PSD2: The EBA's standards on strong customer authentication – where are we now?
Published on 14th Nov 2017
One of the big changes introduced by the PSD2 is that all payment service providers (PSPs) will have to apply strong customer authentication (SCA) (other than where the EBA permits exceptions) when the payer:
- accesses its payment account online;
- initiates an electronic payment transaction; or
- carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.
What is SCA?
Under PSD2, SCA means authentication based on two or more independent elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). The elements must be independent, so that the compromise of one does not undermine the reliability of the others, and the procedure must protect the confidentiality of the authentication data. PSPs must also make the payer aware of the amount of the payment and the identity of the payee. In the case of remote electronic payment transactions, SCA must include elements which ‘dynamically link’ the transaction to a specific amount and a specific payee: the authentication code generated must be specific to that amount and that payee, so that any change to either invalidates it. PSPs must also ensure that the payee and amount information is kept confidential and protected from tampering throughout the authentication process.
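The dynamic-linking requirement above is easiest to see in code. The following is an added illustration, not code from the original article or from any PSP: it assumes a possession element in the form of a per-device secret key (`device_key`), and derives the authentication code as an HMAC over the transaction identifier, payee, currency and amount, truncated in the HOTP style. Recomputing the code with a different amount or payee yields a different value, so the ASPSP's check fails if either was altered after the payer authenticated.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Transaction:
    """Fields that the authentication code must be bound to (assumed layout)."""
    txn_id: str    # unique per authorisation request, so a code cannot be replayed
    payee: str     # payee identifier, e.g. an IBAN
    currency: str
    amount: int    # minor units (cents); integers avoid floating-point surprises

def _canonical(txn: Transaction) -> bytes:
    # Fixed field order with a separator that cannot occur inside the fields,
    # so two different transactions can never serialise to the same bytes.
    return "\x1f".join([txn.txn_id, txn.payee, txn.currency, str(txn.amount)]).encode()

def generate_auth_code(device_key: bytes, txn: Transaction, digits: int = 8) -> str:
    """Code the payer's device shows once it has displayed amount and payee to the payer."""
    mac = hmac.new(device_key, _canonical(txn), hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226): a 31-bit window chosen by the last nibble.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_auth_code(device_key: bytes, txn: Transaction, code: str, digits: int = 8) -> bool:
    """ASPSP side: recompute over the transaction it is about to execute, compare in constant time."""
    expected = generate_auth_code(device_key, txn, digits)
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    # Constructed sample values; a real key would be provisioned to the device at enrolment.
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
    agreed = Transaction("txn-0001", "DE89370400440532013000", "EUR", 12_050)  # EUR 120.50
    code = generate_auth_code(key, agreed)
    print("payer authenticates EUR 120.50 to DE89...:", verify_auth_code(key, agreed, code))
    tampered = replace(agreed, amount=120_500)  # a man-in-the-browser raises the amount
    print("same code presented for EUR 1,205.00:", verify_auth_code(key, tampered, code))
```

The point is not the particular MAC but what it covers: the code is worthless to an attacker who can only change the amount or payee in transit, because the ASPSP recomputes it over the values it is actually about to execute. Binding the code to a one-time `txn_id` additionally prevents an old code being replayed for a second identical payment.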
If the payer’s PSP does not require SCA, the payer is liable for an unauthorised transaction only where the payer has acted fraudulently. If the payee or the payee’s PSP does not accept SCA, it must refund the financial damage caused to the payer’s PSP. PSD2 does not provide any general exemption from SCA for corporate users (although the related liability provisions can be disapplied by agreement with non-consumers).
PSD2 requires the EBA to develop (and periodically review) RTS in relation to SCA. These RTS should specify the requirements for SCA and any exemptions from the use of SCA.
Background: the draft SCA RTS
The EBA published its first draft SCA RTS for consultation in 2016, with the aim of publishing the final RTS in January 2017. That date slipped because of the number of questions raised by the European Parliament and by the more than 200 respondents to the consultation. On 23 February 2017, the report containing the final draft RTS was published; then, on 1 June 2017, the EBA published the European Commission’s proposed amendments to that draft. The amendments had been submitted to the EBA on 24 May but were not made public until 1 June.
A month later, the EBA issued an opinion in response to those proposed amendments. In short, it agrees with the Commission’s aims but disagrees with three of the four substantive changes, on the basis that they would upset the trade-offs struck in the RTS, and it proposes alternative ways of achieving the same aims. The opinion is discussed in detail below.
The RTS are now expected to apply from Spring 2019 at the earliest, i.e. 18 months after coming into force. Regulation 1(5) of the PSRs 2017 confirms that the provisions in the regulations on secure communication and authentication come into force 18 months after the date on which the RTS come into force.
What changed following the EBA’s consultation?
Three key areas of concern were identified during the EBA’s consultation, broadly relating to the following points:
- the monetary thresholds proposed in the draft RTS – the EBA raised these in the revised RTS;
- the communication interface and direct access – this is particularly relevant for account information service providers (AISPs), payment initiation service providers (PISPs), and PSPs issuing card-based payment instruments; and
- the exemptions to SCA – these were expanded in the final draft RTS and the changes are discussed in greater detail below. In particular, a new exemption based on transaction risk analysis was introduced based on feedback from respondents that a risk-based approach will be key in reducing fraud as well as facilitating the use of user-friendly payments.
As part of its final report, the EBA confirmed that SCA applies to electronic payments initiated by the payer, or by the payer through the payee (such as credit transfers – including e-money transfers – or card payments), but does not apply to electronic payments initiated by the payee only (such as direct debits), though it does apply where a direct debit mandate is set up electronically.
Communications and access: the EBA’s final position
The EBA has maintained the obligation for account servicing payment service providers (ASPSPs) to offer at least one interface for AISPs and PISPs to access payment account information. ASPSPs that decide to use a dedicated interface must now ensure they provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability. In addition, the EBA has confirmed that the existing practice of third-party access without identification (sometimes referred to as ‘screen scraping’ or ‘direct access’) will no longer be allowed once the transition period under PSD2 has elapsed and the RTS apply. In the EBA’s view, the requirements placed on ASPSPs who decide to use a dedicated interface should go some way to address some of the concerns raised by respondents to the consultation process in relation to this area.
When are PSPs exempt from the need to apply SCA?
Chapter 3 of the draft SCA RTS set out a number of exemptions that PSPs may be able to rely on. A PSP is not bound to use these exemptions; it may choose to apply SCA on all relevant occasions.
- Payment account information – SCA need not be applied where payment service users (PSUs) are limited to accessing an account balance or viewing the payment transactions executed in the last 90 days, provided that this is not the first time the PSU accesses that information online and that SCA was applied within the previous 90 days.
- Contactless payments at point of sale – PSPs are exempt from the application of SCA where the payer initiates a contactless electronic payment transaction provided that:
- the individual amount of the contactless electronic payment transaction does not exceed €50; and
- since the last application of SCA, the cumulative amount of contactless transactions initiated with that payment instrument does not exceed €150 and their number does not exceed five consecutive transactions.
- Transport and parking fares – SCA need not be applied to electronic transactions at unattended payment terminals for paying for transport or parking fares. There is no monetary limit for this exemption.
- Trusted beneficiaries and recurring transactions – SCA need not be applied where: (i) the payer initiates a payment to a payee on a list of ‘trusted beneficiaries’ previously created or confirmed by the payer through its ASPSP; or (ii) the payer initiates a series of transactions with the same amount to the same payee. The exemption does not cover the creation or amendment of the list of trusted beneficiaries, nor the creation of or first payment in a series of recurring transactions.
- Payments to self – SCA need not be applied to credit transfers initiated by a payer where the payer and the payee are the same person and both payment accounts are held by the same ASPSP.
- Low-value transactions – SCA need not be applied to remote electronic payment transactions initiated by a payer provided that the following conditions are met:
- the amount of the transaction does not exceed €30; and
- since the last application of SCA, the cumulative amount of remote electronic payment transactions initiated by the payer does not exceed €100 and their number does not exceed five consecutive transactions.
- Transaction risk analysis – SCA need not be applied to remote electronic transactions which the PSP has identified as low risk using the transaction monitoring mechanisms set out in the SCA RTS. Broadly, the amount of the transaction must not exceed the ‘Exemption Threshold Value’ (ETV) specified in a table for remote card-based payments or credit transfers (as the case may be) for the PSP’s fraud rate in that category of transactions, subject to an overall cap of €500 per transaction. The PSP must have transaction monitoring mechanisms that allow a real-time risk analysis taking into account specified factors and behaviours, and may classify a transaction as ‘low risk’ only where conditions such as the absence of abnormal spending or behavioural patterns, and of unusual information about the device or access used to initiate the transaction, are met. PSPs must monitor their fraud rates and the performance of their transaction risk analysis, both of which must be assessed by independent auditors, with the report available to regulators on request. Lastly, PSPs must notify regulators of their intention to use this exemption and, where appropriate, inform their users.
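The contactless, low-value and transaction risk analysis exemptions above all hinge on per-instrument state that must be reset each time SCA is applied. The block below is an added worked example, not code from the article or from any PSP: it keeps, per payment instrument, the cumulative amount and the count of exempted transactions since the last SCA, and applies the €50/€150/5 and €30/€100/5 limits quoted above. It reads the limits as including the transaction being assessed (the conservative interpretation; the draft text is silent on this), treats all amounts as euro cents, and, for the risk-based exemption, takes the ETV and reference fraud rate as caller-supplied parameters rather than inventing the RTS table.

```python
from dataclasses import dataclass, field

EUR = 100  # all amounts are held in cents

@dataclass(frozen=True)
class Limits:
    single: int      # maximum individual transaction amount
    cumulative: int  # maximum total since the last application of SCA
    count: int       # maximum number of consecutive exempted transactions

# Thresholds as set out in the EBA's final draft RTS (see the list above)
CONTACTLESS = Limits(single=50 * EUR, cumulative=150 * EUR, count=5)
REMOTE_LOW_VALUE = Limits(single=30 * EUR, cumulative=100 * EUR, count=5)
TRA_OVERALL_CAP = 500 * EUR  # transaction risk analysis never exceeds EUR 500

@dataclass
class Counter:
    cumulative: int = 0
    count: int = 0

@dataclass
class Instrument:
    """Exemption state for one card or other payment instrument."""
    contactless: Counter = field(default_factory=Counter)
    remote: Counter = field(default_factory=Counter)

    def record_sca(self) -> None:
        """Call whenever SCA has actually been applied: both counters start again."""
        self.contactless = Counter()
        self.remote = Counter()

    def _exempt(self, counter: Counter, limits: Limits, amount: int) -> bool:
        if amount <= 0 or amount > limits.single:
            return False
        if counter.cumulative + amount > limits.cumulative:
            return False
        if counter.count + 1 > limits.count:
            return False
        # Only an exempted transaction consumes headroom; a refused one leads to SCA.
        counter.cumulative += amount
        counter.count += 1
        return True

    def contactless_exempt(self, amount: int) -> bool:
        return self._exempt(self.contactless, CONTACTLESS, amount)

    def remote_low_value_exempt(self, amount: int) -> bool:
        return self._exempt(self.remote, REMOTE_LOW_VALUE, amount)

def tra_exempt(amount: int, etv: int, fraud_rate: float,
               reference_fraud_rate: float, low_risk: bool) -> bool:
    """Risk-based exemption: amount within the ETV for the PSP's fraud rate band,
    within the EUR 500 cap, fraud rate at or below the reference rate, and the
    real-time analysis found nothing abnormal. `etv` and the rates are inputs;
    the RTS table values are not reproduced here."""
    if not low_risk or fraud_rate > reference_fraud_rate:
        return False
    return 0 < amount <= min(etv, TRA_OVERALL_CAP)

if __name__ == "__main__":
    card = Instrument()
    # Constructed sequence: five EUR 30 contactless taps fit exactly, the sixth does not.
    print([card.contactless_exempt(30 * EUR) for _ in range(6)])
    card.record_sca()  # the sixth tap went through SCA, so the counters reset
    print("after SCA:", card.contactless_exempt(30 * EUR))
    # Hypothetical ETV and fraud-rate figures for illustration only
    print("TRA:", tra_exempt(250 * EUR, etv=250 * EUR, fraud_rate=0.01,
                             reference_fraud_rate=0.06, low_risk=True))
```

Two design points follow from the text of the draft RTS: a refused exemption must not consume any of the cumulative or count headroom, because the transaction then goes through SCA and the counters are reset anyway; and the counters for contactless and remote payments are separate, since each exemption is defined by reference to its own category of previous transactions.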
It is worth noting that the EBA refused to exempt payments by corporate users, despite numerous comments from respondents during the consultation process.
In order to rely on any of these exemptions, PSPs must have transaction monitoring mechanisms in place to enable them to detect unauthorised transactions. Those mechanisms should include real-time risk monitoring that takes into account a number of criteria including a customer’s payment transaction history and spending patterns. PSPs must record and monitor all of their fraud rates as well as the performance of the transaction-risk analysis method used. In addition, security procedures must be documented and periodically tested, as well as being audited by internal or external independent and qualified auditors on at least an annual basis. The report must be made available to regulators on request.
What changes is the European Commission seeking?
As the industry expected, the focus of the European Commission’s amendments was on the exemptions to SCA and the question of access to customer data. There were four key changes in addition to a number of clarifications:
- Statutory audit – where a PSP makes use of the transaction risk analysis exemption, it would be required to have a statutory audit performed on an annual basis (as a minimum) in relation to the methodology, the model and the reported fraud rates.
- Corporate payment processes – the European Commission proposed a new exemption for corporate payments when they use dedicated payment processes and protocols that competent authorities are satisfied achieve the same level of security for payments required under PSD2.
- Fraud reporting – the European Commission added more detail to the way that PSPs need to calculate the risk score of each payment transaction. In addition, PSPs would be required to report the outcome of their monitoring and the methodology for calculation of fraud rates to both national competent authorities and the EBA.
- Change to the contactless payments and low value transactions exemption – the European Commission suggested that in order to fall within these exemptions, PSPs would need to comply with three conditions instead of two – a monetary limit on single transactions, a cumulative limit and a limit based on the number of consecutive transactions.
Access to customer data
As expected, the European Commission proposed an amendment to the RTS which states that in the event that the dedicated interface provided by ASPSPs is unavailable for more than 30 seconds (or its performance is inadequate because it does not meet the requirements of PSD2), AISPs and PISPs should be allowed to access information using the customer interface until such time as the dedicated interface has resumed functioning. Several conditions apply, including identification and authentication procedures.
Why does the EBA disagree?
On 29 June 2017, the EBA published an opinion on the EU Commission’s proposed amendments to the draft RTS. As a general observation, the EBA points out that the RTS submitted had to balance a number of competing objectives of PSD2, including enhancing security, promoting competition, ensuring technological and business-model neutrality, contributing to the integration of payments in the EU, protecting consumers, facilitating innovation and enhancing customer convenience.
In relation to the four substantive changes made by the EU Commission, the EBA states that, whilst it agrees with the Commission’s aims, it disagrees with three of the four changes, on the basis that they would negatively affect the trade-offs and balances previously struck in the RTS. Consequently, the EBA suggests alternative means by which the Commission’s aims can be achieved; these are discussed below. The EBA also discusses a number of ‘clarifications’ made by the Commission which, in the EBA’s view, lead to an “undesirable substantive change”. Taking the four proposed changes in turn:
- Statutory audit – in the EBA’s view, requiring a ‘statutory’ audit might be confusing and misleading for a number of reasons, for example, because the use of statutory auditors may differ between Member States. The EBA does agree with the EU Commission that the audit should be independent and conducted by auditors with the appropriate expertise. The EBA therefore proposes that the reference to ‘statutory audit’ should be replaced by reference to ‘an audit performed by an auditor with expertise in IT security and payments and operationally independent within or from the payment service provider’.
- Corporate payment processes – the EBA notes the lack of a definition of the term ‘corporate’ and highlights that defining an exemption by reference to a specific technology would contravene the objective of the RTS to be technologically neutral. Rather than adding a new exemption, the EBA therefore suggests adding a new category under the transaction risk analysis exemption for remote electronic payment transactions where “dedicated payment processes and protocols that are only made available to payers who are not consumers are used”, without a monetary threshold, provided that the PSP’s fraud rate is equal to or below a specific reference fraud rate (proposed to be 0.005%).
- Fraud reporting – the EBA considers that there is a risk that the Commission’s additions (as currently drafted) overlap with the obligations under Article 96(6) of PSD2. It therefore suggests reinstating the words “upon request” and adding the words “with prior notification to the relevant competent authority (ies)” to the draft RTS.
- Access to customer data – the EBA is of the view that imposing the proposed fall-back requirement would go beyond the legal mandate given to the EBA under Article 97 PSD2. The EBA is also sceptical about the extent to which the proposed amendment would achieve the desired objectives and efficiently address market concerns, and has identified a number of risks that would arise were PSPs to implement the Commission’s proposal. It therefore proposes the following four-fold alternative approach, which it believes will achieve the objectives sought by the Commission:
- to ensure that ASPSPs deliver reliable and continuous access to the data that third party providers (TPPs, i.e. AISPs and PISPs) need, the requirements set out in the RTS need to be reinforced;
- to build trust between competing actors, transparency needs to be increased;
- to facilitate a smooth transition from PSD1 to PSD2, cooperation needs to be facilitated by requiring ASPSPs to allow early testing of their interfaces; and
- to enable the EBA to review the practical implementation of the RTS, the EBA should monitor the performance of the interfaces.
What happens next?
The European Commission now needs to settle the final text of the RTS and adopt them as a delegated regulation, which is then published in the Official Journal of the EU. During the adoption process, the Council of the EU and the European Parliament have a right of scrutiny and may object to the text.
As a result of the European Commission’s partial endorsement and related amendments, the timetable has slipped: an adopted text may not be forthcoming until late 2017, meaning the RTS may not apply until Spring or Summer 2019. Such delay could have knock-on effects, including a longer period of uncertainty between the application of PSD2 and the application of the SCA RTS (which could increase risk for consumers, businesses and the industry), as well as an impact on the building of PSD2-compliant interfaces.