As announced in a previous article (see EUROPE 11912), the European Commission on Monday 27 November adopted the final draft regulatory technical standards (RTS) on strong customer authentication and secure common communication in the framework of the revised directive on payment services (PSD2).
In a document accompanying the final text, the Commission stated that it had made a few limited changes of substance to the draft drawn up by the European Banking authority (EBA) in February 2017, to “better reflect the mandate of PSD2”.
Strong customer authentication. Basically, what will change once these standards enter into force is that in most cases, simply inputting or communicating the data on a credit card will no longer be enough to make a payment.
For transactions of €50 and above, the combination of at least two independent elements will be required in order to make a payment. For instance, these may be a physical object (a card or a mobile telephone) together with a password or biometric element, such as digital fingerprints.
However, payment service providers may be exempted if they have developed ways of assessing risks in transactions, for instance for company payments made by batch. Exemptions are also possible for contactless payments, regular transfers, transactions for small amounts (below €30) and certain types of payment, such as transport or parking charges.
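The two rules above (an amount threshold plus the requirement that the two elements be independent, and a list of exemptions that can waive the check) are easy to get wrong in a payment gateway. The following is an added example written for this article, not code from the Commission, the EBA or any payment provider. It groups elements into the three PSD2 categories (knowledge, possession, inherence), which the article does not name but which define what "independent" means, and treats the element names and exemption identifiers as assumptions chosen to mirror the article's wording.

```python
from enum import Enum


# PSD2 groups authentication elements into three categories; two elements from
# different categories are "independent" in the sense the article describes.
class Category(Enum):
    KNOWLEDGE = "knowledge"      # something only the user knows (password, PIN)
    POSSESSION = "possession"    # something only the user has (card, phone)
    INHERENCE = "inherence"      # something the user is (fingerprint)


# Constructed mapping for this example; the element names are illustrative.
ELEMENT_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "card": Category.POSSESSION,
    "mobile_phone": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}

SCA_THRESHOLD_EUR = 50.0     # from the article: SCA required at EUR 50 and above
LOW_VALUE_LIMIT_EUR = 30.0   # from the article: low-value exemption below EUR 30

# Exemption identifiers are assumptions for this example, named after the
# cases the article lists (contactless, regular transfers, transport/parking,
# and provider-side risk analysis such as batch company payments).
EXEMPTIONS_WITHOUT_AMOUNT_LIMIT = {
    "contactless", "recurring_transfer", "transport_parking", "risk_analysis",
}


def is_strong_authentication(elements):
    """Return True if the elements cover at least two distinct categories.

    Two knowledge elements (password + PIN) do NOT count as strong
    authentication: they are not independent, because compromising one
    usually compromises the other.
    """
    try:
        categories = {ELEMENT_CATEGORY[e] for e in elements}
    except KeyError as exc:
        raise ValueError(f"unknown authentication element: {exc.args[0]}") from None
    return len(categories) >= 2


def sca_required(amount_eur, exemption=None):
    """Decide whether strong customer authentication must be applied."""
    if amount_eur < SCA_THRESHOLD_EUR and exemption is None:
        return False
    if exemption == "low_value":
        # The low-value exemption only applies below EUR 30; above that the
        # merchant cannot use it to skip SCA.
        return amount_eur >= LOW_VALUE_LIMIT_EUR
    if exemption in EXEMPTIONS_WITHOUT_AMOUNT_LIMIT:
        return False
    if exemption is not None:
        raise ValueError(f"unknown exemption: {exemption}")
    return True


def authorise_payment(amount_eur, elements, exemption=None):
    """Return ('approved' | 'declined', reason) for a payment attempt."""
    if not sca_required(amount_eur, exemption):
        return ("approved", "SCA not required")
    if is_strong_authentication(elements):
        return ("approved", "SCA satisfied")
    return ("declined", "SCA required but elements are not from two independent categories")


if __name__ == "__main__":
    # Constructed sample attempts.
    print(authorise_payment(75.0, ["card", "fingerprint"]))        # approved, SCA satisfied
    print(authorise_payment(75.0, ["password", "pin"]))            # declined
    print(authorise_payment(20.0, [], exemption="low_value"))      # approved, SCA not required
    print(authorise_payment(75.0, [], exemption="low_value"))      # declined (exemption misused)
```

The detail worth noticing is the "password + PIN" case: a naive implementation that counts elements rather than categories would accept it, and the independence requirement is exactly what the article's phrase "two independent elements" is meant to rule out. The second point is that an exemption is a claim the merchant makes, so the gateway must re-check its conditions (here the EUR 30 limit) rather than trusting the flag.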
Common and secured communication. To allow consumers to use new innovative payment services, banks are required to put secure communication channels in place to transmit data and initiate payments, following the client's authorisation. To do so, banks can choose between two options: adapting their online banking interface, or creating a new dedicated interface that includes all the information the payment service providers need.
The RTS also provide for emergency measures to be set in place when banks choose the dedicated interface, to ensure the continuity of the service in the event of unavailability or a breakdown of the system. As announced in a previous article (see EUROPE 11907), the Commission has kept in place its contingency solution, which authorises the much-decried practice of 'screenscraping' when the dedicated communication interface is unavailable for more than 30 seconds, after five attempts to connect or if it does not comply with the obligations applicable to interfaces.
On this matter, the Commission seems to have taken account of the criticism (see EUROPE 11839), as it is proposing that banks may be exempted from having to put a contingency solution of this kind in place if they have an entirely functional dedicated communication interface that meets the quality criteria set out by the RTS, by decision of the national authorities and following consultation of the EBA.
Initial reactions. “These security standards are like a Swiss cheese. They may look good from outside, but inside, they’re full of holes”, said Monique Goyens, CEO of the European Consumer Organisation (known by its French acronym, BEUC) in a press release, lamenting the number of exemptions to strong authentication in place.
The European Banking Federation considers that the fall-back solution adopted by the Commission is not practical and seems incompatible with operational reality. In its view, it does not guarantee that the information accessible to third-party service providers is limited to what is necessary to carry out the service they are providing.
“The European Parliament will now take due care to scrutinise the implementing legislation in all its details, but the first impression is favourable”, said MEP Markus Ferber (EPP, Germany), who is responsible for the dossier at the Parliament. The European Parliament and the Council now have three months to scrutinise the text and issue any objections.
The RTS and the directly related provisions of the PSD2 directive will apply from September 2019, following a transitional period of 18 months running from the date of their publication in the Official Journal of the EU. They are available at the following address: http://bit.ly/2AdUod3 (Original version in French by Marion Fontana)