We have PSD2 though; I think we're voluntarily (or perhaps conditional in the exit negotiation) signed up to it anyway, perhaps so that 'open banking' works internationally still?
Just from a cursory 'psd2 sms multifactor' search, I can't see anything definitively saying it's not allowed though? I can see 'must use secure MFA' (implying it might be pretty open to interpretation) and blogspam type sites saying 'the short answer is yes [SMS can be used]' or 'can be as simple as implementing SMS and voice'.
This one seems reasonable - https://www.onespan.com/blog/psd2-end-sms-based-authenticati... - and though his opinion is that it's not up to scratch, it does make it seem like it comes down to interpretation and your willingness to defend your position. Unless you know that it literally says 'must not use SMS' now?
Two examples I can think of are Santander, and NS&I (run by UK gov). The latter might not be a 'payment service' though I suppose (savings accounts only). I think NewDay (rebadged credit card aaS provider) too.
Just from a cursory 'psd2 sms multifactor' search, I can't see anything definitively saying it's not allowed though? I can see 'must use secure MFA' (implying it might be pretty open to interpretation) and blogspam type sites saying 'the short answer is yes [SMS can be used]' or 'can be as simple as implementing SMS and voice'.
This one seems reasonable - https://www.onespan.com/blog/psd2-end-sms-based-authenticati... - and though his opinion is that it's not up to scratch, it does make it seem like it comes down to interpretation and your willingness to defend your position. Unless you know that it literally says 'must not use SMS' now?
Two examples I can think of are Santander, and NS&I (run by UK gov). The latter might not be a 'payment service' though I suppose (savings accounts only). I think NewDay (rebadged credit card aaS provider) too.