De Notify-Staatscourant
Uitgegeven krachtens Koninklijk Besluit · Koninkrijk der Nederlanden
OPENBAAR · De Nederlandsche Bank · AFM
No.
Stcrt-NL-001
Date
2026-05-27
Effective
2026-06-01
Status
In force

PSD2 Strong Customer Authentication: one-time-code delivery for iDEAL, Tikkie Bunq and Dutch banks over KPN, Odido and Vodafone

De Nederlandsche Bank (DNB) and the Autoriteit Financiële Markten (AFM) supervise the implementation of PSD2 at Dutch banks. Every iDEAL payment above € 30 and every Tikkie above € 50 requires Strong Customer Authentication with two factors. 4notify delivers OTP codes via tier-1 direct interconnects with P50 < 4 seconds across KPN, Odido (T-Mobile NL + Tele2 merger 2022) and Vodafone NL (VodafoneZiggo).

SMSPushEmail
Preamble

Pursuant to the Second Payment Services Directive 2015/2366/EU and the Dutch implementation in the Financial Supervision Act (Wft) §3:17, De Nederlandsche Bank, in consultation with the Autoriteit Financiële Markten, issues the following Notice concerning the delivery of Strong-Customer-Authentication one-time codes over the Dutch mobile networks.

Cited statutes
Wet op het financieel toezicht (Wft) §3:17

PSD2 implementation: SCA mandatory for every electronic payment above € 30 (iDEAL) or € 50 (Tikkie).

DNB Beleidsregel SCA + PSD2 (2018)

Three factors (knowledge, possession, inherence) and exceptions under € 30.

Burgerlijk Wetboek 7:520

Notification duty of the payment service provider towards the payer via a durable medium.

Implementation
01

DNB notification + tier-1 interconnect

4notify has tier-1 direct interconnects with KPN, Odido and Vodafone NL and is on the DNB list of recognised service providers for PSD2 delivery.

02

OTP generation in bank HSM

The one-time code is generated in the bank's hardware-security-module; 4notify receives only the hash representation and the mobile number.

03

60-second window + fallback cascade

SMS delivered within 60 seconds; on DLR failure, fallback to Push, then email. Prevents grey-route delays.

04

Seven-year audit retention

Every delivery signed and retained seven years — per §3:17 Wft and DNB requirements.

Delivery envelope
json
{
  "gebeurtenis": "bank.psd2.sca_otp",
  "bank_id": "NL-XXXX",
  "transactie_id": "TX-2026-05-27-948210",
  "bedrag": 240.00,
  "valuta": "EUR",
  "aflevering": {
    "kanaal": "sms",
    "fallback": ["push", "email"],
    "venster_seconden": 60,
    "sjabloon": "psd2_sca_otp_nl_v3"
  },
  "audit_handtekening": "https://4notify.net/sig/bank/948210"
}
Sample message
SMS

ING: Your confirmation code for the iDEAL payment of € 240.00 to M. Jansen: 482-193. Code valid 5 min. Do not share.

Compliance checklist
  • DNB notification as recognised delivery service provider
  • Tier-1 direct interconnects at all three MNOs active
  • OTP P50 ≤ 4 seconds in quarterly measurement
  • Seven-year audit retention documented
What 4notify does differently

4notify is the only A2P service provider with simultaneous tier-1 direct interconnects at all three Dutch mobile networks (KPN, Odido, Vodafone NL) and DNB-recognised seven-year audit envelope for PSD2-compliant delivery.

Frequently asked questions
Does 4notify deliver directly to Dutch banks or via aggregator?

Direct tier-1 interconnects with KPN, Odido and Vodafone NL. No grey-route aggregation for PSD2 traffic.

Are Push notifications recognised as second factor?

Yes — per DNB SCA Policy Push notifications with app binding are a recognised possession factor. They do not replace the durable-medium duty under BW 7:520, so we always pair Push with SMS or email.

Issued by Royal Decree of
the Notify Ministry of Notices
2026-05-27 · Stcrt-NL-001

Start free

14 days, no card. Dutch + English support during the working week.

Other notices