Strong customer authentication, and confidence in security, are key to achieving the aims of PSD2. The general proposals for Chapter 1 look reasonable. The principles are sound and attention has generally been paid to the need for balance. However, there are some details of concern. Foremost amongst these are:

(a) Lack of consideration of risk-based authentication. By requiring equivalent levels of strong authentication regardless of the transaction-specific risk at the time, lower risk transactions may be discouraged. The complexity, inconvenience and/or time needed may outweigh the desire of the customer to transact. Meanwhile, while Chapter 1 sets out the need for mechanisms to prevent, detect and block fraudulent transactions, it does not allow for any anticipated variance in mechanisms based on the currently observed risk. Removing any scope for risk-based authentication is likely to result in more friction in the consumer’s experience, with negative consequences.

(b) The role of inherence in strong authentication, and the demarcation between inherence and behaviour-based characteristics. The rules correctly specify that one factor is insufficient to achieve strong authentication, recognising that no measure is infallible and that it is possible for some physical characteristics to potentially be spoofed. However, the reliability of behaviour-based elements could reach a level of comfort of authentication equal to that of biometric approaches, given continuing rapid advances in this area. It may well prove unnecessarily prescriptive to insist that behaviour based elements cannot take a primary role in the authentication requirements under any circumstances. Flexibility is needed to ensure that future advances are accommodated. Guidance could assist with this and also flesh out helpful information to assist users in having confidence in compliance.

Again, the primary need is for flexibility in the standards, to support future developments.

Again, our concerns here mainly relate to the need for greater flexibility in the standards.

No. We however agree with the comments of previous respondents to the discussion paper, as noted in paragraph 55 of the consultation paper, that PSPs should always be in a position to apply strong customer authentication in case of fraud.

It is important to avoid unnecessary prescription which may limit the ability to innovate and take alternative approaches. Standards of communication must provide suitably advanced levels of security, and sufficient commonality for a harmonised approach, but beyond this, standards should be left as high level as possible.

The use of elements, components or approved message definitions may prove appropriate, but it would not be appropriate to require adoption of ISO20022 in its entirety. It is also vital to take into account their current uptake and the use of other existing standards in the industry, and the potential costs associated with this change, before enshrining such elements into the RTS.

Yes, assuming that suitable certificates are accessible by the industry at the time of implementation.

We believe that some additional flexibility in wording is called for in relation to situations where the payment service user is not themselves requesting the information, but where the information is needed to support the fulfilment of another active payment service user request which by inference calls for updated information.

Credit reference agency and provider of tools to assist consumers and banks with information needs.