EBA to relax controversial PSD2 authentication rules

21 February 2017

The European Banking Authority is to relax proposed rules on a requirement for strong customer authentication for all payments under EUR10, after being on the receiving end of a volley of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout.

In a speech in London on the EU's revised Payments Systems Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to EUR30 for remote consumer transactions, although there would be no exemption for corporate payments.

Firms which use 'transaction risk analysis' to keep a lid on fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.

The European Banking Authority has been struggling to keep pace with the timetable for the delivery of Regulatory Technical Standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.

"The EBA identified 300 distinct concerns and clarification requests by respondents," says Enria. "Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft."

Particular bugbears concern the drafting of standards for strong customer authentication on the one hand, and common open communications between banks and third parties for account access on the other, which Enria says are fostering difficult trade-offs between competing demands.

On the issue of third party access to consumer data, Enria says that the EBA has come to the conclusion that 'screen-scraping' will be banned under PSD2, instead shifting the burden to banks to maintain access arrangements.

"In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability," the conference was told.

Comments: (8)

Lu Zurawski - ACI Worldwide - London | 21 February, 2017, 16:28

Having peeked at the speech on the EBA web site, it wasn't the rise from 10 to 30 EURO that grabs the attention - it is the new exemption from Strong Customer Authentication in the case of "Transaction Risk Analysis" usage. Presumably common sense has prevailed. But it'll be interesting to see how many permutations of transaction flows and auth methods get spawned as a result.

Simon Lyons - Cashfac PLC - London | 21 February, 2017, 17:14

It needs a layer for the API to hit, a jam jar of funds that minimises the risk to the consumer and the bank. Having watched and mitigated mass account takeover, the only way to protect the consumer and the bank is if minimal funds are allocated to this payment method. A sort of middleware account layer. Otherwise, as Lu says above, it will only be used for coffee and rail tickets, maybe phone top-ups.

Roberto Garavaglia - Innovative Payments Strategy Advisor - Milan | 21 February, 2017, 17:25

I'm afraid the TRA usage will transform the exception into the rule ...

Anyway, another thing leaves me doubtful about the level-playing-field peace of mind: the current practice of third party access without identification (also called 'screen scraping') will no longer be allowed only once the transition period under the PSD2 has elapsed and the RTS applies. What happens meanwhile ...?

Ralf Ohlhausen - PPRO Financial Ltd - London | 22 February, 2017, 08:13

Driving competition into Financial Services by banning screen-scraping is like promoting electrical cars without allowing them on to public streets. Banks can always be a step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door. Imagine where telecoms, electricity and railways competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, powerlines and rail tracks for their competitors to use. How naive can one be?

On the other side, I can easily imagine many banks not wanting to bear the cost and effort of duplicating their access channels and maintaining them to the same performance level.

Allowing both direct and indirect access is a win-win, because banks are not forced into unnecessary API investments, but those who do are motivated to really keep it at par with the direct access offered to their own clients. Or – dare I say – make it even better, because that is the secret of companies who managed to build a whole ecosystem around them!

Bill Trueman - Riskskill.com - London | 22 February, 2017, 09:43

@Ralf - I think you may have posted this in the wrong place - as this is not the issue here; or at least I can see no linkage that you have made clear. This issue is about the PSD2 additional-identification requirements: which no-one has quite understood what in practice is required: and is becoming clearer.

It has nothing to do with direct/indirect access or the 'so called rails' that you refer to, nor API issues. You clearly have a 'cause' that you want to expand upon: but here (on this issue) it is irrelevant.

Tom Hay - Icon Solutions Ltd - London | 22 February, 2017, 10:31

It's not clear from the speech whether it's the bank or the PISP who is allowed to use Transaction Risk Analysis to bypass Strong Customer Authentication. Mr. Enria also said the analysis will be "linked to predefined levels of fraud rates", which is somewhat opaque. I'd like to think these will be clarified in the final draft - to be published today, according to the speech, so not long to wait!

Arturo González Mac Dowell - Eurobits Technologies - Madrid | 22 February, 2017, 14:53

What the EBA proposes and what the Commission and the Parliament are willing to accept may be totally different things.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 22 February, 2017, 15:46

Good to know that @ArturoGonzálezMacDowell. I hope the Commission and Parliament scrap the SCA provision altogether. Going by the experience in India, 2FA tends to throw the fraud baby out with the transaction bathwater. Even if the Commission / Parliament permit Merchants to invoke TRA in lieu of SCA, that'd be fine - most merchants know that Mitigating Fraud Does Not Pay The Bills.
