On February 23 the EBA published the final draft of the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication under PSD2 (the revised Payment Services Directive). During the consultation period, 224 responses to the EBA's questions were submitted by a wide and representative group of stakeholders. After reviewing the responses, the EBA identified three key issue areas: (1) the scope and technological neutrality of the requirements; (2) exemptions, including their scope and thresholds and the addition of an exemption for low-risk transactions based on TRA (transaction risk analysis); and (3) access to payment accounts by third-party providers and the requirements concerning the information communicated.
EBA has reviewed all submitted responses and made changes to the original draft version in various articles in the above-mentioned categories. Some of the most notable changes include:
1. Certain details of the knowledge element of Strong Customer Authentication (SCA) were removed to ensure technological neutrality and leave room for innovation. Details of the possession element were removed for the same reason.
2. References to compliance with ISO 27001 for the processing and routing of personalised security credentials and authentication codes were removed from Article 21, because mandating some industry standards over others could disadvantage specific parts of the industry.
3. An exemption from the SCA principles for 'unattended terminals' (e.g. for transport or parking fares) was added.
4. A TRA-based exemption from the SCA principles was added in Article 16 of the RTS. The exemption applies to specific remote electronic transactions that a transaction monitoring mechanism (TMM) has classified as low risk and that fulfil the conditions set out in paragraph 2 of that Article.
5. The threshold for remote payment transactions was increased from EUR 10 to EUR 30, and the exemption for a series of credit transfers was made more generic by referring to it as a series of payments.
6. ASPSPs must now offer at least one interface through which AISPs and PISPs can access payment account information; 'screen scraping' (so-called 'direct access') will no longer be allowed once the transition period has elapsed and the RTS applies (November 2018 at the earliest). In addition, ASPSPs must provide the same level of availability and performance for that interface as for the interfaces their own customers use, and the same level of contingency measures is expected in case of unplanned unavailability. AISPs may access a payment account automatically (i.e. without the payment service user actively requesting it) at most four times per day, unless a different frequency is agreed bilaterally between the parties; requests actively initiated by the payment service user remain unlimited.
Business models and profitability drivers are the ECB's number one supervisory priority for 2017. Furthermore, IT disruptions and non-bank competition have been identified as significant risk drivers for banks. PSD2 is an opportunity for banks to address those drivers and the associated risks by examining how the new regulation can help them change their business models, develop new products and prepare for non-bank competition. For more details on the changes and their implications for banks and other stakeholders, please refer to our article, which can be found here.