
EBA sets out plans to exempt some payments from strong customer authentication rules under PSD2

December 9th - Businesses and consumers could be allowed to authorise low-value payments, payments to "trusted beneficiaries" and transfers between payment accounts they themselves hold without completing a multi-factor authentication process under new EU payment services rules, according to plans under consideration by an EU regulator.

The proposals are contained in a European Banking Authority (EBA) consultation on the development of a regulatory technical standard on strong customer authentication (31-page / 300KB PDF). The EBA is responsible for drawing up such a standard under the new Payment Services Directive (PSD2), which was finalised last month.

The EBA's discussion paper invites banks, payment service providers (PSPs) and other businesses involved in the payments market to provide input into the development of the standard, which it expects to publish for consultation in the summer of 2016.

Under the remit given to the EBA under PSD2, the standard will need to help PSPs prevent unauthorised payments and access to payment accounts and ensure that innovative new applications and services developed by third parties in the payments market can connect securely to their systems at their customers' request.

PSD2 generally requires PSPs to apply "strong customer authentication" where an organisation or consumer tries to access their payment account online, initiates an electronic payment transaction or "carries out any action through a remote channel which may imply a risk of payment fraud or other abuses".

Those provisions also apply to cases where payments are initiated through payment initiation service providers (PISPs) or where account holders request information about their accounts via an account information service provider (AISP).

They accord with the wider aims of the Directive, which include enhancing competition and innovation in the market by supporting PISPs to facilitate transactions and by allowing AISPs to aggregate payment account data on behalf of customers.

PSD2 imposes data security obligations on PSPs covering such third-party interactions with the accounts they manage, and PSPs must also ensure that PISPs and AISPs can rely on the strong customer authentication measures the PSP deploys in order to deliver their services.

In the case of the initiation of electronic remote payment transactions PSPs are required to "apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee". This obligation applies to payments initiated through a PISP too.

A failure to provide for strong customer authentication could result in PSPs being held liable for unauthorised transactions made from accounts they manage.

According to the new Directive, strong customer authentication is a mechanism that requires payment account holders wishing to access their accounts or make a payment to provide information that allows their identity to be verified and which is built on two or more independent factors. Those elements are something the account holder knows (knowledge), something they possess (possession) or something they are (inherence).

The mechanism must be built in a way that ensures that "the breach of one [factor of authentication] does not compromise the reliability of the others" and be "designed in such a way as to protect the confidentiality of the authentication data".
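The two-or-more-factor, independence and confidentiality requirements above, together with the earlier obligation that remote payments carry elements "which dynamically link the transaction to a specific amount and a specific payee", can be made concrete with a small example. This is an added illustration, not code from the EBA, PSD2 or the article: a possession factor (a per-device HMAC key), a knowledge factor (a PIN the PSP stores only as a salted hash) and an authentication code computed over the amount and payee, so that a code the user generated for one transaction is useless if a man-in-the-browser alters either field or replays it. The key, PIN, salt, IBANs, nonce length and 8-digit truncation are all assumptions chosen for the example; a real deployment would also rate-limit code guesses and protect the device key in hardware.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data for one payment service user (PSU). Both values are
# assumptions for this example: a secret provisioned into the PSU's device at
# enrolment (possession factor) and a salted hash of the PSU's PIN (knowledge
# factor). The PSP stores the hash only, never the PIN itself.
DEVICE_KEY = bytes.fromhex(
    "7f3c5e1a9b2d4c6e8f0a1b3c5d7e9f2a4b6c8d0e1f3a5b7c9d2e4f6a8b0c1d3e")
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)
CODE_DIGITS = 8


def canonical_payload(amount_cents: int, payee: str, nonce: str) -> bytes:
    """Unambiguous encoding of the transaction the code must be linked to.
    Length-prefixing the payee stops a delimiter inside an account string from
    shifting the field boundaries."""
    payee = payee.replace(" ", "").upper()
    return f"v1|{amount_cents:d}|{len(payee)}:{payee}|{nonce}".encode()


def authentication_code(device_key: bytes, amount_cents: int, payee: str, nonce: str) -> str:
    """Code computed on the PSU's device: an HMAC over amount, payee and the
    PSP's challenge nonce, shortened to decimal digits with the HOTP (RFC 4226)
    dynamic-truncation step so it fits on a small display or keypad."""
    mac = hmac.new(device_key, canonical_payload(amount_cents, payee, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Psp:
    """PSP-side verification. Holds the per-device key and the PIN hash, and
    rejects any code whose amount or payee differs from what the device signed."""

    def __init__(self, device_key: bytes, pin_hash: bytes, pin_salt: bytes):
        self._device_key = device_key
        self._pin_hash = pin_hash
        self._pin_salt = pin_salt
        self._used_nonces = set()       # each challenge nonce is accepted once

    def _pin_ok(self, pin: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._pin_salt, 100_000)
        return hmac.compare_digest(digest, self._pin_hash)

    def authorise(self, amount_cents: int, payee: str, nonce: str, pin: str, code: str) -> bool:
        if nonce in self._used_nonces:
            return False                # replay of an already-used code
        if not self._pin_ok(pin):
            return False                # knowledge factor failed
        expected = authentication_code(self._device_key, amount_cents, payee, nonce)
        if not hmac.compare_digest(expected, code):
            return False                # possession factor or dynamic link failed
        self._used_nonces.add(nonce)
        return True


def demo() -> dict:
    """Constructed scenario: the PSU approves one payment on the device; a
    man-in-the-browser then tries to change the amount, redirect the payee,
    and replay the code. Only the untouched transaction is accepted."""
    psp = Psp(DEVICE_KEY, PIN_HASH, PIN_SALT)
    nonce = secrets.token_hex(8)
    amount, payee = 12500, "GB33 BUKB 2020 1555 5555 55"       # sample IBAN, not a real account
    code = authentication_code(DEVICE_KEY, amount, payee, nonce)  # computed on the device
    return {
        "amount_tampered": psp.authorise(999900, payee, nonce, "4711", code),
        "payee_redirected": psp.authorise(amount, "DE89 3704 0044 0532 0130 00", nonce, "4711", code),
        "wrong_pin": psp.authorise(amount, payee, nonce, "0000", code),
        "genuine": psp.authorise(amount, payee, nonce, "4711", code),
        "replayed": psp.authorise(amount, payee, nonce, "4711", code),
    }
```

The independence requirement is met here only to the extent that stealing the device key does not reveal the PIN and vice versa; a device that both holds the key and captures the PIN on its own screen collapses the two factors, which is exactly the mobile-device concern the EBA raises later in the paper.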

Some exceptions to the obligation to provide for strong customer authentication are permitted under PSD2 in accordance with criteria set out in the Directive. Those criteria are the level of risk involved in the service provided, the amount and/or the recurrence of a transaction and the payment channel used for the execution of a transaction.

The EBA is responsible for drafting a standard that gives effect to those exceptions. In its discussion paper the EBA set out which exemptions it could apply under its standard.

"[The exemptions that could apply include] low-value payments as defined in the PSD2 provided that the risk for cumulative transactions is monitored; outgoing payments to trusted beneficiaries included in previously established white lists by a [payment service user (PSU)]; transfers between two accounts of the same PSU held at the same PSP; low-risk transactions based on a transaction risk analysis …; purely consultative services, with no display of sensitive payment data, taking into account data privacy laws," the EBA said.

The regulator said that it cannot currently see a justification for exempting all payments made via a certain channel from the strong customer authentication rules.

Other issues the EBA identified in its discussion paper included the potential problem for PSPs in ensuring there is independence between different customer authentication factors when payments are made using mobile devices.
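As an added illustration (not from the EBA paper or the article) of how a PSP might express the exemptions listed above as a decision function: transfers between a PSU's own accounts at the same PSP and payments to a beneficiary the PSU has previously whitelisted are exempt outright, while the low-value exemption is granted only while a running total and count of exempted payments stay under limits that a completed strong customer authentication resets. Deliberately, there is no channel-based exemption. The thresholds, account identifiers and field names are placeholders chosen for the example; the discussion paper sets no figures.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed policy parameters for the illustration only.
LOW_VALUE_LIMIT_CENTS = 3000        # single payment at or below this counts as low value
CUMULATIVE_LIMIT_CENTS = 10000      # total exempted since the last strong customer authentication (SCA)
MAX_EXEMPTED_IN_A_ROW = 5           # number of exempted payments since the last SCA


@dataclass
class PsuState:
    """Per-PSU state the engine needs to monitor cumulative low-value risk."""
    trusted_payees: set = field(default_factory=set)
    exempted_total_cents: int = 0
    exempted_count: int = 0


@dataclass
class Payment:
    psu_id: str            # the paying PSU
    payee_psp: str         # PSP holding the payee account
    payee_account: str     # payee account identifier
    payee_owner_id: str    # PSU id of the payee account's owner, if known to this PSP
    amount_cents: int


class ExemptionEngine:
    def __init__(self, own_psp: str):
        self.own_psp = own_psp
        self.state = defaultdict(PsuState)

    def add_trusted_beneficiary(self, psu_id: str, payee_account: str) -> None:
        # Editing the whitelist is itself an action that may imply fraud risk,
        # so in practice it is only performed after a completed SCA.
        self.state[psu_id].trusted_payees.add(payee_account)

    def record_sca(self, psu_id: str) -> None:
        """A completed SCA resets the cumulative low-value counters."""
        s = self.state[psu_id]
        s.exempted_total_cents = 0
        s.exempted_count = 0

    def decide(self, p: Payment) -> str:
        s = self.state[p.psu_id]
        if p.payee_owner_id == p.psu_id and p.payee_psp == self.own_psp:
            return "EXEMPT:same_psu_same_psp"
        if p.payee_account in s.trusted_payees:
            return "EXEMPT:trusted_beneficiary"
        if (p.amount_cents <= LOW_VALUE_LIMIT_CENTS
                and s.exempted_total_cents + p.amount_cents <= CUMULATIVE_LIMIT_CENTS
                and s.exempted_count < MAX_EXEMPTED_IN_A_ROW):
            s.exempted_total_cents += p.amount_cents
            s.exempted_count += 1
            return "EXEMPT:low_value"
        # No exemption applies (and none is granted merely because of the channel used).
        return "SCA_REQUIRED"


def demo() -> list:
    """Constructed sequence of payments from one PSU at PSP 'BANKA'."""
    engine = ExemptionEngine(own_psp="BANKA")
    engine.add_trusted_beneficiary("psu-1", "GB00TRUSTED")
    shop = dict(psu_id="psu-1", payee_psp="BANKB", payee_account="GB00SHOP", payee_owner_id="merchant")
    decisions = [
        engine.decide(Payment("psu-1", "BANKA", "GB00OWN2", "psu-1", 500000)),       # own account, same PSP
        engine.decide(Payment("psu-1", "BANKB", "GB00TRUSTED", "other", 80000)),     # whitelisted payee
    ]
    for _ in range(5):                                                                # 5 x 25.00 to a shop
        decisions.append(engine.decide(Payment(**shop, amount_cents=2500)))
    engine.record_sca("psu-1")                                                        # PSU completes SCA
    decisions.append(engine.decide(Payment(**shop, amount_cents=2500)))               # counters reset
    decisions.append(engine.decide(Payment(**shop, amount_cents=3500)))               # above single limit
    return decisions
```

In the constructed run the fifth 25.00 payment is refused the exemption because it would push the cumulative exempted total past the limit, and the exemption becomes available again only after the PSU has completed strong customer authentication.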

It also raised questions over how PSPs can meet their obligations to ensure there is a 'dynamic link' between a transaction, its amount and a payee if authentication for payments comes via VOIP services or interactive voice response systems.

Technology and payments law expert Angus McFadyen of Pinsent Masons said: "This is an early step in the development of some crucially important standards that the EBA is responsible for. These standards will define how core objectives of PSD2 will be met, operationally."

"Given that the EBA has the challenge of balancing input from across the EU, it will be influenced by regions and market segments with widely differing payment cultures and propositions. So, businesses need to speak up, engage with the EBA, or risk being tied to standards that inhibit or expose them," he said.


Comments: (2)

Paul Love - Konsentus - Nottingham, 10 December 2015, 13:26

Thanks for the update Steve,

This looks dangerously like there is a chance of common sense prevailing, and that practical and usable solutions could fall within the new rules.

PSD2 promises to facilitate a whole new level of innovation, so it is good to see that consumers are being considered and usability is being balanced with absolute security.


Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 10 December 2015, 14:42

The USA hardly ever implemented 3DS, with leading PSPs like Stripe hitting out openly against the friction posed by 2FA. India is waking up to the realization that, beyond a certain point, increased security is counterproductive to the basic purpose of stimulating electronic payments. Nice to see something like that happening in the EU zone. End of the day, Mitigating Fraud Does Not Pay The Bills.
