The European Banking Authority (EBA) published its long-awaited final draft Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and common and secure communication at the end of February 2017. These RTS are mandated under the revised Payment Services Directive (PSD2) – which enters into force in January 2018 – and are required by the European payment industry to implement PSD2.
These final draft RTS are the result of the public consultation organised in 2016 and of the EBA’s trade-offs between security and convenience to address some issues raised by the payment industry while still respecting the objectives of PSD2. The EBA reported that an “unprecedentedly wide number of stakeholders' views and input” were collected during the public consultation.
The final draft RTS have been softened in some key aspects, with the introduction of exemptions from the application of SCA in certain situations. The EBA has introduced two new exemptions:
- For payments made at ‘unattended terminals’ for transport and parking fares.
- For remote payments where a transaction risk analysis is performed, provided fraud levels are kept below specific thresholds. This exemption will be reviewed by the EBA 18 months after the application date of the RTS.
Both new exemptions address EPC’s concerns, raised during the public consultation.
The final draft RTS introduce another major change that answers a concern raised by many e-retailers: the threshold for remote payments has been increased from ten to thirty euros. The principles of the SCA (and constraints in terms of authentication) will therefore not need to be applied for consumers making online payments of less than thirty euros.
Account Servicing Payment Service Providers (ASPSPs) will be obliged to offer at least one interface for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to access payment accounts. (The EPC created an infographic about PSD2, describing all players, in case further information is needed.) A noteworthy change included in the final draft RTS is that ASPSPs using a dedicated interface will have to provide the same level of availability and performance as for the interface used by their customers.
The next step towards the finalisation of these RTS is their approval and publication by the European Commission, which is expected after the summer. They will enter into effect 18 months later.
Related link (EBA's press release: EBA paves the way for open and secure electronic payments for consumers under the PSD2)