Annála
4notify Ireland · Iris Oifigiúil
OF RECORD · Central Bank of Ireland
Annal No
ANN-IE-001
Recorded
2026-05-27
Status
In force
Category
Banking & Payments

Strong Customer Authentication: OTP delivery to Irish banks across Vodafone, Three and Eir

The Central Bank of Ireland supervises Strong Customer Authentication under the EU Payment Services Directive (PSD2), transposed by S.I. No. 6 of 2018. Every electronic payment above €30 requires two-factor authentication. 4notify delivers OTPs with P50 under 4 seconds across Vodafone Ireland, Three Ireland and Eir using tier-1 direct connections.

SMSPushEmail
Preamble

Item 1 — Pursuant to the European Union (Payment Services) Regulations 2018 (S.I. No. 6 of 2018) and the Central Bank of Ireland's supervisory framework, this Annal is recorded concerning the delivery of Strong Customer Authentication one-time passcodes across Irish mobile networks.

Statutory Basis
S.I. No. 6 of 2018 (PSD2 Regulations)

Transposes the EU Payment Services Directive into Irish law; Central Bank of Ireland designated as competent authority.

Commission Delegated Regulation (EU) 2018/389

Regulatory technical standards for Strong Customer Authentication; two-factor requirement on electronic payments above €30.

Central Bank (Supervision and Enforcement) Act 2013

Powers of the Central Bank of Ireland to supervise regulated payment service providers and impose administrative sanctions.

Implementation
01

Central Bank notification + tier-1 connectivity

4notify holds tier-1 direct connections with all three Irish operators and appears on recognised delivery provider lists for PSD2 traffic.

02

OTP generated in the bank HSM

The one-time passcode is generated in the bank's hardware security module; 4notify receives only the hash and the phone number.

03

60-second window + fallback chain

SMS is delivered within 60 seconds; on DLR failure, push then email. Grey-route latency is avoided across all three networks.

04

Five-year audit retention

Every delivery is signed and retained for five years — aligned with Central Bank record-keeping and AML expectations.

Delivery Envelope
json
{
  "event": "bank.psd2.sca_otp",
  "bank_id": "IE-XXXX",
  "transaction_id": "TX-2026-05-27-948210",
  "amount": 240.00,
  "currency": "EUR",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "psd2_sca_otp_ie_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/948210"
}
Sample Message
SMS

AIB: your authorisation code for a €240.00 transfer to M. Murphy is 482193. Valid 5 min. Never share this code.

Compliance Checklist
  • Recognised PSD2 delivery provider arrangement in place
  • Tier-1 direct connections active across all three operators
  • OTP P50 ≤ 4 seconds measured each quarter
  • Five-year audit retention documented
The 4notify difference

4notify is the only A2P provider with simultaneous tier-1 direct connections across Vodafone Ireland, Three Ireland and Eir, plus a five-year signed audit envelope aligned with Central Bank of Ireland record-keeping for PSD2-compliant delivery.

Frequently Asked Questions
Does 4notify deliver to Irish banks directly or through an aggregator?

Tier-1 direct connections with Vodafone Ireland, Three Ireland and Eir. No grey-route aggregation for PSD2 traffic.

Are push notifications accepted as a second factor?

Yes — app-bound push notifications are a recognised possession factor. However, push alone may not satisfy durable-medium expectations, so we always pair push with SMS or email.

Recorded by
4notify Operations Office
2026-05-27 · ANN-IE-001

Start for free

14 days, no card required. Weekday support in English.

Other Annals in This Edition