The European Banking Authority (EBA) has today released its final draft Regulatory Technical Standards (RTS) for implementing Strong Customer Authentication (SCA), mandated under the revised Payment Services Directive (PSD2). At the heart of these changes to RTS is the fact that, through PSD2, European lawmakers have decided to allow non-bank competitors to access the payment accounts of banks’ customers, for the purpose of retrieving account information and/or to initiate a payment transaction.
Key Changes to the Regulatory Technical Standards (RTS) that will implement SCA:
1. Technology-neutrality of the RTS
One of the main criticisms of the previous RTS was that it was very high level in some areas but very detailed in others, and in particular that it made reference to particular technologies in some cases. The new draft of the RTS attempts to address these concerns by adopting a more technology-neutral stance.
2. Exemptions to Secure Customer Authentication
The new RTS introduces two key new exemptions, one based on "transaction risk analysis" and one for so-called 'unattended terminals' for transport or parking fares. However, the exemption for transactional risk analysis can only be used where the payment services provider has an overall fraud rate lower than the reference fraud rate mandated in the RTS. This will allow the payment services providers a lot more flexibility, but only where they can show that the level of fraud is being kept at an acceptable level. The threshold for applying SCA to remote transactions will increase from €10 to €30. There will be no exemption for corporate payments.
3. Banks can provide a dedicated interface
The EBA has confirmed that the practice of 'screen scraping' - which automates the copying of data from a website - will be banned under PSD2 after the end of the transition period. However, banks will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers.
Commenting on the changes, John Salmon, Partner at Hogan Lovells, said: “The changes provide a pragmatic olive branch, reflecting the fact that the EBA is wrestling with an incredibly difficult task that pitted it against competing objectives under PSD2.
“One of the biggest complaints about the legislation has been it is so clunky, particularly around two-factor authentication. Fintechs, banks and online merchants should welcome the extra flexibility, particularly around the new 'transaction risk analysis' exemption. However, they are going to have to ensure that level of fraud is kept under control so that they can meet the reference level. They should also get behind the desire for technological neutrality and having principle-based regulation, as this will help foster innovation. The same goes for the new clarity around interfaces – the banks will be happy they'll be able to choose the type of interface they use, while Third Party Payment Providers will take comfort from the fact that they shouldn’t lose out through using these systems and they will have to be just as good as the systems offered direct to customers."