Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

EMOTA is very concerned about the negative effects the EBA proposed standard could have on our sector if adopted with the proposed measures. EMOTA does not support a blanket approach as proposed by the EBA for Strong Customer Authentication (SCA). It risks reducing competition in the market, hampering consumer convenience and restricting the development of the Digital Single Market. EMOTA calls on policy makers to ensure the needed flexibility so that traders can use their knowledge of the consumer and of the market to assess risk (e.g., behavioral data, strong customer authentication via login and data from past purchases, etc.). A clearer risk-based approach is needed. EMOTA also stresses that the criteria proposed for the authentication elements are far too restrictive (static passwords with sufficient combinations and special characters). EMOTA would also question the approach proposed by the EBA whereby regulatory bodies are also auditing Payment Service Providers, an aspect, in our view, not required by the PSDII and which is not practical.
EMOTA calls on policy makers to avoid imposing any measures which would reduce the eCommerce volumes and create a clear disadvantage for eCommerce, compared to offline sales (PIN in offline vs 3D Secure in online). Our concerns are justified by the lack of adapted solutions to eCommerce which would facilitate a good customer experience. Similarly, some of the measures will be very difficult or impossible to implement in some instances such as Direct Debit.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

EMOTA stresses that the EBA should not confuse authentication and authorization. The EMOTA Members question whether or not the dynamic linking process would be the most practical and efficient mechanism for online transactions, because of the reasons mentioned above, linked to convenience and effectiveness. For example, it is not clear how and when the authentication code should be displayed. It is not clear what should happen in cases where a single charge is authorized at different times by the payee, as would be the case for split orders.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

EMOTA questions the EBA approach regarding SCA and would rather support a targeted risk-based approach, which is more likely to encourage growth in the sector and, through innovation and experience, reduce the levels of fraud. The diversity on the market is too great for a single list of elements and a centralized minimum threshold approach to risk. The EBA standard drafting should recognize that across the various sectors and various players in the market the approaches to fraud are different and industry best practices can be identified and agreed upon. The EBA should acknowledge these industry best practices and engage with the stakeholders in order to best incorporate these into the standards, ensuring proper enforcement mechanisms aimed at increasing compliance and consumer convenience.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

EMOTA has strong concerns with the extremely rigid framework proposed by the EBA, which is unlikely to achieve the intended results. As an example, as part of the consultation process many of the stakeholders mentioned the paradox of certain low-value transactions presenting a high risk of fraud, which is a reality experienced also by the EMOTA Members. This risk is not being captured by the EBA approach. Providers should retain the flexibility to apply SCA where they have identified a risk of fraud, regardless of the amount of the transaction. Similarly, they should be able to not trigger SCA if they have not identified a risk of fraud, regardless of the amount of the transaction.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

EMOTA has strong concerns that the approach of the draft RTS will lead to reduced competition in the market and ultimately less favorable conditions for eCommerce. EMOTA fears that, as the proposal stands now, some of the market players, namely banks, will be in a privileged position over some of the other players such as Payment Initiation Services. Non-bank third-party payment initiation service providers (TPPs) must be allowed to continue using direct access via the customer-facing online interfaces of the banks in order to initiate payments on behalf of consumers. This direct access technology is well established and is already transforming the market, allowing innovation and promoting competition. The final regulatory standards must be amended so as to guarantee the right for TPPs to always use the customer-facing online interfaces to initiate payments, rather than, as the current draft does, force TPPs to give up their own IT solution. EMOTA urges the EBA and policy makers not to support any measures which could lead to a reduction in competition.

Please select which category best describes you and/or your organisation

Retailer

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Trade association representing online and distance retailers

Name of organisation

EMOTA European eCommerce and Omni Channel Trade Association