Chapter 07 of 08 · Security

Two-factor authentication for ČNB-regulated banks: SCA under PSD2

Banks and fintechs in the Czech Republic fall under Czech National Bank (ČNB) regulation and the EU PSD2 directive (RTS 2018/389). Strong Customer Authentication (SCA) requires two of three factors, and SMS OTP remains the most widely used "something you have" element. 4notify guarantees P50 delivery within 1 second, voice fallback on SMS failure and 90-day retention for ČNB audits.

Problem

If the OTP doesn't arrive within 30 s, 19% of users abandon the transaction, and the bank then handles hundreds of complaints a week. A standard aggregator can't guarantee OTP priority, so weekend latency degrades to 8 s because of neighbouring tenants' marketing campaigns on the same aggregator.

Legal framework
Directive (EU) 2015/2366 (PSD2) — RTS 2018/389

SCA requires two independent factors; ČNB accepts SMS OTP as a "possession" factor if the channel is reliable.

Zákon č. 370/2017 Sb. o platebním styku (Act No. 370/2017 Coll. on payment services)

Czech PSD2 transposition; § 223 et seq. detail the technical SCA standards applicable in CZ.

Opatření ČNB č. 4/2017 o vnitřním řídicím systému banky (ČNB Measure No. 4/2017 on a bank's internal governance system)

Requires logging all security events for 5 years; OTP events are exported by 4notify in a ČNB-compatible format.

Architecture
01 Priority OTP channel

OTP messages run on a separate track with priority over marketing traffic; the SLA guarantees P95 latency below 3 s, weekends included.

02 Generation and TTL

6-digit numeric OTP generated by 4notify from a CSPRNG, TTL 90 s; the code expires automatically and the client must request a fresh one.

03 Voice fallback

If the SMS is not acknowledged within 20 s, 4notify automatically places a call and a TTS robot reads out the OTP.

04 ČNB audit log

Every OTP carries a structured record: dispatch time, delivery, use, client IP, device fingerprint; export in JSON, CSV and XAdES.

Code
bash
# 1. The bank requests generation of an OTP.
#    X-Idempotency-Key ties retries to one transaction so a retried request
#    never issues the customer a second, different code.
curl -X POST https://api.4notify.net/v1/otp/issue \
  -H "Authorization: Bearer $OTP_API_KEY" \
  -H "Content-Type: application/json" \
  -H "X-Idempotency-Key: $TRANSACTION_ID" \
  -d '{
    "channel": "sms",
    "fallback_channel": "voice",
    "recipient": "+420777123456",
    "ttl_seconds": 90,
    "template": "psd2_payment_authorization",
    "variables": { "amount": "1248 Kc", "merchant": "VasFirma" }
  }'
# 200 OK
# { "otp_id": "otp_abc123", "delivered_at": "2026-05-29T14:01:02.481Z" }

# 2. The bank verifies the OTP entered by the user (same bearer token, JSON body):
curl -X POST https://api.4notify.net/v1/otp/verify \
  -H "Authorization: Bearer $OTP_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "otp_id": "otp_abc123", "code": "284913" }'
# 200 OK { "verified": true, "used_at": "2026-05-29T14:01:34.812Z" }
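The issue/verify lifecycle above, modelled on the server side as an added example (not 4notify's code): a 6-digit CSPRNG code, a 90 s TTL after which a fresh code is required, single use, idempotent re-issue on the same transaction key, and a constant-time compare. The attempt cap of 5 is an assumption; the page only says "brute-force protections".

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

OTP_DIGITS = 6          # page: 6-digit numeric OTP
OTP_TTL_SECONDS = 90    # page: TTL 90 s, then the client must request a fresh one
MAX_ATTEMPTS = 5        # assumption: the page only says "brute-force protections"

@dataclass
class OtpRecord:
    code: str
    issued_at: float
    attempts: int = 0
    used_at: Optional[float] = None

class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for testing expiry
        self._records: Dict[str, OtpRecord] = {}
        self._by_key: Dict[str, str] = {}        # X-Idempotency-Key -> otp_id

    def issue(self, idempotency_key: str) -> str:
        # Same transaction key -> same otp_id: a retried request never sends the
        # customer a second, different code.
        if idempotency_key in self._by_key:
            return self._by_key[idempotency_key]
        # CSPRNG-backed and zero-padded, so "004213" is as likely as any other code.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        otp_id = "otp_" + secrets.token_hex(8)
        self._records[otp_id] = OtpRecord(code=code, issued_at=self._clock())
        self._by_key[idempotency_key] = otp_id
        return otp_id

    def verify(self, otp_id: str, submitted: str) -> Tuple[bool, str]:
        rec = self._records.get(otp_id)
        if rec is None:
            return False, "unknown_otp"
        if rec.used_at is not None:
            return False, "already_used"         # single use
        if self._clock() - rec.issued_at > OTP_TTL_SECONDS:
            return False, "expired"              # client must request a fresh OTP
        if rec.attempts >= MAX_ATTEMPTS:
            return False, "locked"               # brute-force protection
        rec.attempts += 1
        # Constant-time compare: 10^6 codes are cheap to enumerate if timing leaks.
        if not hmac.compare_digest(rec.code.encode(), submitted.encode("utf-8")):
            return False, "mismatch"
        rec.used_at = self._clock()
        return True, "verified"
```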
Sample message (SMS)

YourBank: Verification code for 1,248 CZK payment to YourBrand is 284913. Don't share with anyone. Valid 90 s.

Before launch
  • Privacy-by-design audit (DPIA) per ČNB template
  • Data processing agreement (DPA) signed with 4notify
  • SLA with P95 ≤ 3 s on the OTP channel
  • Enable voice fallback (voiceOTP)
  • Test audit export in JSON, CSV and XAdES
  • Penetration-test the OTP TTL and brute-force protections
What 4notify does differently

Priority OTP track with P95 ≤ 3 s, voice fallback and SIM-swap check via the Czech MNP database — ČNB-audit-ready.

FAQ
Does ČNB accept SMS as an SCA element?

Yes, provided the channel is reliable. ČNB recommends push notification as the primary channel with SMS as a fallback running in parallel. 4notify handles both paths.

What about non-CZ phone numbers?

OTP to 240 countries via international A2P connection; latency degrades (P95 6–8 s), so we always enable push-primary for international users.

How do you handle SIM-swap attacks?

4notify connects to the MNP database of the three Czech operators; every OTP request checks the last SIM change date and warns the bank if it was in the last 24 hours.

Start free

14 days, no card. Czech-language support.
