[unofficial translation]
Pursuant to Article 44 paragraph 2 item 3 of the Central Bank of Montenegro Law
(OGM 40/10, 6/13, 70/17, 125/23) and Article 56c paragraph (7) of the
Payment System Law (OGM 62/13, 111/22), the Council of the Central Bank of
Montenegro, at its meeting held on 31 July 2024, passed the following
DECISION
amending the Decision on ensuring strong customer authentication and
common and secure open standards for communication
Article 1
In Article 11, paragraph 1 shall be amended to read:
“(1) A payment service provider shall be allowed not to apply strong customer
authentication, subject to compliance with the general requirements laid down
in Article 2 of this Decision, where a payment service user is accessing its
payment account online directly, provided that access is limited to one of the
following items online without disclosure of sensitive payment data:
- the balance of one or more designated payment accounts; or
- the payment transactions executed in the last 90 days through one or
more designated payment accounts.”
In paragraph 2 item 1 the words: “and/or” shall be replaced by the following:
“or”.
In item 2 the words: “90 days” shall be replaced by the following: “180 days”,
and the words: “item 2” shall be deleted.
Article 2
After Article 11 a new Article shall be added worded as follows:
“Access to the payment account information through an account
information service provider
Article 11a
(1) A payment service provider shall not apply strong customer authentication
where a payment service user is accessing its payment account online through
an account information service provider, provided that access is limited to one
of the following items online without disclosure of sensitive payment data:
- the balance of one or more designated payment accounts; or
- the payment transactions executed in the last 90 days through one or
more designated payment accounts.
Decision on Ensuring Strong Customer Authentication and Common and Secure Open Standards for Communication (OGM 78/24)
(2) By way of derogation from paragraph (1) of this Article, a payment service
provider shall apply strong customer authentication where:
- the payment service user is accessing online the information specified in
paragraph (1) of this Article for the first time through the account
information service provider; or
- more than 180 days have elapsed since the last time the payment service
user accessed online the information specified in paragraph (1) of this
Article through the account information service provider and strong
customer authentication was applied.
(3) By way of derogation from paragraph (1) of this Article, a payment service
provider shall be allowed to apply strong customer authentication where they
have objectively justified and duly evidenced reasons relating to unauthorised
or fraudulent access to the payment account.
(4) In the case referred to in paragraph (3) of this Article, the payment service
provider shall document and duly justify to the Central Bank, upon request, the
reasons for applying strong customer authentication.
(5) An account servicing payment service provider that offers a dedicated
interface as referred to in Article 32 of this Decision shall not be required to
implement the exemption laid down in paragraph (1) of this Article for the
purpose of the contingency mechanism referred to in Article 34 paragraphs (5)
and (6) of this Decision, where they do not apply the exemption laid down in
Article 11 of this Decision in the direct interface used for authentication and
communication with their payment service users.”
Article 3
In Article 31 after paragraph (7) a new paragraph shall be added worded as
follows:
“(8) By way of derogation from paragraph (7) of this Article, an account servicing
payment service provider shall make available to the payment service providers
referred to in paragraph (7) of this Article the changes made to the technical
specifications of their interfaces in order to comply with Article 11a of this
Decision not less than 2 months before such changes are implemented.”
In paragraphs (10) and (11) the words: “paragraph (9)” shall be replaced by the
following: “paragraph (10)”.
Current paragraphs (8) to (12) shall become paragraphs (9) to (13).
Article 4
In Article 34 paragraph (8) item 2) the words: “paragraphs (9), (10) and (11)”
shall be replaced by the following: “paragraphs (10), (11) and (12)”, and the
words: “paragraph (9)” shall be replaced by the following: “paragraph (10)”.
Article 5
In Annex 2 item 5 sub-item 5.6 the words: “paragraph (9)” shall be replaced by
the following: “paragraph (10)”.
In item 6 sub-item 6.3 the words: “paragraph (9)” shall be replaced by the
following: “paragraph (10)”.
Article 6
This Decision shall enter into force on the eighth day following that of its
publication in the Official Gazette of Montenegro.
THE COUNCIL OF THE CENTRAL BANK OF MONTENEGRO
CHAIRPERSON
GOVERNOR
Irena Radović, m.p.
Decision number: 0101-5825-4/2024
Podgorica, 31 July 2024