Under the Recast Payment Services Directive (PSD2), payment service providers must apply strong customer authentication (SCA) to a wide range of payment methods. The detail of these requirements has now been clarified by the European Banking Authority (EBA) through its Final Report on draft Regulatory Technical Standards (RTS) (published on 23 February 2017). The draft RTS will be submitted to the European Commission for approval.
In order to understand the opportunities and risks, it is useful to understand the background requirements and how these are changing.
What is strong customer authentication?
In the context of PSD2, SCA means that a payer must authorise their payment transaction using two out of three independent authentication 'elements', which, in turn, generate a one-time authorisation code.
The three authorisation elements consist of:
- knowledge (i.e. something only the payer knows, such as a password or PIN);
- possession (i.e. something only the payer possesses, such as a token or smart device); or
- inherence (i.e. something that is inherent to the payer, such as biometric characteristics).
These elements must be independent from each other, so that a security breach of one will not compromise another (although the EBA has clarified that independent authentication elements can be hosted within the same multi-purpose device).
Payment service providers must also adopt measures to mitigate the risk of the payer's use of those authorisation elements becoming compromised by unauthorised parties. To ensure technological neutrality, there is flexibility about the risk mitigation measures a payments provider can apply, although in some cases the burden is a high one. For example, payment providers relying on authorisation from devices or software applying the 'inherence' element must apply measures that ensure the software or device "guarantee resistance against unauthorised use of the elements".
In the case of remote electronic payments, there are further requirements that the authorisation code must be specific to the amount of the transaction and the payee identified by the payer – this is called "dynamic linking".
When will payment providers need to apply SCA?
Under PSD2 (article 97), SCA applies to a wide range of payment transactions where the payer:
- accesses their payment account online;
- initiates an electronic payment transaction; or
- carries out any action through a remote channel which implies a risk of payment fraud.
The scope of SCA is made uncertain by not defining in the RTS or PSD2 what an "electronic payment transaction" is – given that most payments operate through some means of electronic communication or device, it is potentially very wide.
Furthermore, the EBA understands that card payments are electronic payments "initiated by the payer" through a payee and, therefore, within scope. To date, card payments have been viewed by the sector as 'payee initiated' payments and the EBA view could challenge how firms apply other provisions in PSD2 which depend on whether payments are initiated by the payer or payee.
Despite the wide scope of when SCA applies, a range of exemptions are available – they are in order but the final one is perhaps the most interesting:
- accessing account balances or 90 day transaction history (provided the customer has accessed this information using SCA within the past 90 days);
- contactless payments not exceeding €50. There are cumulative limits to this exemption so that SCA must be applied after five consecutive contactless payments, or where the cumulative value of previous contactless payments exceeds €150. Some banks are already front-running the requirement to authorise contactless payments once cumulative thresholds have been met;
- payments made at unattended transport or parking payment terminals;
- payments made to a list of trusted recipients previously created or confirmed by the payer, or recurring payments for the same amount to the same payee;
- payments between the payer's own accounts held with the same account provider;
- low value remote electronic payments that do not exceed €30. As is the case for contactless payments, there are cumulative limits to this exemption so that SCA must be applied after five consecutive remote electronic payments, or where the cumulative value of previous remote electronic payments exceeds €100; and
- remote electronic payment transactions that are identified as posing a low level of risk. To qualify as "low risk", the payment provider must conduct a detailed transaction risk analysis and fraud monitoring exercise which will 'red flag' certain risk factors (for example, abnormal spending or location, or a known fraud scenario is identified). Furthermore, any payment providers relying on this exemption must be able to demonstrate that the fraud rate for the relevant payment instrument does not exceed a specified reference fraud rate designated for that transaction value.
This last exemption is a significant development in the final RTS from earlier iterations. Key stakeholders strongly advocated an exemption where data demonstrated there was a low risk of fraud. However, the final rules place the burden relatively high. Even so, the EBA's concession towards risk-based authentication is likely to be welcomed by a sector that has already invested heavily in this area.
In addition to applying SCA, the RTS also require payment providers to maintain transaction monitoring mechanisms to detect unauthorised or fraudulent payments that must be subject to periodic internal and external audits.
What are the consequences of not applying SCA?
In a move designed to mitigate against regulatory arbitrage, there are strict consequences for not adopting SCA under PSD2.
Under PSD1 (and subject to the EBA's Guidelines on Internet Payments), the application of payment authentication procedures is flexible although liability provisions in the Directive should incentivise payment providers to adopt techniques to mitigate the risk of fraudulent payments and demonstrate the customer's consent for a payment.
PSD2 is stricter in two respects:
- first, it places a strict liability on payment providers that do not require strong customer authentication (other than for a customer's fraud). This is regardless of whether that choice is made because of an exemption and arguably applies whether or not the payment is even within scope of the SCA requirements. Where the payee or the payee's payment provider does not accept SCA, then they must indemnify the payer's payment provider (who has the strict liability to its customer) for its loss;
- second, strong customer authentication is not optional – all payer payment providers must require it and payee payment providers must accept it. The EBA has made this clear in its Final Report.
What will this mean for payments?
This step up in authentication requirements will be felt in the sector. SCA will impact on consumers, payment providers and retailers alike and the debate surrounding it embodies a tension between providing frictionless customer experiences whilst also enhancing security.
In Europe, where many Member States have already adopted existing EBA guidelines on SCA for internet payments, the change may be more incremental. However, in the UK (which declined to adopt earlier EBA guidelines), it will be the first time for many that SCA is applied to their payments or online account.
From a user and retailer perspective, SCA will have a particular impact for online payments. Increasingly, online merchants use pre-saved payment details to provide one-click payments. Unless an exemption applies, this frictionless consumer journey will now be interjected with two separate authentication requests. Similar bumps in the road crop up for e-money products that simultaneously involve two payments potentially subject to SCA – the first payment being the card payment that funds the customer's e-money account, the second payment being the transfer of funds from that e-money account to the merchant.
From a payment provider's perspective, the required upgrade in technical capabilities to support SCA and investment in fraud monitoring capabilities should not be underestimated. SCA is also likely to change the competitive landscape for payment providers. Providers with the most sophisticated risk analysis tools will be best placed to utilise exemptions from SCA and deliver more convenient payment methods. Similarly, providers that make the best use of technology to deliver more seamless SCA techniques will be positioned to benefit. As these features might be important specification details for retailers, this could be the making of innovative market entrants.
While PSD2 must be transposed into national law by 13 January 2018, the SCA requirements will only apply 18 months after the RTS has come into force – SCA will only be mandatory from late 2018 at the earliest – so there is time to plan for a slightly more bumpy customer journey.