Warning over 'unintended consequences' of payment security standards

Out-Law News | 20 Jun 2019 | 10:49 am | 2 min. read

Consumers and businesses face "widespread disruption" when new EU payment security standards take effect, bodies representing the fintech sector have warned.

The regulatory technical standards (RTS) on ‘strong customer authentication and common and secure open standards of communication’, which have been drawn up under the EU's second Payment Services Directive (PSD2), are scheduled to apply as of 14 September this year. They are designed to help third party providers (TPPs) obtain secure and permissioned access to payments account data held by banks and other 'account servicing payment service providers' (ASPSPs).

The standards require ASPSPs to provide third party account information service providers (AISPs) and payment initiation service providers (PISPs) with access to the data through the customer's normal online banking platforms, or alternatively develop a new 'dedicated interface' (API) for that purpose.

However, the Financial Data and Technology Association (FDATA Europe) and European Third Party Providers Association (ETTPA) said that the standards will have "unintended consequences".

"Strong customer authentication, designed to improve the security between a bank and its customer, will unintentionally block access to non payments data, such as savings accounts and loan accounts, which are in very wide use," the trade bodies said in a statement.

"The RTS provides no period of transition during which a TPP could seek to ask its customers to rejoin on the new technology. There needs to be a twelve month transition period after the banks have delivered a high quality API or Adjusted Interface to allow customers to migrate," they said.

"It is already crystal clear that the development of the technologies is not nearly mature enough at this stage, both in functionality and resilience. It is highly likely that on the current timetable, the vast majority of banks will fail to deliver a suitable API and run out of time to then deliver the Adjusted Interface. If they simultaneously then introduce the new security measures, all access to account channels used by fintech firms will be blocked," they said.

The concerns expressed by FDATA Europe and ETTPA are detailed in a new paper the bodies have published and presented to regulatory authorities. They called for the 14 September deadline for implementation of the new standards to be pushed back.

"As it stands the banks, fintech firms and national regulators need to orchestrate a hierarchy of needs which puts customers first," FDATA chairman Gavin Littlejohn said. "A practical first step would be to delay any new implementation of strong customer authentication which could block the traditional technology from functioning as it currently does, until such a time as the key issues are properly managed. Creating a ‘big bang’ approach to implementation, regardless of the connected circumstances, is simply creating an unnecessary cliff edge, which is easily avoided by this simple measure."

Insight into the progress being made towards a fully functioning open banking system in Europe was provided to delegates at the Money20/20 Europe 2019 conference in Amsterdam earlier this month.

Research discussed at Money20/20 that was commissioned by Stripe suggests that up to €57 billion of sales are at risk in the first year that the strong customer authentication rules apply. The study found that many businesses are unprepared for the forthcoming changes. Other industry figures are predicting that as many as 25% or 30% of e-commerce transactions could be declined in the immediate aftermath of the switch to the new standards.