On February 23, 2017, the European Banking Authority (EBA) published its final report on the draft regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication. The EBA was tasked to develop the RTS under Article 98 of EU Directive 2015/2366 (PSD2).
This final report was awaited with anxiety by the market. The consultation document published in August 2016 contained some controversial proposals, in particular related to authentication of online transactions. The draft RTS specified that strong (dual factor) authentication by the payer was required for all online transactions exceeding a threshold of 10 euros, with a few exceptions. This was perceived by market participants as a step back for online commerce in terms of customer experience. Payment service providers (PSPs) have enabled their merchant customers to offer “one-click” payments to consumers, reducing friction in the sales process and increasing conversion. Risk is managed by using advanced techniques for transaction analysis and fraud monitoring, allowing risk-based authentication.
The EBA Delivered Solid Work; Applicability of the RTS by November 2018 at the Earliest
Having digested the 153 pages of the final report, the EBA deserves credit for the results. Within the limits set by the PSD2, the authority has produced an improved version of the RTS that takes into account a number of market concerns. The 224 (!) responses to the consultation are addressed in detail as well, specifying the EBA’s analysis for each category of responses and clarifying whether amendments to the proposals were made based on this analysis.
The final draft RTS will be submitted to the European Commission and the Parliament for approval. The RTS will be applicable 18 months after its entry into force. According to the EBA, this would suggest an application date of the RTS in November 2018 at the earliest.
Here are a few highlights of the new RTS:
- Payment instruments in scope clarified: In scope of the RTS are electronic payments initiated by the payer, or by the payer through the payee, such as credit transfers or card payments. Out of scope are payments initiated by the payee, such as direct debits and card-on-file payments, as understood from the EBA’s guidance.
- Wider exemptions for applying SCA: The set of exemptions that relieve PSPs of applying SCA has been extended and new thresholds have been introduced. (E.g., the low-value exemption for remote payments has been increased to 30 euros.)
- New exemption for low-risk transactions following TRA: PSPs are now allowed to implement risk-based authentication under certain conditions (Article 16). This exemption is linked to the PSP’s overall fraud rate for a specified payment instrument as follows (see table). These reference fraud rates seem rather challenging for PSPs to meet, as current fraud rates are significantly higher. Nevertheless, PSPs that can show such low fraud rates will gain a competitive advantage in the market, as they can offer the best user experience for their customers (“click and pay”).
| Exemption threshold value | Reference fraud rate for remote card-based payments | Reference fraud rate for credit transfers |
| --- | --- | --- |
- “Screen scraping” no longer allowed: When banks offer a communication interface to third-party providers, the latter are no longer allowed to perform screen scraping (after the transitional period) for account information or payment initiation services.
- The mobile device may be used as a “multipurpose device” not requiring separate hardware to apply SCA: The independence of the elements constituting SCA does not require different devices and can be hosted on the same device under specified conditions.
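The scope rule and the two exemptions described above can be turned into a simple decision routine. The following Python example is added here as an illustration and is not code from the EBA, the RTS or Aite Group; the per-threshold reference fraud rates in it are constructed placeholders (the real figures are in the RTS table), and the value-based fraud-rate calculation is an assumption of the example.

```python
from dataclasses import dataclass

# Hypothetical TRA table as (exemption threshold in EUR,
# reference fraud rate for remote card payments,
# reference fraud rate for credit transfers).
# PLACEHOLDER values constructed for this example; substitute the RTS figures.
TRA_BRACKETS = [
    (500.0, 0.001, 0.0005),
    (250.0, 0.002, 0.001),
    (100.0, 0.005, 0.002),
]
LOW_VALUE_REMOTE_LIMIT = 30.0  # low-value exemption for remote payments (RTS)


@dataclass
class Txn:
    amount: float
    instrument: str        # "card" or "credit_transfer"
    payer_initiated: bool  # direct debits / card-on-file are payee-initiated
    fraudulent: bool = False


def fraud_rate(history: list[Txn], instrument: str) -> float:
    """Assumed definition: fraudulent value / total value for one instrument."""
    relevant = [t for t in history if t.instrument == instrument]
    total = sum(t.amount for t in relevant)
    return 0.0 if total == 0 else sum(t.amount for t in relevant if t.fraudulent) / total


def tra_limit(rate: float, instrument: str) -> float:
    """Highest exemption threshold whose reference rate the PSP's fraud rate meets."""
    col = 1 if instrument == "card" else 2
    return max((b[0] for b in TRA_BRACKETS if rate <= b[col]), default=0.0)


def decide(txn: Txn, history: list[Txn]) -> str:
    """Classify one payment: out of scope, exempt (and why), or SCA required."""
    if not txn.payer_initiated:
        return "out_of_scope"          # payee-initiated payments are outside the RTS
    if txn.amount <= LOW_VALUE_REMOTE_LIMIT:
        return "exempt_low_value"
    if txn.amount <= tra_limit(fraud_rate(history, txn.instrument), txn.instrument):
        return "exempt_tra"            # Article 16 risk-based exemption
    return "sca_required"


def sample_history() -> list[Txn]:
    """Constructed ledger: 10,000 EUR of card volume, 15 EUR of it fraudulent."""
    return [Txn(9985.0, "card", True), Txn(15.0, "card", True, fraudulent=True),
            Txn(5000.0, "credit_transfer", True)]
```

With the constructed ledger the card fraud rate is 0.15%, which in the placeholder table unlocks the 250 EUR bracket but not the 500 EUR one, so a 200 EUR card payment is exempt while a 300 EUR one still needs SCA.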
With the RTS now nearly final, the industry can get ready to implement solutions compliant with the RTS. The main concern is that standards are not specified in the RTS (with the exception of the ISO 20022 data fields to be used for the communication interface). Indeed, the RTS has on purpose been written at an abstract level, without naming particular technologies or standards, to remain technologically neutral and to allow future innovation. Although understandable from the regulator’s point of view, the lack of standards raises a real risk of market fragmentation, hampering the implementation of the PSD2 requirements and raising costs for PSPs and their customers. Hopefully, the EU industry will be able to reconvene and agree on a common approach and standards, similar to what is happening in the U.K. around the open banking initiative.
Aite Group will continue to closely watch this space on behalf of our customers and will publish an Impact Note on the topic within the coming weeks.