(As anticipated) the European Banking Authority (EBA) has published a “Consultation Paper on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2“.

The Consultation Paper includes the EBA’s thoughts on what the relevant parts of the second Payment Services Directive (PSD2) mean; and its first draft Regulatory Technical Standards (RTS).

The EBA is holding a public hearing on its first draft RTS in London on 23 September 2016. The consultation period closes on 12 October 2016. The EBA will publish the final draft RTS by 12 January 2017; and it anticipates that the RTS will be directly applicable in the EU from October 2018, at the earliest.

PSD2 came into force on 12 January 2016. The Member States of the EU must transpose it into their national laws by, and all relevant payment service providers (PSPs) must comply with those laws from, 13 January 2018. It’s not yet clear how the UK will meet these obligations – although a new statutory instrument (amending or replacing the UK’s Payment Services Regulations) and/or FCA rules seem likely. UK PSPs will be required to comply with (a) the new SI and rules from 13 January 2018; and (b) the RTS from (say) October 2018, until (in each case) at least the moment when Brexit occurs. In all probability, UK PSPs will also be required to comply with the SI, rules and RTS long after after that.

Article 97 of PSD2, provides that:

(1) Member States shall ensure that a [PSP] applies strong customer authentication where the payer (a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

(2) With regard to … paragraph 1[(b)], Member States shall ensure that, for electronic remote payment transactions, PSPs apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.

(3) With regard to paragraph 1, Member States shall ensure that [PSPs] have in place adequate security measures to protect the confidentiality and integrity of payment service users’ [PSUs’] personalised security credentials.

(4) Paragraphs 2 and 3 shall also apply where payments are initiated through a payment initiation service provider [(PISP)]. Paragraphs 1 and 3 shall also apply when the information is requested through an account information service provider [(AISP)].

(5) Member States shall ensure that the account servicing [PSP] [(ASPSP)] allows the [PISP] and the [AISP] to rely on the authentication procedures provided by the [ASPSP] to the [PSU] in accordance with paragraphs 1, 2 and 3.”

Article 98 of PSD2 provides that:

(1) [The] EBA shall … develop draft [RTS] … specifying: (a) the requirements of … strong customer authentication …; (b) the exemptions from the application of Article 97(1), (2) and (3) …; (c) the requirements with which security measures have to comply … in order to protect the confidentiality and the integrity of the [PSUs’] personalised security credentials; and (d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between [ASPSPs], [PISPs], [AISPs], payers, payees and other [PSPs].

In the narrative part of the Consultation Paper, the EBA explains its approach to (for example) strong customer authentication; and PSD2 standard setting.

The 23 Articles of the draft RTS are principles based, technology neutral, and divided into 5 chapters:

  1. Strong customer authentication (articles 1 to 7):
  2. Exemptions from strong customer authentication (article 8);
  3. Protecting the confidentiality & integrity of the PSUs’ personalized security credentials (articles 9 to 15);
  4. Common and secure open standards of communication (articles 16 to 22); and
  5. Final provisions / Entry into force (article 23).

This consultation paper will be of most interest to PSPs in the EU; and those who are developing payment related services and technology – especially if the services or technology are secure communication and/or customer authentication related.

Consultation responses must be submitted using the “Send your comments” button on the EBA’s website.

The EBA is holding a public hearing on the draft RTS in London on the afternoon of 23 September 2016. If you would like to attend, you must register before 1pm (UK time) on 9 September 2016. Good luck.