The EBA’s Regulatory Technical Standards Provide the “How” to PSD2’s “What”
February 2017 saw the release of the long-awaited draft regulatory technical standards (RTS) for strong customer authentication (SCA) from the European Banking Authority (EBA). The RTS defines the technical framework for the implementation of PSD2, with a primary focus on SCA and on common and secure communication (CSC). In short, PSD2 covers the “what” of the regulation, whereas the RTS defines “how” it is to be done.
Function over form? European Commission amendments to RTS for SCA
In June, the commission suggested several amendments to the RTS that addressed concerns around the auditing of transaction risk analysis and the addition of a new exemption from SCA for certain corporate payment processes. The amendments also proposed direct access for the EBA to fraud reports from PSPs in addition to aggregated data provided by competent authorities (national financial regulators). Finally, as an additional safeguard for third-party payment service providers (TPPs), the revisions clarified that should the unavailability or inadequate performance of the dedicated communication interface occur, banks would be expected to offer secure communication through user-facing interfaces as a contingency measure.
The final text of the RTS was confirmed on November 27 and submitted to the European Parliament for deliberation before being published in the Official Journal of the European Union. Scrutiny will begin in earnest in February 2018 and could last between three and six months. With PSD2 on its way in January, the European Commission has confirmed that the deadline for compliance with the RTS will actually fall in September 2019.
The ratification process up to this point has been a fine balancing act between functional and non-functional requirements, with all parties trying to find a compromise position on the RTS. Depending on which side of the aisle you sit on, be it incumbent (banks), TPPs or merchants, there are inevitably good and not-so-good things in the RTS. However, the notion of non-functional requirements (NFRs) is well established in software development and forms the backbone of the common standards on which the final RTS rests.
Finding common ground on non-functional requirements
Non-functional requirements of a payments system typically include system performance, availability and security. For a banking application, a major non-functional requirement is 24/7 availability with zero downtime. Hardening systems, adding redundancy and resilience and, above all, adding security are all NFRs on which the commission and the EBA have been striving to find common ground.
The security measures outlined in the RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition.” The RTS introduces requirements that payment service providers (PSPs) “must” observe when they process payments or provide payment-related services. In the context of competition and innovation, the RTS covers two new types of services: the “so-called payment initiation services” and the account information services.
The commission says it made some “limited substantive amendments” to the draft RTS submitted by the EBA. This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.”
PSD2: A quick recap
Looking back at the original brief of PSD2 which set out the framework for the RTS, it is important to remember the main tenets of the directive.
The implementation of PSD2 is intended to make it easier, faster and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payments security and standardizing payment systems across Europe. PSD2 uses three mechanisms to achieve this:
- First, it expands the regulatory purview of the European Union to include new kinds of providers, such as payments initiation and account information services.
- Second, it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers.
- Third, and the most disruptive, it requires European banks to open their payments infrastructure and customer data to third-party providers of financial services.
This last mechanism has arguably been the most contentious, and the amendments from the commission go some way to easing the burden on corporate players, at the very least with regard to direct access. TPPs will be granted consented access to customer information through the banks’ infrastructure in order to deliver new value-added services.
Ensuring European payment mechanisms are fit for purpose
To enable bank account access (often referred to as payment initiation and account information services, or XS2A for short), banks are required to offer a communication interface for TPP requests. This TPP interface must offer the same functionality and deliver the same level of support as customers receive when transacting directly with their bank. The EBA has suggested ISO 20022 as a potential candidate for the interface format, but the RTS does not provide any prescriptive guidance on how exactly XS2A is to be implemented.
Thankfully, individual country regulators have been issuing implementation and compliance-handling guidelines for a few weeks now, so the need to “interpret” the new regulations has lessened somewhat. Regardless of the adoption challenges ahead, PSD2, and the RTS in particular, are sorely needed to ensure that European payment mechanisms are fit for purpose for the coming decade.