Strong Customer Authentication (SCA) has become a political football passing between the European Banking Authority and the European Commission. The EBA's Opinion issued on 29 June objects to amendments that the Commission intends to make to the EBA's final draft Regulatory Technical Standards on SCA and Common and Secure Communication (the RTS). This back and forth between the EBA and the Commission is unusual, though it is part of a trend that has seen the EBA become more assertive. While the implementation date of 13 January 2018 for the recast Payment Services Directive (PSD2) is fast approaching, in contrast the expected date for the RTS to take effect is slipping further away.
The Football Pitch
The RTS have been subject to much controversy, criticism from various industry sectors and much lobbying and representations.
There are two main areas in dispute:
- the use of SCA to authenticate electronic payment transactions. In response to growing concerns about cyber crime and fraud, PSD2 seeks to enhance the security around the making of online payments mandating the use of SCA. Payment Service Providers (PSPs) are unhappy believing that SCA will make it more difficult for customers to authenticate payments while reducing the ability of firms to use technologies such as Risk Based Authentication to counter fraud; and
- the interface through which the new payment initiation (PISPs) and account information services providers (AISPs) will access customer accounts. These firms have voiced concerns that if banks and other account providers can require access through a "dedicated interface" too much power may be placed in their hands, for instance, the interface may be inferior to that used by customers.
The EBA has pushed back on the Commission's amendments made this spring to the draft RTS publishing an Opinion objecting to various aspects. The outstanding issues are these: (1) the need for a statutory audit of the application of security measures when a firm applies the transaction risk analysis exemption to SCA (i.e. who polices the exemption); (2) the scope of the Commission's new exemption for corporate payments; (3) whether fraud reporting should be just to national authorities or also to the EBA - over which the EBA has some concerns as it lacks direct supervisory powers over PSPs; and (4) the requirement for banks and other account providers to make user-facing interfaces available to AISPs and PISPs where the dedicated interface is unavailable or performing inadequately.