Client Communication

A. Impated changes on Citidirect BE users

From 14th September 2019, CitiDirect BE users that have access to one or more Citi accounts located in the European Economic Area (EEA) will be subject to Strong Customer Authentication (SCA) security measures required by PSD2 (Directive (EU) 2015/2366). In order to meet the SCA requirements by this regulatory deadline, the following changes in system security behaviour will become live on CitiDirect BE from the 7th September 2019 for users that have access to Citi EEA accounts:

• The maximum number of consecutive failed authentication attempts at login will be set to five. A user login account will be locked upon reaching five consecutive failures. A locked user will need to request their Client Security Manager to unlock their user login account, or contact Citi Service if a Client Security Manager has not been appointed.
• The maximum period of inactivity whilst logged into CitiDirect BE will be set to five minutes. Users will be automatically logged out as a security feature upon reaching five minutes of inactivity, and will be required to log in again to continue using CitiDirect BE.

B. Changes impacting payment initiation file imports uploaded in-session via CitiDirect BE

From 14th September 2019, payment files that are uploaded by a CitiDirect BE user in order to initiate payments from a Citi account located in the European Economic Area (EEA) will need to satisfy one or more of the following security measures in order to comply with Strong Customer Authentication (SCA) requirements of PSD2 (Directive (EU) 2015/2366):

• The payment file is digitally signed using a private certificate key registered to the client.
• The payment file as a whole is authorised in CitiDirect BE by a user that is entitled to do this. This authorisation flow can be configured by the client Security Manager within CitiDirect BE.
• The payments contained in the payment file are authorised in CitiDirect BE, either individually or in batches, by a user that is entitled to do this. This authorisation flow can be configured by the client Security Manager within CitiDirect BE.

Citi clients will be required to ensure at least one of the above security processes is implemented for files initiating payments from EEA accounts at the earliest opportunity, and no later than 31st October 2019.

Citi would like to assure you that your payment files that would currently not meet the PSD2 SCA requirements will continue to be processed after the regulatory deadline for meeting these requirements on the 14th September 2019 in order to give you time to implement the compliance measures by the end of October.

A Citi Digital Clients Support Specialist will contact you shortly to confirm with you the file import profiles that we have identified as not meeting the PSD2 SCA requirements, and to discuss with you the implementation steps that will enable these file import profiles to become compliant.

C. Changes impacting payment initiation files transmitted host-to-host via CitiConnect for Files

From 14th September 2019, payment files that have been transmitted via the CitiConnect for Files host-to-host channel in order to initiate payments from a Citi account located in the European Economic Area (EEA) will need to be digitally signed using a private certificate key registered to the client in order to satisfy Strong Customer Authentication (SCA) requirements of PSD2 (Directive (EU) 2015/2366).

Citi clients will be required to ensure a client digital signature is implemented for files initiating payments from EEA accounts at the earliest opportunity, and no later than 31st December 2019.

Citi would like to assure you that your payment files that would currently not meet the PSD2 SCA requirements will continue to be processed after the regulatory deadline for meeting these requirements on the 14th September 2019 in order to give you time to implement the compliance measures by the end of the year.

A Citi Technical Implementation Manager will contact you shortly to confirm with you the payment files we have identified as not meeting the PSD2 SCA requirements, and to discuss with you the implementation steps that will enable these files to become compliant.

Information for Third Party Service Providers:

In accordance with Payment Services Directive (EU) 2015/2366 of the European Parliament and of the Council (PSD2), this interface can be used by authorized payment initiation service providers, account information service providers, and payment service providers issuing card-based payment instruments. For further information about this interface including documentation to assist with implementing this interface please fill out this simple web form.

If you need further assistance please contact our EB-HelpDesk. Phone: +36 (1) 374 5518.