Final draft adopted by the EBA and submitted to the European Commission
The proposed Regulatory Technical Standards on strong customer authentication and secure communication are key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
The European Banking Authority (EBA) launched today a public consultation on the amendment of its Regulatory Technical Standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2) with regard to 90-day exemption from SCA for account access. The proposed amendment aims at addressing a number of issues that the EBA has identified in the application of the exemption by some account servicing payment service providers (ASPSPs) across the EU Member States and which have resulted in a negative impact on the services offered by account information service providers (AISPs) under the PSD2. The consultation runs until 25 November 2021.
The consultation paper aims at addressing a number of issues that the EBA has identified in the application of this exemption, particularly in cases where ASPSPs have not made use of the exemption and request SCA for each account access, or where they request SCA more frequently than every 90-days, as allowed by the RTS.
To address the impact of these issues on AISPs’ services, the EBA is proposing to introduce a new mandatory exemption from SCA for the specific use case when the access is done through an AISP that is subject to certain safeguards and conditions aimed at ensuring the safety of the customers’ data.
For the other separate case where customers access the data directly, the EBA is proposing to retain the exemption in Article 10 to be voluntary as is currently the case, as no specific issues have been identified in such cases. However, in order to ensure a level playing field amongst all payment service providers, the EBA is also proposing to extend the 90-days timeline in Article 10 of the RTS on SCA&CSC for the renewal of SCA to the same 180-day period for the renewal of SCA when the account data is accessed through an AISP.
The amendments proposed in this consultation paper are those that the EBA is legally in a position to make to address the issues identified. Other mitigations to address other issues are conceivable but would require changes to the Directive itself, which is beyond the EBA’s powers.
Responses to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 25 November 2021.
A public hearing will take place online on 11 November 2021 from 10 to 12 CET.
All contributions received will be published after the consultation closes, unless requested otherwise.
The European Banking Authority (EBA) published today a Discussion Paper on strong customer authentication and secure communication. The revised Payment Services Directive (PSD2) will mandate the EBA to deliver Regulatory Technical Standards on this topic, which the EBA is required to deliver by January 2017. Prior to starting the development of these requirements, the EBA is issuing a Discussion Paper, with a view to obtaining early input into the development process. Responses can be submitted until 8 February 2016.
The revised Payment Services Directive (PSD2) is expected to enter into force in January 2016 and to apply from January 2018. The Directive will confer on the EBA the development of six technical standards and five sets of guidelines. The regulatory technical standards (RTS) on strong customer authentication and secure communication, on which the EBA has issued the DP today, is key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
The RTS, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify the requirements of the strong customer authentication; exemptions from the application of these requirements; requirements to protect the user's security credentials; requirements for common and secure open standards of communication; and security measures between the various types of providers in the payments sector.
In so doing, the EBA and ECB will have to make difficult trade-offs between competing demands and would like to hear views from market participants on where the ideal balance should lie. The EBA and ECB have also identified various issues and suggest some clarifications that would similarly benefit from stakeholder feedback.
Responses to this Discussion Paper can be sent to the EBA until 8 February 2016, by clicking on the "send your comments" button on the website. The EBA will assess the responses received, and use them as input for the development of the draft RTS, which it will publish in summer 2016, for a consultation period of three months.
The Directive of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, is expected to be published in the Official Journal in December 2015. It would then enter into force in January 2016, and would apply from January 2018.
The European Banking Authority (EBA) published today its final Report on the amendment of its Regulatory technical standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2). The changes introduce a new mandatory exemption to SCA that will require account providers not to apply SCA when customers use an account information service provider (AISP) to access their payment account information, provided certain conditions are met. The amendment aims to reduce frictions for customers using such services and to mitigate the impact that the frequent application of SCA and the inconsistent application of the current exemption have on AISPs’ services.
Following a public consultation that has attracted more than 1,200 responses, as well as an extensive analysis of such feedback, the EBA has introduced some changes to the draft amending RTS, while retaining the mandatory exemption and the extension of the frequency for the renewal of SCA from every 90 days to every 180 days proposed in the Consultation Paper.
