiary management, card usage and mobile interactions. Distinguish clearly between simple access, transaction execution and higher-risk operations. This structured mapping is essential to determine when strong customer authentication must apply and to avoid both gaps and unnecessary friction.
- (ii) Govern and evidence exemptions under the SCA Delegated Regulation. Key cases include trusted beneficiaries, recurring payments, low-value transactions, transaction risk analysis and secure corporate payment protocols. Each exemption operates within a narrowly defined legal framework and can only be applied at specific stages of the payment process, typically at initiation or execution. Institutions should establish detailed internal policies setting out eligibility criteria, decision trees and escalation procedures. Real-time controls must verify that each transaction meets the applicable conditions before an exemption is granted. Comprehensive audit trails should record the rationale, data inputs and system decisions supporting each exemption. Continuous monitoring is particularly critical for transaction risk analysis, where fraud-rate thresholds must be respected and recalibrated as needed. Regular reviews, testing and governance oversight are necessary to ensure that exemptions remain compliant, proportionate and aligned with evolving fraud patterns and regulatory expectations.
- (iii) Ensure that relationship-manager involvement is strictly framed and does not circumvent the requirements of the Payment Services Law of 2009. In practice, this requires a clear segregation between advisory support and execution of payment instructions. Relationship managers may assist clients in preparing or transmitting orders, but they must not replace or weaken the authentication process required at the point of payment initiation or confirmation. Institutions should define explicit procedures governing assisted transactions, including mandatory use of approved channels, traceability of instructions and verification of client intent. Controls should ensure that any manual intervention is logged, reviewed and subject to the same authentication standards as fully digital flows. Training and internal guidance are essential so that front-office staff understand both the legal boundaries and the operational risks. Ultimately, the objective is to preserve the integrity of strong customer authentication while maintaining a high level of client service.
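The two mechanics described above, the authentication code dynamically linked to the amount and the payee and the real-time, evidenced exemption decision of control (ii), as an added example that is not part of the original article and not any bank's production code. The per-device HMAC key, the payee identifier and the low-value ceiling are assumed, illustrative values.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    amount_cents: int
    currency: str
    payee_iban: str

def linking_message(payment: Payment, nonce: str) -> bytes:
    # Data the code is bound to: amount, currency, payee and a one-time nonce.
    return f"{payment.amount_cents}|{payment.currency}|{payment.payee_iban}|{nonce}".encode()

def issue_auth_code(device_key: bytes, payment: Payment, nonce: str) -> str:
    # Possession element: the enrolled device holds device_key (assumed here to be a
    # per-device HMAC key) and signs only the amount and payee shown to the payer.
    return hmac.new(device_key, linking_message(payment, nonce), hashlib.sha256).hexdigest()

def verify_auth_code(device_key: bytes, payment: Payment, nonce: str, code: str) -> bool:
    # The bank recomputes the code over the transaction it is about to execute, so a
    # change to amount or payee after approval produces a mismatch.
    expected = issue_auth_code(device_key, payment, nonce)
    return hmac.compare_digest(expected, code)

def exemption_decision(payment: Payment, trusted_payees: set[str],
                       low_value_ceiling_cents: int, audit_log: list[dict]) -> bool:
    # Real-time eligibility check for two of the exemptions the text names, run before
    # SCA may be skipped. The ceiling is an illustrative parameter, not the regulatory
    # figure, and the cumulative limits of the real low-value exemption are not modelled.
    if payment.payee_iban in trusted_payees:
        reason = "trusted beneficiary"
    elif payment.amount_cents <= low_value_ceiling_cents:
        reason = "low value"
    else:
        reason = None  # no exemption: strong customer authentication is required
    # Evidence every decision, exempt or not, with its inputs and rationale.
    audit_log.append({"amount_cents": payment.amount_cents, "currency": payment.currency,
                      "payee_iban": payment.payee_iban, "exemption": reason})
    return reason is not None

if __name__ == "__main__":
    key = b"constructed-device-key"  # constructed sample, not a real secret
    order = Payment(150_000, "EUR", "LU00EXAMPLEPAYEE0001")  # constructed sample payee
    nonce, log = "challenge-0001", []
    code = issue_auth_code(key, order, nonce)
    print(verify_auth_code(key, order, nonce, code))  # True: amount and payee unchanged
    print(verify_auth_code(key, Payment(950_000, "EUR", order.payee_iban), nonce, code))  # False
    print(exemption_decision(order, set(), 3_000, log), log[-1]["exemption"])  # False None
```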
In practice, private banks should test the client portal, mobile application, remote payment orders, card flows and holding-company accounts. The consequence is that an exemption from the strong customer authentication rules that is not properly documented and justified becomes a compliance, fraud and liability risk.
Connect with Bertrand Mariaux on LinkedIn. You can listen to the related podcast on ApplePodcast, Spotify, YouTube, or wherever you get your podcasts.
References:
- Amended Luxembourg law of 10 November 2009 on payment services, consolidated Legilux version (https://legilux.public.lu/eli/etat/leg/loi/2009/11/10/n1/consolide/20250411)
- Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, consolidated EUR-Lex version (https://eur-lex.europa.eu/eli/reg_del/2018/389/2023-07-25/eng)