23 August 2017


Jeremy Light - Accenture


An alternative RTS for strong customer authentication

31 July 2017

The PSD2 regulatory technical standards (RTS) for strong customer authentication and secure communication are proving difficult to finalise. With the EBA rejecting the EC's amendments to its final draft RTS, it is now up to the EC to publish the final text, subject to scrutiny by the EU Parliament and EU Council.

With this saga running on and on, for light-hearted summer reading, I have imagined what an "alternative RTS" might look like:

1. Ban manual online entry of card numbers/PANs and the use of PANs in telephone and mail ordering (MOTO) – all PANs to be tokenised with single-use tokens for POS, MOTO, e-commerce and m-commerce

2. Instruct the 50 largest EU banks to set up and fund an organisation (similar to the UK Implementation Entity) to develop a pan-EU customer identification system, "EU BankID", modelled on BankID in Sweden, where banks guarantee an individual's identity and allow any authorised third party to check the validity of the customer's identity and signature – to be available on smart cards, soft certificates, mobile phones and other hardware devices

3. Mandate account servicing payment service providers (ASPSPs - banks) and third parties to use the "EU BankID" for customer authentication, payment authorisation and consent authorisation for payment initiation and account information services used by authorised third parties

4. Mandate ASPSPs to provide strong customer authentication (SCA) on "EU BankID" using two factor authentication for payment initiation and account information services

5. Allow third parties (for example retailers) accessing ASPSP account information and payment initiation services to use SCA at their discretion – third parties to be liable for any payment fraud when they elect not to use SCA, otherwise ASPSPs are liable for payment fraud

6. Set a single payment fraud threshold (% of aggregate transaction value – no variations for transaction value or payment instrument), say 0.05%, for both ASPSPs and third parties (retailers), require them to monitor and report fraud against each payment instrument, and penalise ASPSPs and third parties if they consistently exceed the threshold (through fines, increased capital requirements and restricting them in how they provide/use the payment instrument)

7. Require third parties to pass customer consent information (free format, meaningful consumer-friendly description) for account information services to ASPSPs, for ASPSPs to record. Require ASPSPs to give their customers access to their consent history, with the option for customers to turn off individual (ongoing) account information consents in real time at any time, and to request that any previously released, consented information be erased by the third party that holds it.

These "alternative RTS" would keep a lid on fraud and standardise authentication, authorisation and consent across the EU for payment initiation and account information services, while giving ASPSPs and third parties freedom of choice in the technology and security they use, and the customer experience they create.

There must be a real risk that the RTS will have to go back to the drawing board and be redrafted, extending their implementation date well into 2019 or even beyond – in which case the EU banking industry should consider taking a lead and implementing "alternative RTS" like these, or something similar, anyway.

Tags: Payments, Risk & regulation
