
Strong Customer Authentication (SCA), Mobile App, OTP & E-Pin

Frequently asked questions

We're making some changes to our General Terms and Conditions and have prepared some Q&A for further guidance. If you need any further information after reading these answers, please get in touch.

General questions

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a requirement which forms part of the Payments Service Directive (PSD2) as transposed locally in Directive 1 of the Central Bank of Malta. This Directive aims to reduce fraud and make online payments safer through enhanced security.

SCA needs to have at least two of three elements:

Knowledge: Something only you know e.g. PIN or Password;

Possession: Something only you have e.g. Phone or device;

Inherence: Something only you are e.g. Biometric (fingerprint or Face/Voice ID).

Currently you receive an SMS with a code to the mobile phone number registered with the Bank. This code is then used to verify your online purchases. This is known as an SMS One Time Password (OTP), which is a one-factor authentication method. We are now introducing two-factor authentication for a stronger security process which is safer and more secure for online purchases.

When will this come into force?

In a staggered approach, starting from 22 June, the Bank started migrating customers to SCA where a two-factor authentication process is required to authorise online card payments. As from 28 October, even those currently using OTP will be required to use a two-factor authentication method by using their Phone Banking PIN together with the current OTP received on their mobile devices.

How will this affect me?

Going forward, if you make any online purchases using your HSBC credit and/or debit card, you will be required to verify these transactions using SCA, i.e. a two-factor authentication process.

How will I verify and authenticate my transactions?

We have introduced new enhancements to our existing HSBC Mobile Banking App which will allow you to verify and authenticate all your online purchases through our mobile app. Alternatively, you can still authenticate transactions through the OTP and E-Pin method referred to in the next question.

What happens if I don’t want to use the HSBC Mobile Banking App?

Although we recommend that our customers use the HSBC Mobile Banking App, which is a safe and secure means of authorising your purchases, we understand that not everyone will be comfortable using this service. If you still wish to continue making online purchases without using the HSBC Mobile Banking App, you will have to authenticate your card purchases using your 6-digit HSBC Malta phone banking PIN (E-Pin) followed by a 6-digit one-time password (OTP) that we will send to your mobile number held on our records while you are completing your purchase. This change will come into effect as from 28 October 2021.

How can I obtain a phone banking PIN to be able to continue using the OTP method rather than the mobile app?

If you do not wish to download the HSBC Mobile App and do not know your 6-digit HSBC phone banking PIN, kindly call us on +356 2380 8219 Monday to Friday 08.00 to 16.00 excluding public holidays. We suggest that you contact us at your earliest ahead of 28 October 2021 and allow a few days to receive your phone banking PIN.

I only have HSBC Online Banking. What do I need to do?

If you only use the HSBC Online Banking service, you will need to download the HSBC Mobile Banking App and register for this service. The App is user-friendly, gives you ease of access to your accounts 24/7, and provides security and swiftness when effecting banking transactions.

How can I download/register for the HSBC Mobile Banking App?

You can download the HSBC Mobile Banking App through GooglePlay or App Store. Registering for the HSBC Mobile Banking App will only take a couple of minutes.

To activate and begin using the Mobile Banking App, you will also need a Secure Key. This is mailed to you upon registration and can take a couple of days to arrive by post to the registered address on our system.

Do I have to pay for Strong Customer Authentication?

No - this service is free of charge.

Can I use both the HSBC Mobile Banking App and the SMS OTP + Phone Banking Pin?

No, once you have downloaded the HSBC Mobile Banking App you cannot utilise the latter service. It will only be available for those who do not have the HSBC app installed.

What will happen in the event I remove the HSBC Mobile Banking App?

If you decide to uninstall the HSBC Mobile Banking App, you would need to register for the SMS service and Phone Banking.

I have both a business and a personal relationship with HSBC – how will this affect me?

HSBC Personal customers going forward will need to either use HSBC Mobile Banking App which is fee free and available for download through GooglePlay or App Store or a PIN solution which will be available in due course. You will not be able to use both services.

