The final PSD2 draft regulatory technical standards (RTS) issued by the European Banking Authority last week clearly set out the very limited circumstances in which risk-based assessments may be used in authenticating online transactions. The standards are
much more stringent than many had hoped after EBA Chairman Andrea Enria revealed in a speech in London that "transaction risk analysis" would be permitted.
What the final draft RTS sets out in Chapter 3 and elsewhere is that banks may run risk-based authentication so long as fraud remains below certain defined levels for five set payment and transfer value bands. Online payments below €30 will certainly not be subject to strong customer authentication, while payments over €500 certainly will. Payments between these amounts (in bands of up to €100 and €250) have been assigned set fraud thresholds. This will create 10 different risk profiles across cards and credit transfers that banks will have to manage.
Banks which breach the stated fraud levels will be forced to turn off the exemptions and strongly authenticate all transactions until the institution is deemed to have come back into compliance. The final draft RTS sets out a quarter-by-quarter mechanism for measuring fraud rates and penalising breaches.
Overall, the RTS set out that banks will no longer decide themselves what their tolerance is for customer payments fraud. Under the new standards, banks are being told what acceptable rates of fraud look like and that if they breach these rates, they will
be forced to adopt strong customer authentication for all transactions until their fraud record comes down below the acceptable threshold.
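As an added illustration (not part of the article or of the RTS text), the following Python sketch models the decision the article describes: place each transaction in a value band, let the quarterly fraud rate for that band switch the exemption off after a breach and back on once the rate recovers, and require strong customer authentication outside the exempt bands. The band edges follow the article; the fraud-rate ceilings, the fail-closed default for a band with no recorded quarter, and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Band:
    upper: float                # band covers amounts below this many euros
    threshold: Optional[float]  # max fraud rate for the exemption; None = no condition

# Band edges follow the article (EUR 30 / 100 / 250 / 500). The fraud-rate
# ceilings are constructed placeholders, not the figures from the RTS.
CARD_BANDS: List[Band] = [
    Band(30.0, None),     # low-value band: exempt from SCA without a fraud condition
    Band(100.0, 0.0013),
    Band(250.0, 0.0006),
    Band(500.0, 0.0001),
]                         # at or above EUR 500: SCA is always required

@dataclass
class IssuerState:
    bands: List[Band]
    quarterly_rate: Dict[int, float] = field(default_factory=dict)  # last rate per band
    suspended: Set[int] = field(default_factory=set)               # bands over threshold

def band_index(bands: List[Band], amount: float) -> Optional[int]:
    """Index of the band an amount falls in, or None if it is above the top band."""
    for i, band in enumerate(bands):
        if amount < band.upper:
            return i
    return None

def record_quarter(state: IssuerState, idx: int, fraud_value: float, total_value: float) -> float:
    """Apply one quarter's figures: a breach suspends the band's exemption, recovery reinstates it."""
    rate = fraud_value / total_value if total_value else 1.0   # no volume: treat as a breach
    state.quarterly_rate[idx] = rate
    threshold = state.bands[idx].threshold
    if threshold is not None and rate > threshold:
        state.suspended.add(idx)
    else:
        state.suspended.discard(idx)
    return rate

def requires_sca(state: IssuerState, amount: float) -> bool:
    """Decide whether a transaction must be strongly authenticated."""
    idx = band_index(state.bands, amount)
    if idx is None:
        return True                          # above the top band: always SCA
    if state.bands[idx].threshold is None:
        return False                         # low-value exemption
    if idx in state.suspended or idx not in state.quarterly_rate:
        return True                          # breached, or no evidence yet: fail closed
    return False
```

Once the exemption for the EUR 30 to EUR 100 band is suspended after a bad quarter, every payment in that band goes to SCA until a later quarter brings the rate back under the ceiling.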
A major, but often overlooked, implication of PSD2 is that the prevalence of risk-based solutions on the Issuer side will increase issuing banks’ fraud liability by as much as 10 times. Completely frictionless authentication on the Issuer domain makes it
likely that the majority of merchants who currently disable 3-D Secure to avoid shopping cart abandonment will begin to enable it.
Because fraud liability is shifted to the issuing bank when a merchant enables 3-D Secure, and because currently as few as 1 in 10 merchants enable this protocol, banks’ liability for online retail fraud will be effectively multiplied by 10 when the remaining 90% of merchants follow suit.
The existence of risk-based solutions on the Issuer domain makes merchant-domain authentication next to obsolete, since merchants have no downside in terms of fraud liability or user experience in passing the burden to the bank. Since fraud liability carries an increased capital requirement (an already pressing challenge for banks), the question must be asked whether now is really the time for banks to choose low-friction, risk-based solutions over the more robust Strong Customer Authentication which the EBA has clearly outlined and continues to view as the standard rather than the exception.
Perhaps this is why the EBA has been so stringent in setting tough standards for online payments and defining clear negative consequences for failing to meet the new fraud thresholds.