The European Banking Authority is to relax proposed rules on a requirement for strong customer authentication for all payments under EUR10, after being on the receiving end of a volley of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout.
In a speech in London on the EU's revised Payments Systems Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to EUR30 for remote consumer transactions, although there would be no exemption for corporate payments.
Firms which use 'transaction risk analysis' to keep a lid on fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.
The European Banking Authority has been struggling to keep pace with the timetable for the delivery of Regulatory Technical Standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.
"The EBA identified 300 distinct concerns and clarification requests by respondents," says Enria. "Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft."
Particular bugbears concern the drafting of standards for strong customer authentication on the one hand, and common open communications between banks and third parties for account access on the other, which Enria says are fostering difficult trade-offs between competing demands.
On the issue of third party access to consumer data, Enria says that the EBA has come to the conclusion that 'screen-scraping' will be banned under PSD2, instead shifting the burden to banks to maintain access arrangements.
"In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability." the conference was told.