Now that the revised Payment Services Directive (PSD2) has been finalized, issues of transposition will come to the fore. This is because the PSD2 is expected to enter into force in January 2016 and to apply from January 2018.
One of the central issues of transposition will be that of internet payments security. The PSD2 introduced the mandatory use of strong customer authentication as part of the services provided by PSPs. It also indicates that a PSP would be liable if an unauthorized transaction occurs in the event that strong customer authentication was not offered.
“Strong customer authentication” is defined as, “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”
In anticipation of this PSD2 obligation, in December 2014 the European Banking Authority (EBA) issued Guidelines on the Security of Internet Payments. The Guidelines provide further detail that the PSD2 did not delve into, especially with regard to the technical requirements to provide and support strong customer authentication. The EBA also sought to obtain confirmation from the competent authorities of the EU Member States that the licensed entities are compliant with the requirements contained in the Guidelines. In fact, the MFSA issued a Financial Institution Rule (FIR/04) based on these Guidelines, along with a questionnaire to be filled out to ensure such compliance.
In December 2015 the EBA issued a Discussion Paper in order to start gathering feedback for the draft of the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication. This RTS seems to be a sequel to the Guidelines issued a year earlier. However, the new RTS seems to be more than just a set of requirements; it seems to be the result of feedback received in relation to the Guidelines.
This RTS would form part of the intended set of six RTSs and five sets of Guidelines to be provided by the EBA, as mandated by the PSD2. However, the Discussion Paper implies that the increased security measures, while being beneficial to consumers as well as businesses, seem to have met resistance from the industry. In fact, in the press release announcing the Discussion Paper, it was noted that, “the EBA and ECB will have to make difficult trade-offs between competing demands and would like to hear views from market participants on where the ideal balance should lie.”
Indeed, the Discussion Paper contains a section on possible exemptions to the strong customer authentication requirement, which the EBA is suggesting would be determined by risk-based criteria (e.g. low-value payments, recurring payments, etc.). Such exemptions are already contained in the PSD2; however, the EBA is seeking to clarify them.
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said:
This is an early step in the development of some crucially important standards that the EBA is responsible for. These standards will define how core objectives of PSD2 will be met, operationally.
Given that the EBA has the challenge of balancing input from across the EU, it will be influenced by regions and market segments with widely differing payment cultures and propositions. So, businesses need to speak up, engage with the EBA, or risk being tied to standards that inhibit or expose them.