
An alternative RTS for strong customer authentication

The PSD2 regulatory technical standards (RTS) for strong customer authentication and secure communication are proving difficult to finalise. With the EBA rejecting the EC's amendments to its final draft RTS, it is now up to the EC to publish the final text, subject to scrutiny by the EU Parliament and EU Council.

With this saga running on and on, for light-hearted summer reading, I have imagined what an "alternative RTS" might look like:

1. Ban manual online entry of card numbers/PANs and the use of PANs in telephone and mail ordering (MOTO) – all PANs to be tokenised with single-use tokens for POS, MOTO and e-/m-commerce

2. Instruct the 50 largest EU banks to set up and fund an organisation (similar to the UK Implementation Entity) to develop a pan-EU customer identification system, "EU BankID", modelled on BankID in Sweden, where banks guarantee an individual's identity and allow any authorised third party to check the validity of the customer's identity and signature – to be available on smart cards, soft certificates, mobile phones and other hardware devices

3. Mandate account servicing payment service providers (ASPSPs - banks) and third parties to use the "EU BankID" for customer authentication, payment authorisation and consent authorisation for payment initiation and account information services used by authorised third parties

4. Mandate ASPSPs to provide strong customer authentication (SCA) on "EU BankID" using two factor authentication for payment initiation and account information services

5. Allow third parties (for example retailers) accessing ASPSP account information and payment initiation services to use SCA at their discretion – third parties to be liable for any payment fraud when they elect not to use SCA, otherwise ASPSPs are liable for payment fraud

6. Set a single payment fraud threshold (% of aggregate transaction value – no variations for transaction value or payment instrument), say 0.05%, for both ASPSPs and third parties (retailers), require them to monitor and report fraud against each payment instrument, and penalise ASPSPs and third parties if they consistently exceed the threshold (through fines, increased capital requirements and restricting them in how they provide/use the payment instrument)

7. Require third parties to pass customer consent information (free format, meaningful consumer-friendly description) for account information services to ASPSPs, for ASPSPs to record; and for ASPSPs to give their customers access to their consent history with the option for customers to turn off individual (ongoing) account information consents in real-time at any time; and to request any previously released, consented information to a third party to be erased by that third party.
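To make item 6 concrete, here is an added illustration (my own example code, not part of the original article) of how an ASPSP or third party might monitor a single fraud threshold expressed as a percentage of aggregate transaction value per payment instrument. The reporting figures are constructed, and "consistently exceed" is modelled as breaching the threshold in a chosen number of consecutive reporting periods; that reading of "consistently" is an assumption.

```python
"""Per-instrument fraud-rate monitoring against a single threshold.

Added illustration (not from the original article): applies the rule
proposed in item 6, one fraud threshold as a percentage of aggregate
transaction value per payment instrument, to a constructed set of
reporting-period figures. "Consistently exceed" is modelled here as
breaching the threshold in `consecutive` or more consecutive periods;
that interpretation is an assumption, not something the article defines.
"""
from collections import defaultdict
from decimal import Decimal

THRESHOLD_PCT = Decimal("0.05")  # the article's suggested 0.05 %

# Constructed sample: (period, party, instrument, total_value, fraud_value)
# Amounts in EUR; every figure below is invented for this example.
SAMPLE_REPORTS = [
    ("2018Q1", "BankA", "card", Decimal("10000000"), Decimal("3000")),
    ("2018Q2", "BankA", "card", Decimal("12000000"), Decimal("7200")),
    ("2018Q3", "BankA", "card", Decimal("11000000"), Decimal("6600")),
    ("2018Q1", "BankA", "credit_transfer", Decimal("50000000"), Decimal("10000")),
    ("2018Q2", "BankA", "credit_transfer", Decimal("52000000"), Decimal("9000")),
    ("2018Q3", "BankA", "credit_transfer", Decimal("51000000"), Decimal("8000")),
    ("2018Q1", "RetailerX", "card", Decimal("2000000"), Decimal("1500")),
    ("2018Q2", "RetailerX", "card", Decimal("2100000"), Decimal("1200")),
    ("2018Q3", "RetailerX", "card", Decimal("2200000"), Decimal("800")),
]


def fraud_rate_pct(total_value, fraud_value):
    """Fraud as a percentage of aggregate transaction value."""
    if total_value <= 0:
        raise ValueError("aggregate transaction value must be positive")
    return (fraud_value / total_value) * 100


def rates_by_party_instrument(reports):
    """Group reports by (party, instrument); return the period-ordered
    list of (period, rate_pct) for each series."""
    grouped = defaultdict(list)
    for period, party, instrument, total, fraud in sorted(reports):
        grouped[(party, instrument)].append((period, fraud_rate_pct(total, fraud)))
    return dict(grouped)


def consistent_breaches(reports, threshold_pct=THRESHOLD_PCT, consecutive=2):
    """Return {(party, instrument): [periods]} for every series that exceeds
    the threshold in `consecutive` or more consecutive reporting periods.
    Only the latest qualifying run of periods is reported per series."""
    flagged_series = {}
    for key, series in rates_by_party_instrument(reports).items():
        run = []       # current streak of breaching periods
        flagged = []   # last streak that reached the required length
        for period, rate in series:
            if rate > threshold_pct:
                run.append(period)
            else:
                run = []
            if len(run) >= consecutive:
                flagged = list(run)
        if flagged:
            flagged_series[key] = flagged
    return flagged_series


if __name__ == "__main__":
    for key, series in rates_by_party_instrument(SAMPLE_REPORTS).items():
        print(key, [(p, f"{r:.4f}%") for p, r in series])
    print("consistent breaches:", consistent_breaches(SAMPLE_REPORTS))
```

In the constructed data BankA's card series breaches the 0.05% threshold in two consecutive quarters and RetailerX's card series does likewise, while BankA's credit transfers stay under it; the `consecutive` parameter is where a regulator's definition of "consistently" would be encoded.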

These "alternative RTS" would keep a lid on fraud and standardise authentication, authorisation and consent across the EU for payment initiation and account information services, while giving ASPSPs and third parties freedom of choice in the technology and security they use, and the customer experience they create.

There must be a real risk the RTS will have to go back to the drawing board and be redrafted, extending their implementation date well into 2019 or even beyond – in which case, the EU banking industry should consider taking a lead and implementing "alternative RTS" like these, or something similar, anyway.

