Europe’s New Rules on Strong Authentication and Account Access Meet the Industry Half Way
A review of EBA’s Final Report on Regulatory and Technical Standards to complement PSD2
On February 23, 2016, the European Banking Authority (EBA) presented the Regulatory Technical Standards that are the final piece of legislation to complete the revised Payment Services Directive (PSD2).
The EBA was tasked by the European Commission with providing additional detail in a number of key areas, including Strong Authentication and Open Account Access. The draft guidelines (see our analysis in the October 2016 Navigator), received critical comments from the industry, many of which are reflected in the final standards.
PSD2 mandates all remote transactions to carry two-factor authentication, unless they qualify for exemption. The exemption language in the draft guidelines created much uncertainty; the final RTS clarified the three exemptions:
- Low Value: ‘Low value transactions’ were redefined as transactions below €30, up from €10 in the draft. First Annapolis analysis suggests that up to 5 times more e-commerce transactions will be exempt from strong authentication requirements as a result of the change.
- Trusted Beneficiary: Beneficiaries that are previously designated ‘trusted’ by the consumer are also exempt. This section did not change.
- Low Risk Transactions: Transactions that are deemed ‘low risk’ after a risk assessment by the PSP will also be exempt from Strong Authentication. This exemption was added in response to broad industry critique, and is important in that it enables the use of wallets and card vaults. Wallets and card vaults are responsible for an important and growing part of e-commerce, and applying a risk analysis enables players like PayPal and Amazon to forgo authentication and retain their smooth checkout experience.
Altogether, the authentication rules in the final RTS are more business-friendly than the draft.
Open Account Access
Account Access outlines the rules under which banks will have to open up consumers’ accounts for third parties. While the RTS still do not address the many open questions regarding technical connections, authentication, and other key functional categories of access-to-account, it now clearly states that the practice of ‘screen scraping’ is no longer allowed. The elements of technical design remain at the discretion of individual banks. Our expectation is that there will be pockets of standardization (in countries such as the UK) through a combination of coalitions formed by banks, providers of banking automation and independent aggregators, but certainly no universal standard.
In summary, the final RTS reflects a compromise between banks and politicians looking to promote innovation. The rules take into account points of criticism, but also leave important areas open for interpretation; as such, areas of legal uncertainty remain.
For more information, please contact Jip de Lange, Manager, firstname.lastname@example.org, specializing in PSD2 and Payments Innovation.
To read the rest of this article, please subscribe to