1This Article applies where a payment service user is accessing account information through an account information service provider.
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2 and paragraph 3 of this Article, where a payment service user is limited to accessing either or both of the following items without disclosure of sensitive payment data:
the balance of one or more designated payment accounts;
the payment transactions executed in the last 90 days through one or more designated payment accounts.
For the purpose of paragraph 2, payment service providers shall not be exempted from the application of strong customer authentication unless strong customer authentication has been applied on at least one previous occasion where the account information service provider accessed the information specified in paragraph 2 on behalf of the payment service user.