The EBA’s Regulatory Technical Standards Provide the “How” to PSD2’s “What”
February 2017 saw the release of the long-awaited draft regulatory technical standards (RTS) for strong customer authentication (SCA) from the European Banking Authority (EBA). The RTS defines the technical framework for the implementation of PSD2 with primary focus on SCA, and common and secure connection (CSC). In short, we could say that PSD2 covers the “what” aspect of the regulation whereas the RTS defines the “how” this is to be done.
Function over form? European Commission amendments to RTS for SCA
In June, the commission suggested several amendments to the RTS that addressed concerns around the auditing of transaction risk analysis and the addition of a new exemption from SCA for certain corporate payment processes. The amendments also proposed direct access for the EBA to fraud reports from PSPs in addition to aggregated data provided by competent authorities (national financial regulators). Finally, as an additional safeguard for third-party payment service providers (TPPs), the revisions clarified that should the unavailability or inadequate performance of the dedicated communication interface occur, banks would be expected to offer secure communication through user-facing interfaces as a contingency measure.
The final text of the RTS was confirmed on November 27 and submitted to the European Parliament for deliberation before being published in the official journal of the European Union. Scrutiny will begin in earnest in February 2018 and could last between three to six months. With PSD2 on its way in January, the European Commission has confirmed the deadline for compliance to the RTS will actually start in September 2019.
The ratification process up to this point has consisted of a fine balancing act between functional and non-functional requirements, with all parties trying to find a compromise position on the RTS. Depending on which side of the aisle you sit, be it incumbent (banks), TPPs or merchants, there are inevitably good and not-so-good things in the RTS. However, this notion of non-functional requirements (NFRs) is well established in software development and forms the backbone of common standards around which the final RTS rests.
Finding common ground on non-functional requirements
Non-functional requirements of a payments system typically include system performance, availability and security. For a banking application, a major non-functional requirement is availability of the application 24/7 with zero down time. Hardening systems, adding in redundancy, resilience and, above all, added security are all NFRs on which the commission and EBA have been striving to seek common ground.
The security measures outlined in RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition.” The RTS introduces requirements that payment service providers (PSPs) “must” observe when they process payments or provide payment-related services. In the context of competition and innovation, RTS includes two new types of services, the “so-called payment initiation services” and the account information services.
The commission says it made some “limited substantive amendments” to the draft RTS submitted by the EBA. This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.”
PSD2: A quick recap
Looking back at the original brief of PSD2 which set out the framework for the RTS, it is important to remember the main tenets of the directive.
The implementation of PSD2 is intended to make it easier, faster and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payments security and standardizing payment systems across Europe. PSD2 uses three mechanisms to achieve this:
- First, it expands the regulatory purview of the European Union to include new kinds of providers, such as payments initiation and account information services.
- Second, it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers.
- Third, and the most disruptive, it requires European banks to open their payments infrastructure and customer data to third-party providers of financial services.
This last mechanism has arguably been the most contentious and the amendments from the commission go some way to easing the burden on corporate players at the very least with regard to direct access. TPPs will be granted consented access to customer information through the banks’ infrastructure to deliver new value-added services.
Ensuring European payment mechanisms are fit for purpose
To enable bank account access (often referred to as payments initiation and account information services, or XS2A for short), banks are required to offer a communication interface for TPP requests. This TPP interface should have the same functionality and deliver the same level of support as for customers transacting directly with their bank. The EBA has suggested the use of ISO 20022 as a potential candidate for the interface format, but the RTS does not provide any prescriptive guidance on how exactly XS2A is to be implemented.
Thankfully, individual country regulators have been issuing implementation and compliant handling guidelines for a few weeks now, so the need to “interpret” the new regulations has been lessened somewhat. Regardless of the adoption challenges ahead, PSD2 and the RTS in particular, are sorely needed to ensure the European payment mechanisms are fit for purpose for the coming decade.
