On 23 February the European Banking Authority (EBA) proposed its final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under PSD2 to the European Commission (EC). On 24 May the Commission sent a letter to the EBA, stating its intent to amend the final draft RTS. The EBA published this letter as well as the amended RTS on its website.
The Commission proposes four amendments to the RTS. None of these amendments propose any significant changes to the core requirements of Strong Customer Authentication and Transaction Risk Analysis (TRA) as laid out in the EBA’s final draft RTS. In other words, the key requirements related to two-factor authentication, dynamic linking, replication protection for the possession element (e.g. mobile app), and application protection to ensure independence of the authentication elements, all remain untouched.
The amendments envisaged by the Commission relate to following four topics:
1. Independent security review of the SCA exemption based on TRA. Payment Service Providers (PSPs) will be required to have independent security auditors review their transaction risk methodology, their risk model and the reported payment fraud rates. The purpose of this amendment is to ensure objectivity in the application of the exemption from SCA based on TRA. It can be expected that PSPs will (partly) shift the responsibility to have their TRA processes reviewed to the vendors of TRA products.
2. New exemption from SCA for certain corporate payment processes. PSPs do not have to apply SCA to corporate payments if they are performed using certain processes or protocols that achieve a high level of security.
3. PSPs should report payment fraud directly to EBA. In addition to aggregated fraud data, PSPs should also provide data and reports about individual payment fraud cases to the EBA.
4. Contingency measures in case of unavailability or inadequate performance of the dedicated communication interface of banks. PSD2 mandates Account Servicing Payment Service Providers (better known as “banks”) to offer a dedicated communication interface to Third Party Providers (TPPs). For instance, banks must expose a dedicated interface (e.g. API) allowing TPPs to check the account balance of their users. The amendment from the Commission stipulates that, if the dedicated interface offered by a bank would not be available or would not be functioning adequately, then the bank must allow TPPs to use the regular, user-facing communication interface of the bank. In other words, TPPs are allowed to use so-called “direct access” or “screen scraping” to access a bank’s systems when they are unavailable or not performing adequately. This amendment, which to a certain extent addresses considerations from about 70 TPPs in their recent Manifesto for the impact of PSD2 on the future of European FinTech, has already met significant concerns from the European Banking Federation.
As a next step, the EBA will review the amendments proposed by the Commission. The EBA has until 5 July to give its opinion on the amended RTS. After 5 July, the Commission can adopt the final RTS, taking into account or disregarding the EBA’s opinion. Once the Commission has adopted the final RTS, it will be subject to scrutiny by the European Parliament and the Council of the European Union.