PSD2 Regulatory Technical Standards. What has changed?
March 1, 2017 - Discussing the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC), formulated by the European Banking Authority (EBA), as part of the second Payment Services Directive (PSD2).
As part of the second Payment Services Directive (PSD2), the European Banking Authority (EBA) was mandated to formulate Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC). These standards have strong implications for the implementation of the concepts introduced by PSD2, such as Access to Accounts (XS2A).
A first version of the draft RTS was released in August 2016 and was met with a strong response from the industry. UL also sent an official response to the EBA and published a blog post about this response. In the past months, the market has been eagerly awaiting the updated RTS, while the EBA had difficulties coping with the large amount of feedback. On February 23rd, the final version of the draft RTS was published online by the EBA.
First version of the RTS
The EBA successfully solicited a wide industry response to the first draft RTS. Around 300 different issues or requests for clarification were distilled from 4000 pages of feedback. According to the EBA, the key issues identified were related to (1) the scope and technology-neutrality of the draft RTS, (2) the exemptions including thresholds and a request for ‘transaction-risk analysis’ (TRA), and (3) the XS2A including the requirements around the information communicated.
These key points, amongst others, were also addressed by UL in our previous blog post and our official response to the EBA’s consultation paper. UL found that while the draft RTS contained a valid authentication framework, it did not seem to take into account the latest market trends and offerings in the field of authentication. For example, the definition of authentication elements was generic and did not include a possibility for Risk-Based Authentication (also referred to as ‘transaction-risk analysis’). Other concepts, such as Federated Access, Federated Identity Management, and third-party or distributed authenticators, were not possible or not addressed in the first RTS. Regarding communication protocols, the EBA proposed the use of ISO 20022 but did not provide sufficient details for implementation. Additionally, problems were identified in the areas of the generation of authentication codes, dynamic linking, localization of thresholds, and the requirements for XS2A.
UL concluded at that time that the EBA should consider setting clearer standards around security and interoperability and let the market find ways to innovate and manage the customer experience. In the following section we will show the most important changes in the final RTS and review whether the concerns from the industry, and the ones raised by UL, were properly addressed.
What’s new in the Final Draft RTS?
We recognize the difficult task that the EBA had in balancing the various objectives of PSD2 and taking into account the viewpoints of the many stakeholders. The final draft RTS on SCA and CSC bring significant changes from their previous version. Among those changes, the following topics deserve closer attention:
- References to ISO 27001 and other specific technological characteristics are removed, to ensure technology neutrality and allow for future innovations. References to ISO 20022 remain, but are further clarified with regard to scope.
- New exemptions from SCA are introduced:
  - ‘Transaction-risk analysis’: This exemption is linked to predefined levels of fraud rates, so as to provide incentives to strengthen the protection of customers. This exemption will be reviewed 18 months after the RTS have been introduced.
  - Unattended terminals: This exemption will cover transport or parking fares.
- The EBA agreed to modify or extend existing exemptions, such as to increase the limit for remote payment transactions from EUR 10 to EUR 30.
- ‘Screen scraping’ will no longer be allowed once the transition period under the PSD2 has elapsed and the RTS apply. However, additional requirements are included that require Account Servicing Payment Service Providers (ASPSP) to provide the same level of availability, performance and contingency for access by Account Information Service Providers (AISP) as compared to customers accessing the service via the AISP’s own web applications.
UL partly agrees with the reasoning of the EBA regarding the removal of references to ISO 27001 and other standards, to achieve the goal of the RTS being technologically neutral. However, it remains to be seen if industry players have enough freedom within the current RTS to provide both a secure and smooth customer experience. More importantly, the lack of proper guidance regarding standards can create a fragmented market, with e.g. many different API solutions, which will not be beneficial to innovation and perhaps customer experience.
In the first version of the RTS, ISO 20022 was referred to in a very generic way. ISO 20022 itself is only a standard for developing standards for different services in the financial industry. It is good to hear that the EBA has now narrowed the scope somewhat to mean financial messaging, although clear and detailed protocol requirements are still missing. As a result, this can still lead to a fragmented market in terms of different protocols and interoperability requirements.
Exemptions from SCA
The lack of mention of risk-based authentication, a proven industry practice, was a problem in the first draft RTS identified by UL and many other industry parties. As the requirements for SCA were very strict, this would have impacted many players by, for example, reduced conversion rates in e-commerce environments.
UL welcomes the introduction of risk-based analysis, or transaction-risk analysis, as a means for the market to offer and keep offering a better customer experience, while requiring banks to keep fraud levels under specific thresholds in order to be entitled to use this exemption.
The monetary limits for different channels were not consolidated as UL proposed, but the SCA limit for remote payment transactions was raised from EUR 10 to EUR 30. This is a move that will be welcomed by many e-commerce businesses. The suggestion of letting member states decide the monetary limits (in their own currency) was not implemented by the EBA.
Last (but not least), by creating specific exemptions to scenarios not covered in the previous version, like transport and parking fees and contactless payments at point of sale, EBA shows a clear willingness to create specific rules for SCA, without impacting existing payment products or consolidated use cases.
Access to Accounts
UL welcomes the fact that ‘screen scraping’ will not be allowed anymore. This will improve security and interoperability. Nevertheless, in practice, it must be verified that ASPSPs’ interfaces are implemented in such a way that Third Party Providers (TPP) are still able to offer their services without the, admittedly dubious, technique of screen scraping.
Related to this, a specific change on which the industry was understandably divided was the allowed frequency of non-user-initiated access to accounts by AISPs. The arbitrary limit of two times a day has been changed to four times a day, partly alleviating concerns from TPPs, but not addressing concerns related to the varying requirements of different services, and the possible impact on ASPSP infrastructure.
UL recognizes the challenge of balancing consumer protection and payment experience, especially in the e-commerce world. In the first draft RTS, we found that some requirements regarding SCA were very strict, potentially impacting innovation and even services that are currently offered. The addition of transaction-risk analysis in the RTS is a very welcome change for the industry, as it allows ASPSPs to compete on the offer of better user experiences, while monitoring and implementing measures to keep fraud levels within specific thresholds.
Many industry frameworks and concepts are still not fully explored by the final draft RTS, and some references to industry standards were even removed. Related to this, the EBA has made requirements less specific, leaving more room for the industry to implement its own standards. The reasoning of the EBA is that the RTS need to be technologically neutral and not stifle innovation. We partly agree with the reasoning, but it remains to be seen whether the RTS offer enough freedom for industry players to offer innovative, interoperable and customer-friendly services, and at the same time do not create a fragmented market regarding, for example, secure communication using APIs. Such fragmentation could undermine the effectiveness of PSD2’s objective.
The final draft RTS treated here will be submitted by the EBA to the European Commission for adoption. It will be applicable 18 months after its entry into force, which, according to the EBA, would suggest an application date of the RTS in November 2018 at the earliest.