EBA to relax controversial PSD2 authentication rules

The European Banking Authority is to relax proposed rules on a requirement for strong customer authentication for all payments under EUR10, after being on the receiving end of a volley of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout.

In a speech in London on the EU's revised Payments Systems Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to EUR30 for remote consumer transactions, although there would be no exemption for corporate payments.

Firms which use 'transaction risk analysis' to keep a lid on fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.

The European Banking Authority has been struggling to keep pace with the timetable for the delivery of Regulatory Technical Standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.

"The EBA identified 300 distinct concerns and clarification requests by respondents," says Enria. "Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft."

Particular bugbears concern the drafting of standards for strong customer authentication on the one hand, and common open communications between banks and third parties for account access on the other, which Enria says are fostering difficult trade-offs between competing demands.

On the issue of third party access to consumer data, Enria says that the EBA has come to the conclusion that 'screen-scraping' will be banned under PSD2, instead shifting the burden to banks to maintain access arrangements.

"In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability," the conference was told.

Comments: (8)

Lu Zurawski - London - 21 February, 2017, 16:28

Having peeked at the speech on the EBA web site, it wasn't the rise from 10 to 30 EURO that grabbed the attention - it is the new exemption from Strong Customer Authentication in the case of "Transaction Risk Analysis" usage. Presumably common sense has prevailed. But it'll be interesting to see how many permutations of transaction flows and auth methods get spawned as a result.

A Finextra member - 21 February, 2017, 17:14

It needs a layer for the API to hit, a jam jar of funds that minimises the risk to the consumer and the bank. Having watched and mitigated mass account takeover, the only way to protect the consumer and the bank is if minimal funds are allocated to this payment method. A sort of middleware account layer. Otherwise, as Lu says above, it will only be used for coffee and rail tickets, maybe phone top-ups.

Roberto Garavaglia - Innovative Payments & blockchain Strategic Advisor - Milan - 21 February, 2017, 17:25

I'm afraid the TRA usage will transform the exception into the rule ...

Anyway, another thing leaves me doubtful about the level-playing-field peace of mind: the current practice of third party access without identification (also called 'screen scraping') will no longer be allowed only once the transition period under the PSD2 has elapsed and the RTS applies. What happens meanwhile ...?

Ralf Ohlhausen - Pay Practice - Stuttgart - 22 February, 2017, 08:13

Driving competition into Financial Services by banning screen-scraping is like promoting electrical cars without allowing them on to public streets. Banks can always be a step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door. Imagine where telecoms, electricity and railways competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, powerlines and rail tracks for their competitors to use. How naive can one be?

On the other side, I can easily imagine many banks not wanting to bear the cost and effort of duplicating their access channels and maintaining them to the same performance level.

Allowing both direct and indirect access is a win-win, because banks are not forced into unnecessary API investments, but those who do are motivated to really keep it at par with the direct access offered to their own clients. Or – dare I say – make it even better, because that is the secret of companies who managed to build a whole ecosystem around them!

Bill Trueman - Riskskill.com - London - 22 February, 2017, 09:43

@Ralf - I think you may have posted this in the wrong place, as this is not the issue here; or at least I can see no linkage that you have made clear. This issue is about the PSD2 additional-identification requirements, which no-one has quite understood in terms of what is required in practice, and which is becoming clearer.

It has nothing to do with direct/indirect access or the 'so called rails' that you refer to, nor API issues. You clearly have a 'cause' that you want to expand upon, but here (on this issue) it is irrelevant.

Tom Hay - Payment Systems Europe - London - 22 February, 2017, 10:31

It's not clear from the speech whether it's the bank or the PISP who is allowed to use Transaction Risk Analysis to bypass Strong Customer Authentication. Mr. Enria also said the analysis will be "linked to predefined levels of fraud rates", which is somewhat opaque. I'd like to think these will be clarified in the final draft - to be published today, according to the speech, so not long to wait!

A Finextra member - 22 February, 2017, 14:53

What the EBA proposes and what the Commission and the Parliament are willing to accept may be totally different things.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune - 22 February, 2017, 15:46

Good to know that, @ArturoGonzálezMacDowell. I hope the Commission and Parliament scrap the SCA provision altogether. Going by the experience in India, 2FA tends to throw the fraud baby out with the transaction bathwater. Even if the Commission / Parliament permit merchants to invoke TRA in lieu of SCA, that'd be fine - most merchants know that Mitigating Fraud Does Not Pay The Bills.