EBA to relax controversial PSD2 authentication rules

21 February 2017  |  22174 views  |  8 euro

The European Banking Authority is to relax proposed rules on a requirement for strong customer authentication for all payments under EUR10, after being on the receiving end of a volley of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout.

In a speech in London on the EU's revised Payments Systems Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to EUR30 for remote consumer transactions, although there would be no exemption for corporate payments.

Firms which use 'transaction risk analysis' to keep a lid on fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.

The European Banking Authority has been struggling to keep pace with the timetable for the delivery of Regulatory Technical Standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.

"The EBA identified 300 distinct concerns and clarification requests by respondents," says Enria. "Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft."

Particular bugbears concern the drafting of standards for strong customer authentication on the one hand, and common open communications between banks and third parties for account access on the other, which Enria says are fostering difficult trade-offs between competing demands.

On the issue of third party access to consumer data, Enria says that the EBA has come to the conclusion that 'screen-scraping' will be banned under PSD2, instead shifting the burden to banks to maintain access arrangements.

"In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability," the conference was told.

Comments: (8)

Lu Zurawski - ACI Worldwide - London | 21 February, 2017, 16:28

Having peeked at the speech on the EBA web site, it wasn't the rise from 10 to 30 EURO that grabs the attention - it is the new exemption from Strong Customer Authentication in the case of "Transaction Risk Analysis" usage. Presumably common sense has prevailed. But it'll be interesting to see how many permutations of transaction flows and auth methods get spawned as a result.

A Finextra member | 21 February, 2017, 17:14

It needs a layer for the API to hit, a jam jar of funds that minimises the risk to the consumer and the bank. Having watched and mitigated mass account takeover, the only way to protect the consumer and the bank is if minimal funds are allocated to this payment method. A sort of middleware account layer. Otherwise, as Lu says above, it will only be used for coffee and rail tickets, maybe phone top ups.

Roberto Garavaglia - Innovative Payments Strategy Advisor - Milan | 21 February, 2017, 17:25

I'm afraid the TRA usage will transform the exception into the rule ...

Anyway, another thing leaves me doubtful about the level-playing-field peace of mind: the current practice of third party access without identification (also called 'screen scraping') will no longer be allowed only once the transition period under the PSD2 has elapsed and the RTS applies. What happens meanwhile ...?

Ralf Ohlhausen - PPRO Financial Ltd - London | 22 February, 2017, 08:13

Driving competition into Financial Services by banning screen-scraping is like promoting electrical cars without allowing them on to public streets. Banks can always be a step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door. Imagine where telecoms, electricity and railways competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, powerlines and rail tracks for their competitors to use. How naive can one be?

On the other side, I can easily imagine many banks not wanting to bear the cost and effort of duplicating their access channels and maintaining them to the same performance level.

Allowing both direct and indirect access is a win-win, because banks are not forced into unnecessary API investments, but those who do are motivated to really keep it at par with the direct access offered to their own clients. Or – dare I say – make it even better, because that is the secret of companies who managed to build a whole ecosystem around them!

Bill Trueman - Riskskill.com - London | 22 February, 2017, 09:43

@Ralf - I think you may have posted this in the wrong place, as this is not the issue here; or at least I can see no linkage that you have made clear. This issue is about the PSD2 additional-identification requirements, which no-one has quite understood what in practice is required, and is becoming clearer.

It has nothing to do with direct/indirect access or the 'so called rails' that you refer to, nor API issues. You clearly have a 'cause' that you want to expand upon, but here (on this issue) it is irrelevant.

Tom Hay - Icon Solutions Ltd - London | 22 February, 2017, 10:31

It's not clear from the speech whether it's the bank or the PISP who is allowed to use Transaction Risk Analysis to bypass Strong Customer Authentication. Mr. Enria also said the analysis will be "linked to predefined levels of fraud rates", which is somewhat opaque. I'd like to think these will be clarified in the final draft - to be published today, according to the speech, so not long to wait!

Arturo González Mac Dowell - Eurobits Technologies - Madrid | 22 February, 2017, 14:53

What the EBA proposes and what the Commission and the Parliament are willing to accept may be totally different things.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 February, 2017, 15:46

Good to know that @ArturoGonzálezMacDowell. I hope the Commission and Parliament scrap the SCA provision altogether. Going by the experience in India, 2FA tends to throw the fraud baby out with the transaction bathwater. Even if the Commission / Parliament permit Merchants to invoke TRA in lieu of SCA, that'd be fine - most merchants know that Mitigating Fraud Does Not Pay The Bills.
