December 9th - Businesses and consumers could be able to sanction low-value payments, payments made to "trusted beneficiaries" and the transfer of funds between different payment accounts they have without having to complete a multi-factor authentication
process under new EU payment services rules, according to plans under consideration by an EU regulator.
The proposals are contained in a European Banking Authority (EBA) consultation on the development of a regulatory technical standard on strong customer authentication (31-page / 300KB PDF). The EBA is responsible for drawing up such a standard under the
new Payment Services Directive (PSD2), which was finalised last month.
The EBA's discussion paper invites banks, payment service providers (PSPs) and other businesses involved in the payments market to provide input into the development of the standard, which it expects to publish for consultation in the summer of 2016.
Under the remit given to the EBA under PSD2, the standard will need to help PSPs prevent unauthorised payments and access to payment accounts and ensure that innovative new applications and services developed by third parties in the payments market can connect
securely to their systems at their customers' request.
PSD2 generally requires PSPs to apply "strong customer authentication" where organisations or consumers try to access their payment accounts online, initiate an electronic payment transaction or "carries out any action through a remote channel which may
imply a risk of payment fraud or other abuses".
Those provisions also apply to cases where payments are initiated through payment initiation service providers (PISPs) or where account holders request information about their accounts via an account information service provider (AISP).
They accord with the wider aims of the Directive which include to enhance competition and innovation in the market by supporting PISPs to facilitate transactions and the aggregation of payment account data by AISPs on behalf of customers.
PSD2 imposes data security obligations on PSPs to account for such third party interactions with the accounts they manage and PSPs must also ensure that PISPs and AISPs can rely on the strong customer authentication measures deployed by a PSP to deliver
their services.
In the case of the initiation of electronic remote payment transactions PSPs are required to "apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee". This obligation applies
to payments initiated through a PISP too.
A failure to provide for strong customer authentication could result in PSPs being held liable for unauthorised transactions made from accounts they manage.
According to the new Directive, strong customer authentication is a mechanism that requires payment account holders wishing to access their accounts or make a payment to provide information that allows their identity to be verified and which is built on
two or more independent factors. Those elements are something the account holder knows, something they possess or something they are themselves.
The mechanism must be built in a way that ensures that "the breach of one [factor of authentication] does not compromise the reliability of the others" and be "designed in such a way as to protect the confidentiality of the authentication data".
Some exceptions to the obligation to provide for strong customer authentication are permitted under PSD2 in accordance with criteria set out in the Directive. Those criteria are the level of risk involved in the service provided, the amount and/or the recurrence
of a transaction and the payment channel used for the execution of a transaction.
The EBA is responsible for drafting a standard that accounts for the exceptions provided for. In its discussion paper the EBA clarified what exemptions it could apply under its standard.
"[The exemptions that could apply include] low-value payments as defined in the PSD2 provided that the risk for cumulative transaction are monitored; outgoing payments to trusted beneficiaries included in previously established white lists by a [payment
service user (PSU)]; transfers between two accounts of the same PSU held at the same PSP; low-risk transactions based on a transaction risk analysis …; purely consultative services, with no display of sensitive payment data, taking into account data privacy
laws," the EBA said.
The regulator said that it cannot currently see a justification for exempting all payments made via a certain channel from the strong customer authentication rules.
Other issues the EBA identified in its discussion paper included the potential problem for PSPs in ensuring there is independence between different customer authentication factors when payments are made using mobile devices.
It also raised questions over how PSPs can meet their obligations to ensure there is a 'dynamic link' between a transaction, its amount and a payee if authentication for payments comes via VOIP services or interactive voice response systems.
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "This is an early step in the development of some crucially important standards that the EBA is responsible for. These standards will define how core
objectives of PSD2 will be met, operationally."
"Given that the EBA has the challenge of balancing input from across the EU, it will be influenced by regions and market segments with widely differing payment cultures and propositions. So, businesses need to speak up, engage with the EBA, or risk being
tied to standards that inhibit or expose them," he said.