Regulatory Technical Standards on strong customer authentication and secure communication under PSD2

Status: Final draft adopted by the EBA and submitted to the European Commission

The proposed Regulatory Technical Standards on strong customer authentication and secure communication are key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.

EBA publishes its Opinion in response to the European Commission intention to amend the EBA Technical Standards for open and secure electronic payments under the PSD2

29 June 2017

The European Banking Authority (EBA) published today an Opinion responding to the European Commission's (EC) intention to amend the EBA's draft Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. In its Opinion, while agreeing with the aims of the EC's amendments, the EBA voices its disagreement with three of the four concrete amendments the Commission proposes, on the basis that they would upset the careful trade-offs and balances previously struck in the RTS.
 
The EBA's draft RTS, published in February, sought to establish the regulatory framework mandated under PSD2 and to contribute to confidence and trust in the new payment services that PSD2 will bring about from 13 January 2018. In developing the RTS, the EBA had to make difficult trade-offs between the various, at times competing, objectives of PSD2, such as enhancing security, promoting customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation, and enhancing competition through new payment initiation and account information services.
 
In its letter dated 24 May 2017, the Commission expressed its intention to amend the EBA's draft RTS in four main areas: first, that the audits of the security measures be performed by statutory auditors; second, that an additional, standalone exemption from strong customer authentication be added for specific types of corporate transactions; third, that payment service providers report the outcome of their fraud-rate monitoring and calculation to the EBA; and, finally, that Account Servicing Payment Service Providers (ASPSPs) that have set up a dedicated interface be required to ensure that Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) can access the ASPSP's customer-facing interface as a fall-back whenever the dedicated interface is not performing as required under the RTS.
 
While the EBA agrees with the aims of the European Commission's amendments, it disagrees with some of the means by which the Commission proposes to achieve them. More specifically, the EBA disagrees with three of the four proposed amendments and is of the view that the suggested changes would upset the careful balance the EBA had previously struck between the various competing objectives of PSD2. With that in mind, the EBA suggests in its Opinion alternative means through which the Commission's aims can be achieved.

Next Steps

The publication and submission to the EU Commission of today's Opinion concludes the EBA's work on this regulatory mandate. It is now for the EU Commission to make the final decision on the text of the RTS and to adopt the standards as a Delegated Act, which is then published in the Official Journal of the EU. During the adoption process, the EU Council and the European Parliament have a right of scrutiny. Once the RTS have been published in the Official Journal, they will enter into force the following day and will apply 18 months after that date.

Legal basis and background

The draft RTS have been developed under Article 98 of the revised Payment Services Directive (EU) 2015/2366 (PSD2), which mandates the EBA, in close cooperation with the ECB, to draft Regulatory Technical Standards (RTS) specifying the requirements for strong customer authentication (SCA); the exemptions from the application of SCA; the requirements with which security measures have to comply in order to protect the confidentiality and integrity of payment service users' personalised security credentials; and the requirements for common and secure open standards of communication (CSC) between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers (PSPs).
 
The EBA published its final draft RTS in February 2017, following 18 months of intensive policy development work and consultation with the different payment market players.
 
With today's Opinion, the EBA exercises its competence under Article 10 of the EBA Founding Regulation (Regulation (EU) No 1093/2010), which provides for the EBA to deliver, within six weeks of receiving the EC's letter, an Opinion on the Commission's proposed amendments together with a revised draft RTS.
 

Press contacts:

Franca Rosa Congiu

E-mail: press@eba.europa.eu - Tel: +44 (0) 207 382 1772

EBA paves the way for open and secure electronic payments for consumers under the PSD2

23 February 2017

The European Banking Authority (EBA) published today its final draft Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. These RTS, which were mandated under the revised Payment Services Directive (PSD2) and developed in close cooperation with the European Central Bank (ECB), pave the way for an open and secure market in retail payments in the European Union.
 
Following 18 months of intensive policy development work and an unprecedentedly wide range of stakeholder views and input, these final draft RTS are the result of difficult trade-offs between the various, at times competing, objectives of PSD2, such as enhancing security, facilitating customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation, and enhancing competition through new payment initiation and account information services.
 
The EBA received 224 responses to its Consultation Paper, in which more than 300 distinct concerns or requests for clarifications were raised. In the feedback table published today as part of the RTS, the EBA has summarised each one of them and provided its assessment as to whether changes have been made to the RTS as a result of such concerns. 
 
In particular, one of the key concerns addressed by these final draft RTS relates to the exemptions from the application of strong customer authentication, which are granted on the basis of the level of risk involved in the service provided, the amount and recurrence of the transaction, and the payment channel used to execute it. In this respect, the EBA has introduced two new exemptions: one based on transaction-risk analysis tied to defined fraud levels, and one for payments at so-called 'unattended terminals' for transport or parking fares. The transaction-risk analysis exemption is available only to PSPs whose observed fraud rate stays below a predefined level and is subject to an 18-month review clause after the application date of the RTS.
 
In addition, the EBA has increased the threshold below which remote electronic payment transactions are exempt from strong customer authentication from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication, so as to better ensure the technological neutrality of the RTS and to facilitate future innovation.
 
With regard to the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service providers (PISPs), the EBA has decided to maintain the obligation for ASPSPs to offer at least one interface through which AISPs and PISPs can access payment account information. This is because PSD2 will no longer allow the existing practice of third-party access without identification (at times referred to as 'screen scraping' or, mistakenly, as 'direct access'), in which the third party logs in with the customer's own credentials and is indistinguishable from the customer to the ASPSP, once the transition period provided for in PSD2 has elapsed and the RTS apply. Under the RTS, AISPs and PISPs must identify themselves to the ASPSP when accessing the account.
 
However, in order to address the concerns raised by a few respondents, the final RTS now also require ASPSPs that use a dedicated interface to provide the same level of availability and performance as the interface offered to, and used by, their own customers; to provide the same level of contingency measures in case of unplanned unavailability; and to give PISPs an immediate yes/no response on whether the customer has sufficient funds available to make a payment.
 

Legal basis and background

The draft RTS have been developed under Article 98 of the revised Payment Services Directive (EU) 2015/2366 (PSD2), which mandates the EBA, in close cooperation with the ECB, to draft Regulatory Technical Standards (RTS) specifying the requirements for strong customer authentication (SCA); the exemptions from the application of SCA; the requirements with which security measures have to comply in order to protect the confidentiality and integrity of payment service users' personalised security credentials; and the requirements for common and secure open standards of communication (CSC) between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers (PSPs).
The PSD2 provides that the RTS will apply 18 months after adoption of the RTS by the EU Commission as a Delegated Act.
