The EBA has now published the EU Commission’s proposed amendments to its draft RTS on Strong Customer Authentication (SCA) and common and secure communication under the revised Payment Services Directive (PSD2), as well as the Commission’s accompanying letter setting out the main changes introduced. Both documents were submitted to the EBA on Wednesday 24 May, but were not made public until Friday 1 June.
As per the Commission’s letter, the main amendments are:
- Independent auditing of the security measures in cases where the transaction risk analysis exemption is applied. (Ref. Chapter 1, Article 3(2) of the EBA draft and of the Commission’s amended RTS).
Payment Service Providers (PSPs) making use of the SCA “Transaction risk analysis” exemption (as per Article 18) shall have a statutory audit performed for the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The Commission has introduced this to ensure that the risk analysis methodology employed is objective and consistent.
- Introduction of a new exemption to SCA for certain corporate payment processes. (Ref. Chapter III, NEW Article 17)
PSPs shall be allowed not to apply SCA in respect of legal persons initiating electronic payment transactions through the use of dedicated corporate payment processes or protocols, provided the relevant competent authority confirms ex-ante, that they are satisfied that those processes or protocols guarantee at least equivalent levels of security to those aimed for by PSD2.
Fraud reporting by PSPs directly to the EBA. (Ref. Chapter III, Articles 16(2) and 17(2) of the EBA draft - Article 18 and 19 of the Commission’s amended RTS)
The Commission added more details to the way that PSPs need to calculate the risk score of each payment transaction. In addition, the methodology and any model used by the PSP to calculate the fraud rates, as well as the fraud rates themselves, shall be documented and made fully available to competent authorities as well as to EBA. This means that the EBA will have access to individual fraud data from PSPs rather than relying on high-level, aggregated data reported by competent authorities.
Contingency measures in case of unavailability or inadequate performance of the dedicated communication interface. (Ref. Chapter 5, Article 28 of the EBA draft – Article 33 of the Commission’s amended RTS)
As expected, the Commission introduced an amendment to the RTS stating that, if the dedicated interface is unavailable for more than 30 seconds during a communication session between PSPs, or where it does not operate in compliance with the requirements under Articles 30 and 32 (General obligations for a dedicated interface), Payment Initiation Services Providers (PISPs) and account information services providers (AISPs) should be allowed access to the interfaces made available to the payment service users for directly accessing their payment account online, until the dedicated interface has resumed functioning. Several conditions apply (see Article 33 (3) for more details), including identification and authentication procedures, but effectively this provision reintroduces an element of screen scraping as a contingency measure.
The EBA proposal to ban screen scraping had been welcomed by banks, but was hotly contested by the FinTech sector, which thought it would leave third parties providers (TPPs) at a disadvantage. To allay concerns, the Commission made this change to ensure that unavailability or inadequate performance of the dedicated interface does not prevent PISPs and AISPs from offering their services to their users. Otherwise a bank would be able to offer its own payment services through the user-facing interfaces, which operate without any difficulties, while PISPs and AISPs would not be able to do so.
While the compromise makes sense in theory, it remains to be seen how workable it is in practice. On one hand, banks will need to upgrade their user-facing interfaces to be able to identify TPPs, make sure they are only allowed access if the dedicated interface is unavailable, and safeguard the sensitive customers’ information TPPs do not have permission to access. On the other, as communication interfaces may differ for each bank, TPPs will need to build and maintain different connectivity solutions for every bank they wish to connect to, and for both the bank’s dedicated and user-facing interfaces – which could prove costly and time consuming.
Finally, whereas the additional SCA exemption for corporate payments and the additional assurances on Transaction Risk Analysis and fraud models are welcome, the proposed amendments further prolong the period of transition between the implementation date of PSD2 (January 2018) and the date when the provisions included in this RTS will become applicable – now estimated in Spring 2019. This creates additional challenges for both new entrants, which for example will not be able to rely on APIs for almost another two years, and for incumbent banks, which will have to continue supporting existing solutions (e.g. screen scraping), while at the same time developing their RTS compliant communications interfaces.
- The EBA has until 5 July to give its opinion on the amended RTS
- After this period, the Commission can adopt the RTS taking into account the EBA’s opinion or disregarding it
- Once the Commission has officially adopted the RTS, the three months scrutiny period of the Parliament and Council will start
For further reading on this topic please visit:
- PSD2 opens the door to new market entrants
- Payments disrupted
- PSD2 RTS on authentication and communication | The devil is in the (lack of) details
- PSD2 – EBA dials up flexibility to achieve a more balanced approach