Strong Customer Authentication (SCA) has proven to be a hugely controversial issue in the implementation of the Second Payment Services Directive (PSD2). We have all become accustomed to the ease of making on-line purchases. However, there are obvious tensions between the ease of on-line payments and security concerns.
PSD2 introduces strict new mandatory requirements around electronic banking and payments. When making on-line purchases or accessing on-line accounts, consumers will, according to current proposals, need to complete a two stage authentication process. Whilst these new requirements address security concerns, they will mean that on-line transactions will be less straightforward.
Requirements around SCA are set out in Article 97 of the Directive and the European Banking Authority (EBA) has been consulting on Regulatory Technical Standards (RTS) which give effect to the Directive's requirement that payment service providers apply SCA. The question that has arisen is whether the EBA's draft RTS strike the right balance. In particular, many providers currently take a risk based approach in determining whether to apply authentication to particular transactions and do not apply SCA for all transactions. The RTS approach of mandating SCA would have the effect of removing payment services providers' ability to take a risk based approach and require SCA to be applied in all cases other than those within the scope of limited exemptions.
These additional obligations are being introduced in the context of a liability environment in which payment services providers will continue to be liable for unauthorised transactions so that the consumer detriment being addressed is not clear. Accordingly, the present proposals whilst welcome from the perspective of addressing growing fraud and cyber-crime risks, appear to strike the wrong balance in this innovative industry.
On 29 November 2016, the EU Parliament's Economic and Monetary Affairs Committee (ECON) held scrutiny hearings at which the EBA reported on its mandates to develop technical standards under PSD2, where progress generally is likely to be delayed due to resourcing constraints.
At centre stage were the technical standards on SCA and secure communications. Reflecting the controversy over this measure, the EBA Chairman, referring to receipt of over 260 distinct concerns or requests for clarification, explained to the Committee that difficult trade-offs between competing demands had been necessary. The EBA, however, affirmed that it is prepared to listen and make changes if appropriate.
Strong Customer Authentication - Key Points
This briefing provides an update on SCA and considers the issues in play and their likely impact.
The EBA's current draft RTS could be regarded as a backwards step in customers' payment experience, acting as a disincentive to customers carrying out purchases. Exemptions from SCA are limited, and retailers are unable to choose to take on payment risk in order to facilitate ease of payment. In this respect, technologies such as Risk Based Authentication (RBA) will not be available.
The EBA believes that RBA complements SCA and should not replace it. In contrast, an industry grouping advocates a specific exemption based on the "risk of the service provided" and also allowing retailers and their PSPs to adopt alternative methods of authentication for low-risk transactions given that under PSD2 the customer will always be protected unless there has been fraud on their part.
One of the challenges of SCA is the requirement in the draft standards that electronic remote payment transactions need to have a separate authentication window or card reader. For example, authentication within the same app used to initiate the payment will not be permitted. Technologies such as 3-D Secure (used by major card issuers), which requires entry by the customer of a password on their issuer's page may, however, be adaptable and help alleviate these obstacles.
As for the regulation under PSD2 of payment initiation and account information services, there are concerns about the communication standards between them and with account providers and other PSPs. The use of a so-called "dedicated interface" may put too much power in the hands of the account providers, and additionally, there are currently no designated e-IDAS trust service providers to authenticate PSPs, although this may change in the two years before the RTS are expected to take effect. As to whether access for third parties should be through the interface used by customers with their account provider or a "dedicated" interface, the EBA has said it would like to hear further views.
Incumbent banks and those other PSPs that provide customers with credit transfers (as opposed to card issuers) may benefit from the fact that making payment by means of the latter may become less straightforward because of SCA. Many UK account providers already require separate authentication. The EBA has, nonetheless, committed itself to consider the concerns expressed over exemptions to the monetary thresholds and whether the standards achieve the right balance between security and customer convenience.
Strong Customer Authentication: the objective
There has been tremendous growth in online payments over recent years accompanied by a rising risk of fraud and loss. According to Payments UK, the use of online banking or mobile banking rose in 2015, with over two-thirds of adults regularly using online banking and a third using mobile banking. The provisions in the current Payment Services Directive with its focus on credit transfers, direct debits and card payments at the point of sale are no longer considered adequate in this regard.
In December 2014, the EBA issued new Guidelines on the Security of Internet Payments addressed to national supervisors and firms with a view to improving the position, pending more radical change. To date, the Financial Conduct Authority has chosen not to apply the Guidelines in the UK, preferring to wait until implementation of the security measures in PSD2.
Under PSD2 all PSPs will need to increase online transaction security. SCA must be used and this is defined in the Directive as a means of authentication based on the use of two or more elements:
- Knowledge - something only the user knows (e.g., a password or PIN)
- Possession - something only the user holds (e.g., a card or a token)
- Inherence - something only the user is (e.g., a fingerprint or voice recognition)
The rationale is that the breach of one element should not compromise the reliability of the others, and authentication will be designed to protect the confidentiality of customers' personalised security credentials (PSCs).
PSPs must use SCA where customers access a payment account online, initiate an electronic payment transaction, or "carry out any action, through a remote channel, which may imply a risk of payment fraud or other abuses." Moreover, "remote" online payment transactions (i.e., payments over the internet and smartphone) will be subject to further steps and will have to "dynamically link" the transaction to a specific amount and to a specific payee. Although the draft RTS provide exemptions for low value transactions, including contactless payments at the point of sale, PSPs may find implementing the requirements of SCA (in their current form) challenging and might encounter customer resistance. Where, however, a PSP fails to use SCA, the customer (or payment service user) will not bear any financial loss unless they have acted fraudulently.
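As an added illustration that is not part of the briefing or of any PSP's product, the following Python sketch shows the two ideas in the definition above: two independent elements (a device-bound secret standing in for possession and a PIN for knowledge; all values are constructed) combined into one key, and a dynamically linked authentication code computed over the exact amount and payee, which no longer verifies if either is altered after the customer approved it.

```python
import hashlib
import hmac

# Constructed sample values (not from the briefing). The device secret is the
# possession element, the PIN the knowledge element; neither alone yields the key.
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
USER_PIN = "4931"
KDF_SALT = b"constructed-salt"
TX_NONCE = bytes.fromhex("a1b2c3d4e5f60718")  # per-transaction challenge


def derive_session_key(device_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Combine possession and knowledge elements into a single key.
    A breach of only one element does not reproduce the key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret + salt, 100_000)


def authentication_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Dynamic linking: the code is an HMAC over the amount, payee and nonce,
    so it is only valid for this specific transaction."""
    msg = f"{amount_cents}|{payee}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def verify(key: bytes, amount_cents: int, payee: str, nonce: bytes, code: str) -> bool:
    """PSP-side check: recompute the code for the transaction as received."""
    expected = authentication_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Customer approves 125.00 to a constructed payee; verify the code, then
    show that a tampered amount, payee or PIN is rejected."""
    key = derive_session_key(DEVICE_SECRET, USER_PIN, KDF_SALT)
    payee = "GB00EXMP00000000000000"  # constructed payee identifier
    code = authentication_code(key, 12500, payee, TX_NONCE)
    wrong_pin_key = derive_session_key(DEVICE_SECRET, "0000", KDF_SALT)
    return {
        "genuine": verify(key, 12500, payee, TX_NONCE, code),
        "amount_changed": verify(key, 99900, payee, TX_NONCE, code),
        "payee_changed": verify(key, 12500, "GB00EXMP11111111111111", TX_NONCE, code),
        "wrong_pin": verify(wrong_pin_key, 12500, payee, TX_NONCE, code),
    }


if __name__ == "__main__":
    print(demo())
```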
PSD2 allows for the EBA, working with the European Central Bank (ECB), to develop exemptions based on the following criteria:
- the level of risk involved in the service provided;
- the amount, the recurrence of the transaction, or both; and
- the payment channel used for the execution of the transaction.
The EBA is also charged with developing the requirements for common and secure open standards of communication between account providers, payment initiation and account information service providers, that are necessary for them to operate. An account provider will have to allow the new service providers to rely on its authentication procedures with its customer.
In August 2016, the EBA published a consultation paper on the draft RTS specifying the requirements for SCA and common and secure communication under PSD2. This was open to consultation with a public hearing on 23 September 2016 and closed on 12 October 2016. PSD2 requires the EBA to submit draft standards to the European Commission for adoption by 13 January 2017 after which the EU Parliament and Council of Europe will have three months to object. Given the amount of feedback received to the consultation and the EBA's commitment to provide a detailed response, the draft RTS is not now expected to be submitted until mid February or March 2017.
In any event, PSD2 provides that the obligation to use SCA applies 18 months after the entry into force of the RTS. This is likely to be in autumn 2018, more than six months after PSD2 takes effect. In the meantime to provide PSPs with a reference point, in addition to the EBA’s Guidelines, there are also the Recommendations for the Security of Payment Account Services and Mobile Payments published by the ECB.
| Date | Milestone |
|---|---|
| 12 August 2016 | Consultation on Regulatory Technical Standards |
| 12 October 2016 | Official closing date for consultation |
| 13 January 2017 | PSD2 deadline for submission of standards by EBA to Commission |
| Feb / March 2017 | Likely delayed date for submission to Commission |
| 13 January 2018 | PSD2 enters into force |
| Autumn 2018 | Obligation to use SCA under PSD2 and application of SCA RTS |
Draft Technical Standards on Strong Customer Authentication
The authentication requirements in the RTS have been drafted at a high level rather than being overly granular. This is to ensure that they are technology and business-model neutral, so as to cater for new security threats and the development over time of solutions to counter them. This approach reflects the EBA's mandate under PSD2, which provides for:
- an appropriate level of security through the use of effective and risk-based requirements;
- the safety of customers' funds and personal data;
- fair competition;
- technology and business-model neutrality; and
- the development of user-friendly, accessible and innovative means of payment.
We set out below a non-exhaustive summary of the key provisions in the current draft RTS together with comments and observations.
Chapter 1: Strong Customer Authentication
Aside from favouring a principle-based approach as opposed to a more prescriptive one, the EBA has weighed what it regards as the competing demands of customer protection and the need to ensure fair competition between PSPs. The need to have a separate authentication window for "electronic remote payment transactions" (i.e., independent or segregated from the application used to make the payment) will potentially discourage the use of smartphones to make payments. Authentication within the app used to make the payment will not be allowed. The EBA considers there is flexibility, as the authentication code could be a single piece of data input on the PSP's interface by the customer or, for example, generated from several items of data including a one-time password. The RTS requirements on dynamic linking are different from those in the EBA's Guidelines, so applications may need updating. The EBA has rejected calls to allow "transaction risk analysis" as a basis for exemptions from SCA, on the ground that there is no reliable means of validating the data. The EU Parliament has taken issue with this approach.
Chapter 2: Exemptions from Strong Customer Authentication under the current draft of the RTS
The EU Parliament considers it unclear from the draft standards whether the exemptions are optional or mandatory. A number of these have been carried over from the EBA's 2014 Guidelines. The EBA itself has questioned the scope of payment instruments that are subject to the requirement to use SCA. PSD2 refers to electronic payments initiated by the payer (e.g., credit transfers or card payments), but not to electronic payments initiated by a payee only, such as direct debits, which might in future grow in popularity as a result. The EU Parliament wants to see higher maximum limits for contactless payments and considers that insufficient weight has been given to the negative impact on PSPs of the proposed thresholds. Similarly, the Parliament has questioned the proposed maximum amount of €10 for remote electronic payment transactions and has called for an increase in the limit. It also questions whether the cumulative limit is workable, as some transactions take place "online" and others "offline". The proposed threshold would affect retailers which offer customers one-click payment, such as the large online retailers. A failure to use SCA (assuming their PSP was willing to carry out the transaction) would place payment risk with them. The EBA considers that the lower threshold, compared to contactless payments, reflects the higher susceptibility to fraud of remote electronic payment transactions.
Chapter 3: Personalised Security Credentials
The Bank Stakeholders Group had opposed direct access to PSCs by payment initiation and account information service providers. In any event, the EBA states that it has adopted high-level, principle-based requirements for PSCs to facilitate competition and adaptability. PSPs providing acquiring services will need to ensure that their contractual documentation with retailers incorporates these security measures to protect PSCs. These provisions have much in common with the Payment Card Industry Data Security Standard (PCI DSS) used by major card schemes.
Chapter 4: Communication Standards
As for granting payment initiation and account information service providers access to customer accounts, the EBA has decided to give "sufficiently concrete guidance" and in doing so (in the Parliament's view) appears to favour a single technological solution over the development of principles for access. The Parliament is concerned that a mandatory "dedicated interface" may allow account providers to exclude or limit "direct access" to a customer's account by payment initiation and account information service providers, and considers this runs contrary to the objectives in PSD2. The EBA has stated that neither PSD2 nor its mandate specifies the nature of the access or that it should be "direct access" (however defined), and that the draft RTS do not prescribe whether access should be through the account provider-customer interface or a "dedicated" interface specifically created for this purpose, but merely the principles governing access. ISO 20022 is one of a number of standards already in use for payments; there may be cost implications for those PSPs which need to transition to it. As for the authentication of PSPs requiring access, recognising that the technical standards will not apply until October 2018 at the earliest, the EBA has assumed that one or more qualified trust service providers under e-IDAS will have been designated, although there are none now. The EBA has said that e-IDAS will need to be considered on a case-by-case basis to see whether it will deliver compliance. Secure encryption must be applied to communications, although there is no reference to any standard, nor any requirement for an agreement between PSPs which might make provision for it.
As part of your preparation for implementation of PSD2 and SCA you should consider amongst other matters:
- carrying out a gap analysis of current security policy, the EBA's 2014 Guidelines (if relevant), and the draft SCA RTS;
- reviewing the impact of SCA and the application of the new exemptions to the different payment channels you offer;
- more particularly, where you use RBA, the impact, and (if applicable), what changes might be required to the use of 3-D Secure technology;
- in the context of your security objectives and risk appetite, reviewing whether there are any mitigating steps available in respect of the SCA requirements, such as strategies to bring the amount of payments within exemption thresholds or the increased innovative use of direct debits;
- checking whether you comply with ISO 20022 in respect of account provider communication interfaces and, similarly, website authentication under e-IDAS; and
- reviewing potential amendments to framework contracts with customers and/or other terms and conditions.
For more information and to discuss any of the issues arising from the implementation of PSD2 and Strong Customer Authentication, please contact Arun Srivastava, Julian Hui or Richard Powell.