These amendments are those that the EBA is legally in a position to make to address the issues identified. Other mitigations to address these issues are conceivable but would require changes to the Directive itself, which is beyond the EBA’s powers.
The amendments to the RTS are envisaged to apply 7 months after the publication of the amending RTS in the Official Journal of the EU.
The European Banking Authority (EBA) published today an Opinion on the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The Opinion sets the deadline to 31 December 2020 and prescribes the expected actions to be taken during the migration period.
Today's Opinion also recommends national competent authorities (NCAs) to take a consistent approach toward the SCA migration period across the EU and to require their respective payment service providers (PSPs) to carry out the actions set out in the Opinion.
In addition, the Opinion recommends that, where required, NCAs communicate to PSPs in their jurisdiction that the supervisory flexibility they have exercised does not represent a delay in the application date of the SCA requirements in PSD2 and the EBA's Technical Standards. Rather, it means that NCAs will focus on monitoring migration plans instead of pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements.
Furthermore, the EBA notes that consumers will be protected against fraud as required by the law and NCAs should, therefore, communicate to their PSPs that the liability regime under Article 74 of the PSD2 applies and that issuing and acquiring PSPs are still liable for unauthorised payment transactions.
Today's Opinion is a follow-up to the Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) that the EBA published in June 2019. At the time, the EBA acknowledged the complexity of the payments markets across the EU and the challenges that arise from the changes that are required, in particular for some actors in the payment chain that are not PSPs who may not be ready by 14 September 2019. Against this backdrop, the EBA accepted that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.
When publishing the Opinion in June, the EBA announced that, in order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, it would communicate later in 2019 the deadlines for the completion of the SCA migration plans, which today's Opinion provides.
The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches the EBA considers to be compliant with SCA. The Opinion also addresses concerns about the preparedness and compliance of some actors in the payments chain with the SCA requirements that apply as of 14 September 2019.
Today's Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.
The Opinion also responds to the concerns about market preparedness, by clarifying that the EBA is legally not able to postpone an application date that is set out in EU law. The Opinion also explains that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition of SCA had been set out in PSD2 when it was published in 2015, which gave clear indications that existing authentication approaches would need to be phased out, and because PSD2 already granted an additional 18-month period for the industry to implement SCA.
However, the Opinion acknowledges the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by actors that are not payment service providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards, such as e-merchants, which may lead to some actors in the payments chain not being ready by 14 September 2019.
The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, NCAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their NCA, and will execute the plan in an expedited manner.
In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.
The revised Payment Services Directive was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.
SCA is defined in the Directive as an "authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data." The Directive also provides that SCA is to be applied to all electronic payments, unless one of the exemptions applies.
The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.
The RTS were developed in 2015/16, consulted on during 2016/17, adopted as Commission Delegated Regulation (EU) 2018/389 on 27 November 2017, published in the Official Journal on 13 March 2018, and will legally apply from 14 September 2019. The RTS deliberately refrains from referring to any particular authentication approaches in the industry, in order to ensure that the RTS remains technology neutral and future-proof.
The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The European Banking Authority (EBA) published today an Opinion on the use of eIDAS certificates under the Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication (SCA&CSC). In the Opinion, the EBA clarifies specific aspects on the use of qualified certificates for electronic seals (QSealCs) and qualified certificates for website authentication (QWACs) for the purpose of identification of payment service providers (PSPs) under the RTS, the content of these certificates, and the process for their revocation.
The Opinion aims at addressing questions and concerns raised by market participants related to the use of eIDAS certificates. More specifically, the Opinion clarifies that ASPSPs are the party that should choose whether to use a QSealC or a QWAC for identification purposes, because they are providing the interface and ensuring the security of the communication. In addition, in the Opinion, the EBA highlights three potential alternative approaches for the use of eIDAS certificates, but it recommends that QSealCs and QWACs should be used in parallel.
The Opinion also clarifies which payment services correspond to each of the roles specified in Article 34(3)(a) of the RTS and the roles that have to be assigned in the certificates to payment institutions, electronic money institutions and credit institutions, including when these institutions act in their capacity as a third party provider or an ASPSP.
