BITKOM - The German Association for Information Technology, Telecommunications and New Media
The benefits of the ‘one step approach’ are very difficult to assess at the time of this consultation. The PSD2 is currently far from being finalized: the draft compromise text, currently under discussion at the EU Council, will have to be finalized and then negotiated with the EU Parliament. It can be expected that Chapter 5 in particular (Operation and security risks and authentication) of the PSD2 draft will be subject to further amendments and revisions during the next few months.
BITKOM clearly prefers a two-step approach for the implementation of the Recommendation on the security of internet payments and strongly objects to the idea of introducing the strong authentication rules of the draft PSD 2 already by 1 August 2015, which is probably 1.5 years earlier than the expected transformation of PSD 2 into the national law of the Member States.
Furthermore, market participants are highly critical of the strong authentication rules of PSD 2 as an appropriate “one fits all” solution, and the rules are highly contested between EU institutions and Member States. The EBA should wait for the final results of the trialogue negotiations (depending on the date of coming into force of the PSD 2). A prior enactment of the strong authentication rules would also clearly undermine the national implementation process of PSD 2 in the Member States.
It is therefore more appropriate to stay with a two-step approach, both from the perspective of the democratic legitimation of the requirements and because it gives the companies concerned a transitional period to implement such requirements.
For the reasons outlined above, we would consider it ideal to await finalization of the PSD2 text and then review the SecuRe Pay Recommendations against these new requirements before issuing draft EBA guidelines and/or technical standards. At the very least, we recommend that the EBA Guidelines enter into force on the 1st of August without introducing any authentication requirements additional to those already set forth by the SecuRe Pay Recommendations.