Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Go back

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

It is important to clarify that a unique identification ticket used in PKI solutions, such as mobile identification based on security module on a SIM-card, fulfils the requirement of a code that is accepted only once.

It is essential to link the requirements to the eIDAS Regulation so that eIDAS Level of Assurance 3 (substantial) always fulfils the criteria for SCA according to the articles 97 and 98 of PSD2.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

We support EBA reasoning in article 2.2. of the proposed delegated regulation.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?


Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

There is an evident need for exemptions from SCA in order to guarantee that there is a possibility to use one-click payments for low-value transactions. It is of greatest importance that the threshold values are applied in coherent manner. On the proposal, there are different limits for contactless payments and electronic payments. The limits proposed in article 8.2 point (d) should be the same as in para 1 point b, i.e. 50 euros and 150 euros or, alternatively, the same as used in the PSD2 article 42, including the option to double the amounts for national payments. This would bring coherence to regulatory environment. It can be confusing also to users of payment services to have a great number of differing threshold values.

Additionally, payments for voice-based services that exceed the limits meant in article 3 of PSD2, point (l), are in the scope of the requirement of SCA according to article 97 of PSD2. It is very challenging to incorporate SCA to voice-based services as it would seriously compromise user experience.

It should be kept in mind that substantial share of electronic payments are carried out via mobile phones. According to the EU and national telecoms regulations and practice users of mobile phones have a duty of care to protect their devices by PIN numbers in order to avoid unauthorised usage. Due to this practice, a lost mobile phone is not as likely to be used for unauthorised payments as a lost credit card allowing contactless payments.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

Yes we do. It is not clear from article 74.2 of PSD2 that payment service is not liable if it does not employ SCA in cases where an exemption according to article 98 is applicable or, furthermore, would be prevented from using SCA. It should be clarified in the RTS that PSPs are not liable when they are exempted or prevented from using SCA according to the RTS. Otherwise the risk position of service providers offering low-value payments may become too challenging, which may have very negative impact for European micro payment market.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?


Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?


Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

FiCom strongly supports the use of open, standardised requirements, such as ISO.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

Website certificates can be deployed here as e-IDAS provides common European standards for certificates.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.


Please select which category best describes you and/or your organisation

[Credit institution"]"

If you selected "Other", please provide details

FiCom, Finnish Federation for Telecommunications and Teleinformatics represents Finnish telecoms and IT industry. Finnish mobile operators provide their users both eID and mobile payment services.

Please select which category best describes the services provided by you/your organisation

[Cash related services"]"

If you selected "Other", please provide details

Electronic mobile payments, electronic identification.

Name of organisation

Finnish Federation for Telecommunications and Teleinformatics, FiCom