PSD2: EBA discussion paper on strong customer authentication and secure communication

Written on 9 Feb 2016

The European Banking Authority (“EBA”) issued a discussion paper on strong customer authentication and secure communication on 8 December 2015. Responses to this discussion paper will inform the development of the Regulatory Technical Standards that the EBA is mandated to deliver on this topic under PSD2.

PSD2 and strong customer authentication 

Article 97(1) of PSD2 obliges PSPs (and, where relevant, Payment Initiation Service Providers (“PIS”) and Account Information Service Providers (“AIS”)) to apply strong customer authentication where the payer:

  • accesses his/her payment account online;
  • initiates an electronic payment transaction; or
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. 

Under PSD2, ‘strong customer authentication’ is defined as:

“authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
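The definition carries two distinct tests that are easy to conflate: the elements must come from at least two of the three categories, and they must be independent of one another. Two passwords are two elements but one category; a password and a one-time code that is displayed in the same compromised browser session are two categories but not independent. The short Python policy check below, added here as an illustration rather than anything taken from PSD2 or the EBA paper, models both tests. The “boundary” attribute it uses to express independence (the trust boundary whose compromise would expose the element) is an assumed modelling choice for this example, as is the sample set of elements.

```python
"""Illustrative check of the PSD2 'strong customer authentication' definition.

Added example, not code from PSD2, the EBA discussion paper or any PSP.
Two conditions are modelled:
  1. two or more elements drawn from at least two categories; and
  2. independence, approximated here by requiring that the two elements
     do not share a trust 'boundary' (an assumed attribute for illustration).
"""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    # Assumed attribute: the component whose compromise exposes this element.
    # Elements sharing a boundary are treated as NOT independent.
    boundary: str


def sca_satisfied(elements):
    """Return (ok, reason): does the presented set meet the definition?"""
    if len(elements) < 2:
        return False, "fewer than two elements presented"
    if len({e.category for e in elements}) < 2:
        only = next(iter(elements)).category.value
        return False, "all elements fall in one category: %s" % only
    # Look for at least one pair that is both cross-category and independent.
    independent_pairs = [
        (a, b)
        for i, a in enumerate(elements)
        for b in elements[i + 1:]
        if a.category != b.category and a.boundary != b.boundary
    ]
    if not independent_pairs:
        return False, "no two elements of different categories are independent"
    a, b = independent_pairs[0]
    return True, "%s (%s) + %s (%s)" % (a.name, a.category.value,
                                        b.name, b.category.value)


# Constructed sample elements (not drawn from any real deployment).
PASSWORD = Element("password", Category.KNOWLEDGE, "browser-session")
SECURITY_ANSWER = Element("memorable answer", Category.KNOWLEDGE, "browser-session")
CARD_READER_OTP = Element("card reader code", Category.POSSESSION, "hardware-token")
BROWSER_OTP = Element("code shown in same browser", Category.POSSESSION, "browser-session")
FINGERPRINT = Element("fingerprint", Category.INHERENCE, "phone-secure-enclave")


def demo():
    """Run the check over a few constructed combinations."""
    cases = {
        "password + card reader": [PASSWORD, CARD_READER_OTP],
        "password + memorable answer": [PASSWORD, SECURITY_ANSWER],
        "password + code in same browser": [PASSWORD, BROWSER_OTP],
        "password + memorable answer + fingerprint": [PASSWORD, SECURITY_ANSWER, FINGERPRINT],
    }
    return {label: sca_satisfied(elems) for label, elems in cases.items()}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-44s %s  %s" % (label, "PASS" if ok else "FAIL", reason))
```

The third case is the one worth noting: it has two categories yet fails, because both elements live inside the same browser session and a single compromise would take both. How independence should actually be demonstrated is exactly one of the questions the RTS are expected to settle; the boundary model here is only a way of making the requirement concrete.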

In order to help service providers meet these obligations, Article 98 of PSD2 requires the EBA to develop draft Regulatory Technical Standards (“RTS”) for submission to the Commission by 13 January 2017. The RTS will be developed in close cooperation with the European Central Bank, and will specify:

  • the requirements of the ‘strong customer authentication’ referred to in Article 97;
  • exemptions from the application of these requirements;
  • requirements to protect the user’s security credentials; and
  • requirements for common and secure open standards of communication. 

The consultation: competing demands 

As explained by the EBA, and expressly provided for under Article 98, the RTS should be drafted following consultation with all relevant stakeholders. The EBA acknowledges that in developing the RTS it will have to make “difficult trade-offs between competing demands”. For example, paragraph 18 of the paper points to:

  • security requirements (which may suggest a high degree of prescription in the requirements so as to avoid circumvention) versus facilitation of innovative security solutions in years to come (which may require certain flexibility);
  • high security requirements versus customer convenience; and
  • very detailed requirements for common and open standards of communication to be implemented by all account servicing PSPs to avoid divergent solutions becoming a barrier for AIS and PIS (which may limit future innovations) versus less detailed requirements which could allow future innovation (but which could end up creating barriers for AIS and PIS PSPs). 

The purpose of the discussion paper is to hear views from participants as to where the balance should lie in relation to these considerations, to seek clarification on certain issues and to identify and characterise problems that the RTS are to mitigate. 

Next steps: role of Payments UK

Responses to the paper were being accepted by the EBA until 8 February 2016. Payments UK has coordinated a response from its members and is expected to communicate further on this in due course. The EBA will assess the responses received, and will use them as input for the development of the draft RTS which it plans to publish in summer 2016 for a further consultation period of three months.