Guide 05 of 08 · Banking
Available channels: SMS, WhatsApp

OTP for Greek banking services: Piraeus, Alpha, Eurobank, Ethniki — PSD2 SCA in under 3 seconds

The four systemic Greek banks — Piraeus Bank, Alpha Bank, Eurobank, National Bank of Greece — rely heavily on SMS OTP for strong customer authentication (SCA) under PSD2. The Bank of Greece (BoG) and the ECB have issued clear guidance: OTP must be one-time, time-bound (typically 5 minutes), dynamically linked to the specific payment and impossible to replay.

Problem

An OTP arriving in 9 seconds drives the user away from checkout. In large Greek e-banking flows, P95 latency > 6 s means cart abandonment +18%. Add the fact that the customer may be roaming (Aegean cruise ships, etc.) and routing becomes a real concern.

Legal framework
PSD2 RTS on SCA — Article 4

Two independent factors (knowledge + possession or inherence). SMS OTP fulfils "possession" if it is dynamically linked and time-bound.

EBA/GL/2017/13 — Risk mitigation

Max TTL set by the bank; ≤ 5 minutes recommended. A successful code may not be reused.

Greek framework: Law 4537/2018 (PSD2 transposition)

National PSD2 transposition; BoG oversight; covers incident reporting on serious SCA failures.

Architecture
01 · Premium routing only

OTPs route exclusively through the tier-1 premium channel; no fallback to standard rate. Latency target P95 < 3 s.

02 · Generate-and-sign API

The bank calls POST /v1/otp/generate and receives { code, transaction_hash, ttl_seconds }. The hash enables verification without storing the raw code.

03 · Dynamic linking to the payment

The OTP is bound to the amount and the recipient IBAN. If either changes before confirmation, the OTP is automatically voided.

04 · Roaming/MNP-aware delivery

Before sending, an HLR lookup reveals whether the handset is roaming. If so, a premium roaming route is chosen or the WhatsApp fallback is activated.
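As an added example (not 4notify's own code) of the verifier side of steps 02 and 03: it persists only a transaction hash plus timestamps, enforces the 300 s TTL and single use, and rejects the code if the amount or creditor IBAN changes. It assumes the hash is an HMAC over code, amount and IBAN under a demo key, which is a constructed choice for illustration.

```python
import hashlib
import hmac
import secrets
import time
from decimal import Decimal

# Assumption: in production this key lives in an HSM/KMS; constructed demo value only.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TTL_SECONDS = 300  # the 5-minute TTL used throughout the guide


def _norm_amount(amount) -> str:
    # Normalise so 248.5, "248.50" and Decimal("248.50") all link identically.
    return f"{Decimal(str(amount)):.2f}"


def link_hash(code: str, amount_eur, creditor_iban: str) -> str:
    # Dynamic linking: the stored hash commits to code + amount + IBAN, so the
    # verifier never needs the raw code, and any change to amount or IBAN
    # changes the hash and therefore voids the OTP.
    msg = f"{code}|{_norm_amount(amount_eur)}|{creditor_iban}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def generate(amount_eur, creditor_iban: str, now=None):
    # Returns (code, record): the code goes into the SMS template only; the
    # record (hash + timestamps, no raw code) is what the verifier persists.
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    record = {
        "transaction_hash": link_hash(code, amount_eur, creditor_iban),
        "issued_at": now,
        "ttl_seconds": TTL_SECONDS,
        "used_at": None,
    }
    return code, record


def verify(record: dict, code: str, amount_eur, creditor_iban: str, now=None) -> str:
    # Check order: single use, then TTL, then dynamic linking (constant-time compare).
    now = time.time() if now is None else now
    if record["used_at"] is not None:
        return "rejected:already_used"
    if now - record["issued_at"] > record["ttl_seconds"]:
        return "rejected:expired"
    candidate = link_hash(code, amount_eur, creditor_iban)
    if not hmac.compare_digest(record["transaction_hash"], candidate):
        return "rejected:mismatch"  # wrong code, or amount/IBAN changed since issue
    record["used_at"] = now  # mark consumed so the same code cannot be replayed
    return "accepted"
```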

Code

```json
{
  "channel": "sms",
  "template_id": "psd2_sca_otp_v3",
  "recipient": "+306987123456",
  "ttl_seconds": 300,
  "dynamic_linking": {
    "amount_eur": 248.50,
    "creditor_iban": "GR1601100400000004012345678"
  },
  "variables": {
    "code": "$generated",
    "merchant_name": "YourBrand"
  }
}
```
Sample message (SMS)

YourBrand: Confirmation code 482917 for the €248.50 transaction to GR16…5678. Valid for 5 minutes. Do not share.

Before launch
  • Premium-only routing enabled on the OTP template
  • TTL = 300 s, single-use enforced at the verifier
  • Dynamic linking (amount + IBAN) baked into the template
  • Roaming detection on; WhatsApp fallback
  • PSD2 incident reporting to BoG on a major incident
  • P95 latency monitor < 3 s with auto-alarm
What 4notify does differently

Premium-only routing with P95 < 3 s, out-of-the-box dynamic linking and roaming-aware fallback — PSD2 SCA-ready from day one.

FAQ
Is WhatsApp OTP allowed under PSD2?

Yes, provided the same criteria are met (single-use, time-bound, dynamic linking). EBA has stated explicitly that the rule is channel-agnostic.

How long should OTP last for large transactions?

For > €50,000 banks often shorten TTL to 60–120 s or require additional in-app biometric confirmation.

Is the OTP code logged?

Not the raw code. We log the hash plus generation/use timestamps. The hash is sufficient for audit without exposing sensitive data.
