Electronic payment is facing a tremendous growth in today’s world. We are already accustomed not to pay with notes and coins for a significant number of daily purchases, such as lines tickets, movies, and grocery shopping. Mobile payments, in particular, are evolving more and more across the globe thanks to the continuous expansion of apps payment systems agreements between tech companies and financial institutions.
Moreover, the integration of the Internet of Things (IoT) with payment applications will soon provide significant opportunities to transform traditional accessories like watches and jewellery in high-tech wearable contactless payment devices.
According to a recent report, nearly 3 billion users will access retail banking services via smartphones, tablets, PCs and smart watches globally by 2021. Also, Transparency Market Research forecasts that the global mobile payment technologies market will be worth about $1.773.17 billion by the end of 2024. The e-payment system will also have an horizontal development, with the increasing adoption of immediate payment technologies by developing regions such as Asia Pacific, Middle East and Africa.
In this situation, financial institutions need more than ever to improve the security of payment services offered. In this respect, the European Banking Authority (EBA) published on February 23, 2017 its final draft of the Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. These RTS, which were mandated under the revised Payment Services Directive (PSD2) and developed in close cooperation with the European Central Bank (ECB), pave the way for an open and secure market in retail payments in the European Union.
The previous draft, submitted to consultation last year, required for the application of a strong authentication system based on the use of two or more elements categorised as knowledge, possession and inherence, for every remote payment transaction above 10 Euros. Although its substance did not undergo major changes, the new draft resulting from the consultation process raised the micro-payments threshold of exemption for low-value contactless payments from 10 to 30 Euros and introduced two new exemptions from the application of strong customer authentication: one for payments at so called “unattended terminals” for transport or parking fares, and the other based on a transaction-risk analysis (TRA). The TRA, in particular, allows payment service providers to be exempted from the application of the strong customer authentication if the remote e-payment transaction initiated by the payer is identified as posing a low level of risk.
The TRA is based on monitoring payment mechanisms and user behaviours as well as risk-based factors such as signs of malware infection in any sessions of the authentication procedure, the amount of each payment transaction and known fraud scenarios.
With regards to the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service providers (PISPs), EBA decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. The final RTS draft also confirmed the ban on the practice of third party access without identification, referred to as “screen scraping”, in order to avoid that PISPs access the customer’s online account by pretending to be that customer. However, in order to address the concerns raised in some consultation responses, the new draft also requires that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, the same level of contingency measures in case of unplanned unavailability (business continuity and disaster recovery procedures), and an immediate response to PISPs on whether or not the customer has funds available to make a payment.
The draft, now submitted to the EU Commission, will apply 18 months after the adoption of the RTS by the EU Commission as a Delegated Act. However, until that moment, other significant changes might emerge. In particular, it is not clear if the new exemptions will be enough to provide the flexibility required not to hinder future innovations in the e-payment system (including those relating to the blockchain and API technologies). We will have to wait for that moment in order to see if the Commission will tip the balance towards security or flexibility.
We will no doubt keep you posted.