Related Blog Posts
SCA: How PSPs Can Help Merchants Stay One Step Ahead
The main objective of PSD2’s Strong Customer Authentication (SCA) is to protect customers and reduce fraud by introducing new measures that ensure that customer-initiated transactions are being made by the genuine cardholder.
The EMV Deadline Has Been Extended for U.S. Fuel Merchants – Now What?
U.S. fuel stations were originally supposed to be EMV-compliant by October 2017, but due to complications and costs at the time, the deadline for EMV at the pump was extended for three years – and it has now been pushed out further to April 2021 due to the COVID-19 pandemic.
Merchant Fraud in the Age of COVID-19: We Need to Prepare Ourselves for a “Tidal Wave” of Attacks
With millions of consumers around the world self-quarantining at home, online shopping for goods, services and entertainment has become the new normal for many. A recent analysis of our own data has shown that average transaction volumes in the retail sector in March rose 74 percent compared to the same period last year.
Global Fraud Landscape Evolving Quicker Than Ever – What Banks Need to Know
In the fraud prevention and cybercrime world, we often talk about fraudsters as the ultimate opportunists – looking for any weakness in a system that can be exploited. In recent years, as technological systems have advanced, fraudsters have increasingly turned to ”social engineering” to achieve their goals. Basically, hacking the person rather than hacking the system, as humans become the weakest link in the chain.
Predicciones de fraude para el 2020: Qué esperar con la rápida evolución del panorama de pagos en América Latina
La industria de pagos en América Latina está experimentando diversos cambios en varios segmentos a medida que la población de la región está cada vez más bancarizada y comienza a usar pagos electrónicos. Aunque el efectivo sigue siendo la forma de pago dominante, los gobiernos han impulsado los pagos electrónicos a través de la regulación. Esto ha asegurado que la aceptación y el crecimiento del pago con tarjeta hayan aumentado constantemente, han aparecido bancos digitales en diferentes países y el comercio electrónico ha aumentado significativamente.
Previsões para fraudes em 2020: O que esperar com o cenário de pagamentos em rápida evolução na América Latina
As violações de dados que envolvem dados de pagamento dobraram no ano passado por várias razões - falta de inovação em segurança, prioridades corporativas equivocadas e fraquezas nos portais de desenvolvedores, para citar alguns.
9 Holiday Preparedness Tips to Stay Protected from Fraud in 2019
The hustle and bustle of the holiday season often makes it difficult to prioritize consumer safety, especially when it comes to eCommerce and mobile devices. But with the growing threat of identity theft and other security concerns, it’s more important than ever to stay on top of consumer protection. After all, brand reputation and trust can take years to build, but all can be lost in a matter of minutes.
How to Survive Black Friday and Cyber Monday… and Provide a Great Consumer Experience
As Black Friday and Cyber Monday approach, shoppers and merchants alike await amazing deals and a welcome boost in sales, respectively. I took a moment to speak with two of ACI’s merchant payments and fraud experts, Andrew Marshman (merchant payments lead, Europe) and Erika Dietrich (VP, Global Fraud Prevention Risk Services) about what merchants need to know as they head forth into one of the biggest shopping seasons of the year.
Strong Customer Authentication in Australia: Reducing CNP Fraud and Streamlining eCommerce Payments
Minimizing fraud without harming the customer experience can be done – using the right tools
In 2017-18, card-not-present (CNP) fraud cost Australian eCommerce AUD $478 million and accounted for some 85 percent of all fraud on Australian-issued cards1. In 2016, CNP fraud in Europe represented 70% of all card fraud2. Seriously uncomfortable numbers.
2020 Fraud Predictions: What to Expect Across the Globe as Cybercrime Evolves
Our payment experts take stock of the trends that shaped 2019 and make their predictions for where they see the industry heading in 2020.
I sat down with our own fraud experts, Marc Trepanier, principal fraud consultant for North America, and Giselle Lindley, principal fraud consultant for APAC, to get their thoughts on what we can expect in the year ahead around payments fraud.