Regulation
PSD2 SCA and the weakness of SMS OTP
PSD2's Regulatory Technical Standards on Strong Customer Authentication, in force across the EU from 14 September 2019, require two independent factors from knowledge, possession and inherence for most electronic payments. SMS OTP is widely used to demonstrate possession of a registered phone number. A SIM swap breaks the independence that requirement relies on: once a number is moved to an attacker's SIM, they hold the very thing the OTP was meant to prove the account holder still had. This page describes what SCA asks for and where a SIM swap check fits. It is not legal advice.
This page summarises publicly available regulatory material in general terms. It is not legal advice. Confirm any control design with your own compliance and legal teams and against the current text of the RTS on SCA and, once finalised, the incoming PSR.
What SCA actually requires
The RTS on SCA requires payment service providers to apply authentication based on at least two independent elements from three categories: something the customer knows (a password or PIN), something the customer has (a registered device or SIM), and something the customer is (a biometric factor). The requirement applied EU-wide from 14 September 2019. In the UK, the FCA ran a phased implementation plan, and after pandemic-era extensions, full enforcement for e-commerce card transactions applied from 14 March 2022 rather than the original EU date. Source: FCA, "FCA agrees plan for a phased implementation of Strong Customer Authentication", checked July 2026.
Established exemptions, including low-value transactions, transaction risk analysis and merchant-initiated transactions, remain part of the framework and are unaffected by anything on this page.
Why SMS OTP is a weaker possession factor than it looks
SMS OTP is popular because it is cheap and familiar, and it is commonly treated as evidence of possession: only the person holding the registered SIM should receive the code. A SIM swap defeats that assumption directly. Once a number has been transferred to a SIM the attacker controls, the OTP is delivered to the attacker, not the account holder, and the "possession" check is satisfied by the wrong person. The authentication event still technically passes two factors, but the independence the regulation intends between them has collapsed into one: whoever controls the SIM.
This is a different weakness from SMS interception at the network signalling layer, which is a separate, more infrastructure-level concern. The SIM swap case is simpler and, for most retail fraud, more common: the attacker does not need to intercept anything, they only need to convince a mobile operator to reissue the SIM.
Where a SIM swap check fits under SCA
A SIM swap check does not replace a possession factor; it verifies that the possession factor is still meaningful before relying on it. Querying whether a number has recently changed SIMs, immediately before an SMS OTP is sent, tells you whether the OTP is likely to reach the genuine account holder or an attacker. If a recent swap is detected, routing to a different factor, such as an app-based push authentication or a call to a previously verified device, preserves the intent of SCA rather than the letter of "an SMS was sent". See how to detect a SIM swap before sending an OTP for the integration pattern.
What's coming: PSD3 and the PSR
PSD2 is in the process of being replaced by a new Payment Services Directive (PSD3) and a directly applicable Payment Services Regulation (PSR). As of the checked date below, this is legislative work in progress and not yet in force: the European Parliament and Council reached provisional political agreement on the texts on 27 November 2025, and COREPER endorsed the agreed compromise text on 23 April 2026, with formal adoption and publication in the EU Official Journal still to follow. Firms should treat PSD3/PSR as upcoming, not current, law until that publication happens and the applicable transposition and application dates are confirmed. Source: Norton Rose Fulbright, "PSD3 and PSR: From provisional agreement to 2026 readiness", checked July 2026.
Of particular relevance here, published summaries of the agreed text describe an expanded list of SCA trigger events that explicitly includes changes to a payment account's registered contact details, alongside the existing triggers. That is a direct regulatory acknowledgement that the phone number and contact details behind an account are part of the authentication picture, not just the OTP delivery channel. This detail should be re-verified against the final published text once PSD3/PSR is formally adopted, since provisional agreements can change before publication.
Signals available today
Live in every response
- Active status: whether the number is currently reachable on the carrier network
- Carrier: the network operator serving the number
- Country: ISO country code of the number
- Number type: mobile, landline, fixedVoip, nonFixedVoip, tollFree or voicemail