16 January 2018

Jeremy Light - Accenture

An alternative RTS for strong customer authentication

31 July 2017

The PSD2 regulatory technical standards (RTS) for strong customer authentication and secure communication are proving difficult to finalise. With the EBA rejecting the EC's amendments to its final draft RTS, it is now up to the EC to publish the final text, subject to scrutiny by the EU Parliament and EU Council.

With this saga running on and on, for light-hearted summer reading, I have imagined what an "alternative RTS" might look like:

1. Ban manual online entry of card numbers (PANs) and the use of PANs in mail order/telephone order (MOTO) – all PANs to be tokenised with single-use tokens for POS, MOTO, e-commerce and m-commerce

2. Instruct the 50 largest EU banks to set up and fund an organisation (similar to the UK Implementation Entity) to develop a pan-EU customer identification system, "EU BankID", modelled on BankID in Sweden, where banks guarantee an individual's identity and allow any authorised third party to check the validity of the customer's identity and signature – to be available on smart cards, soft certificates, mobile phones and other hardware devices

3. Mandate account servicing payment service providers (ASPSPs – banks) and third parties to use "EU BankID" for customer authentication, payment authorisation and consent authorisation for the payment initiation and account information services used by authorised third parties

4. Mandate ASPSPs to provide strong customer authentication (SCA) on "EU BankID" using two-factor authentication for payment initiation and account information services

5. Allow third parties (for example retailers) accessing ASPSP account information and payment initiation services to use SCA at their discretion – third parties to be liable for any payment fraud when they elect not to use SCA; otherwise ASPSPs are liable for payment fraud

6. Set a single payment fraud threshold (as a % of aggregate transaction value – no variations by transaction value or payment instrument), say 0.05%, for both ASPSPs and third parties (retailers); require them to monitor and report fraud against each payment instrument; and penalise ASPSPs and third parties that consistently exceed the threshold (through fines, increased capital requirements and restrictions on how they provide or use the payment instrument)

7. Require third parties to pass customer consent information (free format, with a meaningful, consumer-friendly description) for account information services to ASPSPs, for ASPSPs to record; require ASPSPs to give their customers access to their consent history, with the option for customers to turn off individual (ongoing) account information consents in real time at any time; and allow customers to request that any previously released, consented information held by a third party be erased by that third party.

These "alternative RTS" would keep a lid on fraud and standardise authentication, authorisation and consent across the EU for payment initiation and account information services, while giving ASPSPs and third parties freedom of choice in the technology and security they use, and the customer experience they create.

There must be a real risk that the RTS will have to go back to the drawing board and be redrafted, pushing their implementation date well into 2019 or even beyond – in which case, the EU banking industry should consider taking the lead and implementing "alternative RTS" like these, or something similar, anyway.
