Frederik Mennes, Vasco Data Security – Senior Manager Market & Security Strategy
In the ongoing discussion on PSD2, in late June the European Banking Authority (EBA) published its opinion on the European Commission’s proposed amendments to the PSD2 draft Regulatory Technical Standards (RTS) on Strong Customer Authentication and Common and Secure Communication. Below, we’ve included a simplified version of the debate about the amendments to help you navigate PSD2.
The EBA’s opinions on the four amendments proposed by the Commission are as follows:
1. Independent security review of the SCA exemption based on Transaction Risk Analysis (TRA).
Payment Service Providers (PSPs) will be required to have independent security auditors review their transaction risk methodology, their risk model and the reported payment fraud rates. The EBA and Commission seem to agree on this principle, but there is some back-and-forth about the most appropriate legal wording to describe auditors qualified for this review. The Commission proposed the wording ‘statutory auditors’, while the EBA believes ‘auditors with expertise in IT security and payments and operationally independent within or from the PSP’ is more appropriate.
2. New exemption from SCA for certain corporate payment processes.
The Commission proposed to add an exemption from SCA if corporate payments are performed using certain processes or protocols that achieve a high level of security. The EBA seems to agree with this principle, but suggests a different way to incorporate this exemption into the RTS. More specifically the RTS now suggests to add a new category under the already existing TRA exemption for payments whereby the payers are not consumers, providing that the payment fraud rate is equivalent to or below a certain threshold fraud rate.
3. PSPs should report payment fraud directly to EBA.
The Commission proposed that, in addition to aggregated fraud data, PSPs should also provide data and reports about individual payment fraud cases tothe EBA. The EBA agrees with this proposal, but also suggested some changes to ensure it only receives this additional data upon request and to avoid double reporting requirements for PSPs.
4. Contingency measures in case of unavailability or inadequate performance of the dedicated communication interface (‘APIs’) of banks.
PSD2 allows banks to offer a dedicated communication interface to TPPs, such as AISPs and PISPs. For instance, banks may expose an API function allowing TPPs to check the account balance of their customers. The Commission proposed that, if the dedicated interface offered by a bank would not be available or would not be functioning adequately, then the bank must allow TPPs to use the regular, customer-facing communication interface of the bank. In other words, TPPs would be allowed to use so-called “direct access” or “screen scraping” to access a bank’s systems when they are unavailable or not performing adequately.
The EBA does not agree with this amendment for several reasons: there would be additional costs for the banks, there might be fragmentation of interfaces offered by banks to TPPs, customers might be confused about the various interfaces, etc. Instead the EBA suggests to add some requirements to the RTS that aim to guarantee the service level of the dedicated interfaces of banks. With its opinion about the dedicated communication interface, the EBA goes against the amendment of the Commission which was heavily supported byEuropean fintech companies, and comes down on the side of the banks.
It is now up to the Commission to make the final decision on the text of the RTS and to adopt the RTS. The EU Council and EU Parliament still have a scrutiny right however. Once the RTS have been adopted and published in the Official Journal of the EU, they will apply 18 months later. European Commission (EC) expected to adopt final draft RTS by September / October 2017. Meanwhile, discussion with competent authorities signal EC will make some changes. Requirements expected to become effective in March / April 2019.
