Barclays reject consumers who do not authenticate using PINsentry or Mobile PINsentry, stating "For your security you can only use this service if you have PINsentry."
(see attached image)
However it is clear that through the Web based portal, Barclays support alternative methods of authentication (namely, memorable word and passcode)
(see attached images)
From our experience performing screen scraping, a significant percentage of users prefer to opt for these methods of access - our scraping solution allows users to choose their preferred form of authentication and a large number of our existing users opted for this method.
Given that non-PINsentry access is possible in Online portals, we additionally question whether current offerings are aligned to RTS Art. 32(3), in particular the comments regarding preventing use of issued credentials.
We note that this grants users a "read only", limited view of their account. Therefore we recognise that Memorable Info/Passcode based authorization is inappropriate for PISP use cases since payment initiation cannot be performed through existing online channels with these credentials. However, PSUs can access all relevant account information using these credentials and as such we would suggest that these methods should be acceptable for use for AIS authorization.
We recognise that SCA is a regulatory requirement for all interfaces as PSD2 comes into effect. However this should not be applied unevenly to the dedicated interface before being added to other online channels - doing so is conflict with the spirit of CMA order (and in particular the provisions of the Trustee P3/P4 letter) and alignment with the future PSD2 regulatory framework cannot come at the expense of CMA Order alignment/current customer experience.
Critical. A significant percentage of consumers we've interacted with using legacy scraping solutions use these methods. To interact with AISP services they will be forced to use alternative credentials compared to their usual online banking experience, or will be unable to access the services at all if no PINsentry device/application is available to them.
Align the dedicated Open Banking interface credential requirements with the credential requirements of other online channels, namely allowing the non-PINsentry access for AISP authorization.