For Business customers, specifically HSBC Fusion customers, those who do not have mobile banking will automatically be receiving a phone banking PIN to be used in conjunction with the current OTP authentication method.

I used to receive the OTP by email, what will happen now?

Such service has been discontinued. There are now two options:

Either opt to download our HSBC Mobile Banking App which is free to download through GooglePlay or App Store; or register for SMS service and Phone Banking.

Should you opt for the latter option, it is very important that we have your correct mobile phone number in our records as otherwise you will not receive your SMS OTP. If you have not yet advised us of your current mobile number or you know that we hold incorrect details, it is important that you update your personal details. You can do so by sending us a secure message through your Online Banking dashboard, or by going into any of our branches.

Using HSBC Mobile Banking App for SCA

How do I download the Mobile Banking App?

Download the HSBC Mobile Banking App through GooglePlay or App Store. You can also find out more on our Mobile Banking page.

How do I register for the Mobile Banking App?

To register for Mobile Banking, you will need to be an Online Banking User first.

Then once you have downloaded the application, you will need to register by inputting your personal details. An activation code will be sent to your registered mobile number.

Create your log on details.

Have a look at our helpful video guide on registering for mobile banking.

How do I activate the Mobile Banking App?

You can only activate your registration once you receive your Secure Key. Note that this is mailed to your registered mailing address with the bank and will take a couple of days.

When you receive the Secure Key, activate by using your log in credential details, your Secure Key and a one-time code sent to your registered mobile phone number.

How do I authenticate purchases in the Mobile Banking App?

As you go through the steps to approve a purchase online, you will need to log into your HSBC Mobile Banking App at the same time. You will be prompted with a pop-up screen to authenticate your purchase.

Select – 'Approve or Decline';

Enter your HSBC Mobile Banking App log in (Password, Biometric or Fingerprint);

Transaction ‘Approved’ notification or if cancelled ‘Payment Cancelled’ notification;

Go back to merchant website.

Personal Data

Why does HSBC need my contact details?

In order to communicate effectively with our customers, we use email, mobile or post. It is important that all your details held with us are correct and up to date in order for you not to miss any important notification or correspondence.

How do I update my personal details?

If you wish to update your details, you need to visit any of our HSBC Branches. Find your nearest branch.

How can I keep my data and my bank accounts safe?

HSBC will never ask for your payment security details such as your PIN numbers. These are yours to keep securely and cannot be shared. They are to be used only by you when you are effecting payments or requiring a payment-related service.

HSBC will never ask for your passwords and will never send links to reset or change your passwords.

If you ever receive a call, email or SMS, or are contacted via digital platforms (e.g. Facebook or Instagram), do not divulge your security details (such as your PINs or One-Time Passwords). Hang up the call and don't click any suspicious links provided.

If you are asked to transfer money - verify the details of who is requesting the payment and what it is for before doing so.

If you are asked to divulge your SMS OTP PIN or Phone Banking PIN - never reveal it. This is an important security detail and should never be disclosed to third parties.

Always verify the source of a query and never divulge your security details.

Visit our online security centre for more tips and advice.

What do I do if I have noticed fraudulent activity on my accounts?

Call us immediately on +356 21483809 to stop your card.

Changes to General Terms and Conditions and other Terms

Further details on the changes being made to our General Terms and Conditions can also be obtained from Please take time to go through these changes and feel free to contact us should you require additional information or further assistance.

Other changes to the Card Conditions of Use to explain our two-factor authentication process in more detail are being introduced. The Card Account Fees document is also being updated to explain that going forward for cash advances with a credit card, credit interest will be charged not only on the amount advanced but also on the transaction fee itself applicable to that cash advance.

Our updated General Terms and Conditions are uploaded on our website and available for you to download for free. Alternatively, you can ask for a copy of our updated General Terms and Conditions from any of our branches or by calling us on +356 2380 8219 Monday to Friday 08.00 to 16.00 excluding public holidays.
