On 27 November 2017, the European Commission adopted a Delegated Regulation (and supporting Annex) in which it sets out its regulatory technical standards (RTS) for both strong customer authentication and ensuring common and secure open standards of communication under the Second Payment Services Directive (PSD2).
The RTS provide security standards which players in the payment services market will need to adopt alongside implementing PSD2, and cover both traditional payment service providers and the new third party payment service providers (notably account information service providers (AISPs) and payment initiation service providers (PISPs)).
The European Banking Authority (EBA) submitted its final draft RTS to the European Commission in February 2017, but the Commission announced its intention to amend the draft RTS in May 2017. The Commission has made "some limited substantive amendments to the draft RTS submitted by the EBA", but they largely follow the position taken by the EBA in conjunction with the European Central Bank.
Strong Customer Authentication (SCA)
The RTS make strong customer authentication (SCA) the basis for accessing payment accounts, as well as for making payments online.
To prove their identity to gain access to payment accounts, users will have to provide at least two separate elements of either:
- something they know (a password or PIN code);
- something they own (a card or a mobile phone); or
- something they are (such as their biometrics, e.g. fingerprint or iris scan).
The Commission does accept that some other authentication methods may be as safe and secure as SCA, and so the RTS do set out some exemptions. However, if a payment service provider wants to be exempt from SCA, it has to first put in place transaction monitoring procedures to assess whether the risk of fraud is low. The Commission has also introduced an exemption for corporate batch payments, where security is achieved through means other than the authentication of a particular individual. This is, however, subject to competent authorities being satisfied that these payment methods achieve the high level of security of payments required by PSD2.
Common and Secure Communication
As PSD2 brings third party payment service providers under the regulatory umbrella, the RTS specify the requirements for common and secure standards of communication between banks and these newly regulated third party providers.
Banks will have to put in place a communication channel that allows third party payment providers to access the data that they need. This communication channel will also enable banks and third party payment providers to identify each other when accessing customer data, and will ensure that all communications take place through secure messaging.
Under the RTS, and in light of the new requirements on secure communication, third party providers will no longer be allowed to access customer data through the use of "screen scraping". However, there will be a transition period between the launch of PSD2 on 13 January 2018 and the application date of the RTS (likely to be September 2019), during which screen scraping can continue to be used.
When will the new rules become applicable?
PSD2 will become applicable as of 13 January 2018, except for the security measures outlined in the RTS. The next step is for the Council of the EU and the European Parliament to consider the RTS. If neither of them objects, the RTS will come into force on the day after publication in the Official Journal of the EU. The security measures will become applicable 18 months after the date of entry into force of the RTS, which is expected to be around September 2019.