Finally, in order for all payment service providers (PSPs) to be in a position to rely on the eIDAS certificates, the Opinion identifies a few measures that competent authorities may apply, including by requesting the revocation of certificates issued to a PSP that has had its authorisation withdrawn. However, the EBA acknowledges that the validity of the information contained in the certificates is within the responsibility of PSPs and qualified trust service providers that issue the certificates.
The Opinion is addressed to national competent authorities, but it is also useful for account servicing payment service providers (ASPSPs), account information service providers, payment initiation service providers, card-based payment instrument issuers, third party providers, and industry initiatives, including initiatives of application of programming interface (API).
Legal basis
The EBA has drafted the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union.
The Opinion is issued in support of the EBA's RTS on SCA&CSC, which was published in the Official Journal of the EU as Commission Delegated Regulation (EU) 2018/389.
The European Banking Authority (EBA) launched today a public consultation on the amendment of its Regulatory Technical Standards (RTS) on strong customer authentication and secure communication (SCA&CSC) under the Payment Services Directive (PSD2) with regard to 90-day exemption from SCA for account access. The proposed amendment aims at addressing a number of issues that the EBA has identified in the application of the exemption by some account servicing payment service providers (ASPSPs) across the EU Member States and which have resulted in a negative impact on the services offered by account information service providers (AISPs) under the PSD2. The consultation runs until 25 November 2021.
The consultation paper aims at addressing a number of issues that the EBA has identified in the application of this exemption, particularly in cases where ASPSPs have not made use of the exemption and request SCA for each account access, or where they request SCA more frequently than every 90-days, as allowed by the RTS.
To address the impact of these issues on AISPs’ services, the EBA is proposing to introduce a new mandatory exemption from SCA for the specific use case when the access is done through an AISP that is subject to certain safeguards and conditions aimed at ensuring the safety of the customers’ data.
For the other separate case where customers access the data directly, the EBA is proposing to retain the exemption in Article 10 to be voluntary as is currently the case, as no specific issues have been identified in such cases. However, in order to ensure a level playing field amongst all payment service providers, the EBA is also proposing to extend the 90-days timeline in Article 10 of the RTS on SCA&CSC for the renewal of SCA to the same 180-day period for the renewal of SCA when the account data is accessed through an AISP.
The amendments proposed in this consultation paper are those that the EBA is legally in a position to make to address the issues identified. Other mitigations to address other issues are conceivable but would require changes to the Directive itself, which is beyond the EBA’s powers.
Responses to this consultation can be sent to the EBA by clicking on the "send your comments" button on the consultation page. Please note that the deadline for the submission of comments is 25 November 2021.
A public hearing will take place online on 11 November 2021 from 10 to 12 CET.
All contributions received will be published after the consultation closes, unless requested otherwise.
The European Banking Authority (EBA) published today a Discussion Paper on strong customer authentication and secure communication. The revised Payment Services Directive (PSD2) will mandate the EBA to deliver Regulatory Technical Standards on this topic, which the EBA is required to deliver by January 2017. Prior to starting the development of these requirements, the EBA is issuing a Discussion Paper, with a view to obtaining early input into the development process. Responses can be submitted until 8 February 2016.
The revised Payment Services Directive (PSD2) is expected to enter into force in January 2016 and to apply from January 2018. The Directive will confer on the EBA the development of six technical standards and five sets of guidelines. The regulatory technical standards (RTS) on strong customer authentication and secure communication, on which the EBA has issued the DP today, is key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
The RTS, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify the requirements of the strong customer authentication; exemptions from the application of these requirements; requirements to protect the user’s security credentials; requirements for common and secure open standards of communication; and security measures between the various types of providers in the payments sector.
In so doing, the EBA and ECB will have to make difficult trade-offs between competing demands and would like to hear views from market participants on where the ideal balance should lie. The EBA and ECB have also identified various issues and suggest some clarifications that would similarly benefit from stakeholder feedback.
Responses to this Discussion Paper can be sent to the EBA until 8 February 2016, by clicking on the "send your comments" button on the website. The EBA will assess the responses received, and use them as input for the development of the draft RTS, which it will publish in summer 2016, for a consultation period of three months.
The Directive of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, is expected to be published in the Official Journal in December 2015. It would then enter into force in January 2016, and would apply from January 2018.