Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
Strong customer authentication, and confidence in security, are key to achieving the aims of PSD2. The general proposals for Chapter 1 look reasonable. The principles are sound and attention has generally been paid to the need for balance. However, there are some details of concern. Foremost amongst these are:

(a) Lack of consideration of risk-based authentication. By requiring equivalent levels of strong authentication regardless of the transaction-specific risk at the time, lower risk transactions may be discouraged. The complexity, inconvenience and/or time needed may outweigh the desire of the customer to transact. Meanwhile, while Chapter 1 sets out the need for mechanisms to prevent, detect and block fraudulent transactions, it does not allow for any anticipated variance in mechanisms based on the currently observed risk. Removing any scope for risk-based authentication is likely to result in more friction in the consumer’s experience, with negative consequences.
(b) The role of inherence in strong authentication, and the demarcation between inherence and behaviour-based characteristics. The rules correctly specify that one factor is insufficient to achieve strong authentication, recognising that no measure is infallible and that it is possible for some physical characteristics to be spoofed. However, the reliability of behaviour-based elements could reach a level of comfort of authentication equal to that of biometric approaches, given continuing rapid advances in this area. It may well prove unnecessarily prescriptive to insist that behaviour-based elements cannot take a primary role in the authentication requirements under any circumstances. Flexibility is needed to ensure that future advances are accommodated. Guidance could assist with this and also flesh out helpful information to assist users in having confidence in compliance.