Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Go back

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Strong customer authentication, and confidence in security, are key to achieving the aims of PSD2. The general proposals for Chapter 1 look reasonable. The principles are sound and attention has generally been paid to the need for balance. However, there are some details of concern. Foremost amongst these are:

(a) Lack of consideration of risk-based authentication. By requiring equivalent levels of strong authentication regardless of the transaction-specific risk at the time, lower risk transactions may be discouraged. The complexity, inconvenience and/or time needed may outweigh the desire of the customer to transact. Meanwhile, while Chapter 1 sets out the need for mechanisms to prevent, detect and block fraudulent transactions, it does not allow for any anticipated variance in mechanisms based on the currently observed risk. Removing any scope for risk-based authentication is likely to result in more friction in the consumer’s experience, with negative consequences.

(b) The role of inherence in strong authentication, and the demarcation between inherence and behaviour-based characteristics. The rules correctly specify that one factor is insufficient to achieve strong authentication, recognising that no measure is infallible and that it is possible for some physical characteristics to potentially be spoofed. However, the reliability of behaviour-based elements could reach a level of comfort of authentication equal to that of biometric approaches, given continuing rapid advances in this area. It may well prove unnecessarily prescriptive to insist that behaviour based elements cannot take a primary role in the authentication requirements under any circumstances. Flexibility is needed to ensure that future advances are accommodated. Guidance could assist with this and also flesh out helpful information to assist users in having confidence in compliance.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Again, the primary need is for flexibility in the standards, to support future developments.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

No.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Again, our concerns here mainly relate to the need for greater flexibility in the standards.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

No. We however agree with the comments of previous respondents to the discussion paper, as noted in paragraph 55 of the consultation paper, that PSPs should always be in a position to apply strong customer authentication in case of fraud.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Yes.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

It is important to avoid unnecessary prescription which may limit the ability to innovate and take alternative approaches. Standards of communication must provide suitably advanced levels of security, and sufficient commonality for a harmonised approach, but beyond this, standards should be left as high level as possible.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

The use of elements, components or approved message definitions may prove appropriate, but it would not be appropriate to require adoption of ISO20022 in its entirety. It is also vital to take into account their current uptake and the use of other existing standards in the industry, and the potential costs associated with this change, before enshrining such elements into the RTS.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

Yes, assuming that suitable certificates are accessible by the industry at the time of implementation.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

We believe that some additional flexibility in wording is called for in relation to situations where the payment service user is not themselves requesting the information, but where the information is needed to support the fulfilment of another active payment service user request which by inference calls for updated information.

Please select which category best describes you and/or your organisation

[IT services provider "]"

Please select which category best describes the services provided by you/your organisation

[Other"]"

If you selected "Other", please provide details

Credit reference agency and provider of tools to assist consumers and banks with information needs.

Name of organisation

Callcredit Information Group