The European Banking Authority (EBA) issued a Discussion Paper on 8 December 2015 on the future Draft Regulatory Technical Standards on strong customer authentication and secure communication under the revised Payment Services Directive (PSD2). On 12 January 2016, PSD2 entered into force.
Dr Matthias Terlau, Partner at Osborne Clarke, analyses the EBA’s Discussion Paper and what this might indicate about the future draft regulatory technical standards.
This article was originally published in ‘E-Finance & Payments Law & Policy’ (January 2016)
What’s the status of PSD2?
Before the new rules become applicable for the payment services sector, the Member States will have to transform them into national law and the EBA and the European Commission will have to enact six of the so-called regulatory standards. The EBA is authorised to issue five guidelines in order to regulate questions of detail (for example on the minimum coverage of professional indemnity insurance of payment initiation services).
Where do we stand on the draft regulatory standards on strong authentication?
One of the more important of these ancillary sets of rules will be the regulatory technical standards on strong customer authentication and secure communication. The EBA must present this standard to the Commission on 13 January 2017 at the latest. The Commission must then enact the regulatory standard as a delegated act in order to give it binding legal effect. The new provisions of PSD2 on strong customer authentication and secure communication will then enter into force 18 months after the entry into force of the regulatory standards.
These provisions could therefore come into force later than the remainder of PSD2; the deadline for the national laws is 13 January 2018 and on this day all such laws will enter into force. In the meantime, the respective EBA Guidelines published in December 2014 will be applicable in most Member States, except the UK.
Prior to submitting draft regulatory standards to the Commission for enactment, the EBA must conduct open public consultations and analyse the potential related costs and benefits. The EBA is also asked to request the opinion of the Banking Stakeholder Group, which is composed of 30 members representing in balanced proportions credit and investment institutions operating in the EU, their employees’ representatives as well as consumers, users of banking services and representatives of SMEs.
Currently the EBA is conducting – prior to the actual consultation process – a discussion. A ‘Discussion Paper’ was published on 8 December 2015 and contains 20 detailed questions to the public. The discussion process is not foreseen in the EBA regulation. Also, the basis of the discussion is not a draft document, but questions that the EBA is asking the public and stakeholders. However, the discussion process was initiated at a stage when the final text of PSD2 had not yet been published, and thus shows the EBA’s commitment to act quickly and thoroughly; that alone deserves applause.
Nothing new in the Discussion Paper?
To find out what the EBA wishes to include in the future draft regulatory standards, one must carefully assess and interpret the comments which the EBA makes and the questions asked by the EBA in the Discussion Paper.
New authentication procedures?
The questions asked by the EBA on authentication methods are quite technical and a good playground for technically engaged people in the industry. The legal requirements of PSD2 will make the procedure more complicated with the new rule on dynamic linking of the transaction to the amount and the payee. The EBA introduces a discussion on behaviour-based characteristics. If this approach becomes commonly recognised, payment service providers (PSPs) may have a secure and at the same time – from the perspective of the customer – convenient means of authentication. However, recent consumer polls show that behaviour-based customer screening is not seen positively by the public. In this context the EBA also wishes to make use of the new e-IDAS Regulation. However, it remains to be seen what role the e-IDAS Regulation will play in practice. If accepted by the market and consumers, qualified trust services under the e-IDAS Regulation could facilitate authentication.
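To make the dynamic-linking requirement concrete, here is an added illustration (not from the article, the EBA or any PSP's implementation) of an authentication code that is bound to the exact amount and payee of one transaction: the payer's code is an HMAC over those fields plus a per-challenge nonce, so a transaction whose amount or payee has been altered after the code was issued fails verification. The key, nonce, payee identifier and 8-digit code format are constructed assumptions for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The transaction details the PSP shows the payer at authentication time."""
    amount_cents: int
    currency: str
    payee: str  # constructed identifier, e.g. an IBAN or merchant id


def _canonical(txn: Transaction, nonce: bytes) -> bytes:
    # Length-prefix every field so that two different (amount, currency, payee)
    # triples can never serialise to the same byte string.
    fields = [str(txn.amount_cents), txn.currency, txn.payee]
    encoded = b"".join(
        len(f).to_bytes(2, "big") + f.encode("utf-8") for f in fields
    )
    return nonce + encoded


def issue_auth_code(key: bytes, txn: Transaction, nonce: bytes, digits: int = 8) -> str:
    """Code the PSP derives for this exact amount and payee (hypothetical scheme).

    `nonce` is a fresh per-challenge value the PSP stores server-side, so a code
    cannot be replayed for a later transaction with the same amount and payee.
    """
    mac = hmac.new(key, _canonical(txn, nonce), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


def verify_auth_code(key: bytes, txn: Transaction, nonce: bytes, code: str) -> bool:
    """Recompute the code for the transaction actually being executed and compare."""
    expected = issue_auth_code(key, txn, nonce, len(code))
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    nonce = bytes(range(16))  # constructed; a real PSP would draw this at random
    original = Transaction(4999, "EUR", "PAYEE-DEMO-1")
    code = issue_auth_code(key, original, nonce)
    print("payer approved:", original, "->", code)
    # Modifying either dynamically linked element invalidates the code.
    print("same txn verifies:", verify_auth_code(key, original, nonce, code))
    print("amount changed:", verify_auth_code(key, Transaction(5000, "EUR", "PAYEE-DEMO-1"), nonce, code))
    print("payee changed:", verify_auth_code(key, Transaction(4999, "EUR", "PAYEE-DEMO-2"), nonce, code))
```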
Exemptions – the lifesavers?
PSD2 requires strong authentication for accessing payment accounts online, for initiation of all electronic payment transactions and any other action through remote channels with risk of payment fraud and other abuses. Strong authentication under PSD2 therefore has a larger scope of application than the EBA Guidelines from December 2014. Therefore, it will be important for the industry to achieve reasonable exemptions from these requirements in order to facilitate day-to-day online and mobile payments. While the customer is sensitive and open-minded towards more security in payments, convenience will remain highly important.
However, the EBA proposes to mainly include exemptions in the new regulation that are similar to those found in the EBA Guidelines: low-value payments as defined in PSD2, payments to trusted beneficiaries, and low-risk transactions based on transaction risk analysis.
New to the Discussion Paper is the proposal that transfers between accounts of the same PSP will only be exempted if they are between the accounts of the same payment service user. The exemption in the EBA Guidelines is wider in scope (it covers the accounts of different payment service users with the same PSP, the so-called lex PayPal). The EBA introduces a new exemption of ‘purely consultative services with no display of sensitive payment data.’ The reduction of the lex PayPal is one of the most striking changes (in comparison to the 2014 EBA Guidelines) that the EBA wishes to propose. It may also be an indication of a more severe standpoint being taken by the regulatory authorities vis-à-vis the security of remote payments.
The EBA very extensively addresses the question of transaction risk analysis. This exemption will play the most important role in the payment industry’s (together with online retailers’) attempts to preserve or increase the volume of online commerce. In its comments the EBA addresses the problem that such analysis must rely on sufficiently detailed information and history from both the payer and payee. It speaks of real-time risk analysis of the payer’s transaction history and the device used for payment and at the same time the detailed risk profile of the payee.
The payment industry (on behalf of its customers, i.e. online retailers and consumers) is now asked to provide suggestions to the EBA. Here it seems that the industry must try to limit the efforts of the regulator to impose fine-grained criteria in order to protect payment service providers and consumers from relatively small damages (credit card fraud in 2012 having been 0.038% of the total payment volume). The exemptions should therefore cover certain types of goods and services rather than follow an individual approach that looks at each payer and payee separately.
In addition to this latter method being complicated, it will also be quite costly. Purchases of regular consumer goods and services (books, household articles, food, music, software, tickets, information services, donations to recognised charities) on the internet should be exempted up to a reasonable total price (e.g. €200) per purchase. These transactions are less risky per se, regardless of the individual consumer and online shop. The regulator could, as a complementary measure, ask payment service providers to monitor transactions such that certain payers or payees with a conspicuous transaction history can then – in the individual case – be made subject to a strong authentication requirement. Such payers or payees may complain about this more severe and – in their eyes – discriminatory treatment, but these cases can be dealt with on an individual level by the PSPs.
Communication with account information services and payment initiation services
The most disputed topic of PSD2, the admission of account information services and payment initiation services, seems to continue at the level of the EBA. The EBA is asked by PSD2 to define an open and common standard of communication between those services and the account servicing payment service provider, the payer and the payee. On the technical side, the issues consist mainly of the definition of a common interface between online banking platforms. How should a communication standard be defined to include all available standards and at the same time be open for technical development? The industry will have to keep a close eye on these efforts of the EBA, as it is likely that this new standard will simultaneously trigger implementation costs and will also replace – in many respects – all current interfaces for online banking platforms.
The industry should make intensive use of the great opportunity for discussion which the EBA provides in the Discussion Paper of December 2015. It is important that security regulation does not paralyse the growing online retail industry.