Out-Law News

Final payment authentication standards face delay amidst industry criticism of proposals

The European Banking Authority (EBA) is unlikely to meet its deadline for finalising new regulatory technical standards (RTS) on strong customer authentication under new EU payment services laws (PSD2), the chair of the regulator has said.

In a statement (6-page / 124KB PDF) delivered before the European Parliament's Committee on Economic and Monetary Affairs (ECON) earlier this week, Andrea Enria said the EBA is likely to publish the final standards "a month or so later than the deadline of 13 January 2017 stipulated in the PSD2".

"The timescale for implementation by the industry is 18 months after entry into force so a one month delay shouldn’t create too much of an issue," said Chris Davidson of Pinsent Masons, the law firm behind Out-Law.com, who is an expert in the regulation of payment services. "However, it does not ease up the pressure on the industry to implement what will be significant technological and strategic security changes in a short timescale."

PSD2 is the reformed Payment Services Directive which came into force earlier this year. The directive needs to be implemented into national laws across the EU by 13 January 2018. The EBA is responsible for defining eleven sets of regulatory technical standards under PSD2, including those relating to the use of strong customer authentication. The European Commission has the power to adopt those standards.

Enria said that the reason for the likely delay was the combination of the importance and complexity of the mandates it has been given, which he said had necessitated a high level of engagement with stakeholders and the balancing of competing priorities, together with a lack of resources for coping with the additional work demanded of the EBA under the directive.

In respect of its mandate on strong customer authentication alone, Enria revealed that the EBA had received 226 responses to its August 2016 consultation paper, which in total contained "approximately 260 distinct concerns and/or requests for clarifications".

A recent letter addressed to the EU's commissioner for financial services and signed by 39 industry organisations, including bodies representing major banks, retailers, credit card providers and technology companies, warned that the EBA's proposals "would create unnecessary hurdles for a number of different industries, especially e-commerce". Among the EBA's proposals that industry has criticised are plans to apply its strong customer authentication protocols to all remote payment transactions valued at over €10.

The publication of the letter followed the release of a position paper by Visa which described the EBA's draft standards as "a significant threat to future innovation and Europe's future growth". Visa, and the signatories of the subsequent cross-industry letter, called for the EBA to adopt a risk-based approach to the application of the new authentication standards.

Expert in the regulation of payment services Thomas Howard of Pinsent Masons said the cross-industry letter to the Commission is "an example of the challenges that the EBA faces in developing regulatory technical standards under PSD2 and the importance of getting them right, given the potential knock-on effects".

"In relation to strong customer authentication, at its heart there is an inherent tension between the desire, on the part of payment service users, merchants and payment service providers, for processes to be as frictionless and user-friendly as possible, and the need, from a regulatory and crime prevention perspective, to ensure that transactions are secure," Howard said.

In his statement to MEPs, Enria said the EBA would consider amending its proposals on when strong customer authentication (SCA) should apply, but appeared to rule out adopting risk-based analysis (RBA) as a basis for the new standards.

"It is currently difficult for us to envisage an RTS that would allow risk-based analysis to replace strong authentication, as some [industry] concerns seem to suggest," Enria said. "Rather, RBA is a security requirement complementary to SCA, with SCA having been introduced by PSD2 for the very specific purpose of authentication prior to the transaction being initiated. The legislators deemed this requirement to be necessary given the new future environment that will be created by PSD2, whereby payments are initiated no longer by the payment user only but also by [account information service] and [payment initiation service] providers." 
