New regulatory requirements are changing the payment markets

The Regulatory Technical Standards on strong customer authentication and secure communication (RTS on SCA & CSC) officially took effect on 14 September 2019.

The RTS, which were published in March 2018 in the Official Journal of the European Union, are the key to achieving the objectives of the revised Payment Service Directive (PSD2) for ensuring consumer protection, fostering innovation and enhancing the level playing field in the payment markets.

Background

PSD2, which entered into application on 13 January 2018, aims at creating an EU-wide harmonized payment system characterized by a high level of consumer protection and payment security.

In order to increase consumer protection, PSD2 postulates that all electronic payment services should be carried out in a secure manner and promotes technologies that are able to guarantee the safe authentication of the users and thus to reduce the risk of fraud. To this end, the European Banking Authority (EBA) developed regulatory technical standards (RTS) specifying the requirements of strong customer authentication (SCA), which payment service providers (PSPs) such as banks and other payment institutions should observe when they process payments or provide payment-related services. Even though the intention of the PSD2 is to make SCA a requirement for all online transactions, there are still some exemptions. They aim to ensure that consumers still enjoy an easy shopping experience with additional security on larger and less frequent payments.

In order to promote innovation and completion, PSD2 requires account servicing payment service providers (ASPSPs) to provide at least one interface for third party payment service providers (TPPs) enabling them to initiate payments and access account information. In this context, the regulatory technical standards outline the requirements for common and secure communication between the ASPSPs and the TPPs, such as account information service providers (AISPs) and payment initiation service providers (PISPs).  

Strong customer authentication

With the entry into force of the RTS, strong customer authentication becomes a necessary precondition for accessing one’s payment account or for making payments online. The SCA rules require banks and other payment service providers to verify user identity by using at least two of the following three elements:

Strong Customer Authentication is applicable to “customer-initiated” online payments. Hence, most card payments and all bank transfers should meet the new authentication criteria. The “merchant-initiated” payments such as recurring debit card payments and in-person payments, however, do not require strong customer authentication.

Common and secure communication

PSD2 requires banks to open their IT infrastructure to TPPs and thus improves the level playing field for payment service providers. In other words, banks have to have a communication channel that allows TPPs to access the data they need. In addition, the channel should allow market participants to identify each other and to communicate in a secure way. In order to meet this requirement, AISPs may either adapt their client online banking interfaces or create a new dedicated interface.

The RTS on SCA and CSC specify the requirements for common and secure standards of communication and define the contingency safeguards that need to be implemented by the banks that have decided to develop an integrated interface. The so-called fallback mechanism aims to ensure the continuity of the service of TPPs and the fair market competition.

Strong customer authentication (SCA) enforcement date

As already stated, the SCA requirements have become officially applicable from 14 September 2019. However, the EBA has acknowledged the complexity of the payment markets in the EU and published on 21 June 2019 an Opinion on SCA and CSC. Therein, the EBA accepts that on an exceptional basis for some PSPs that are not directly subject to the application of the PSD2, such as e-merchants, it may be possible to apply for an extension of the implementation deadline. In this respect, the EBA allows the national authorities of Member States to work with these PSPs, acquirers and relevant stakeholders in order to provide them limited additional time to become compliant with the RTS requirements. Thus, a temporary enforcement extension may allow issuers to migrate to SCA-compliant authentication approaches and acquirers to migrate their merchants to solutions supporting SCA. This extension is only permissible if the PSPs have a migration plan that is agreed with their NCA and shall execute it in an expedited manner.

In our next post we will provide you with an overview of the national regulators who have published an official statement about the enforcement timeline for online payments issued in their jurisdiction.

Sources

Regulatory Technical Standards on strong customer authentication and secure communication under PSD2
Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2