The EBA’s Regulatory Technical Standards Provide the “How” to PSD2’s “What”
February 2017 saw the release of the long-awaited draft regulatory technical standards (RTS) for strong customer authentication (SCA) from the European Banking Authority (EBA). The RTS defines the technical framework for the implementation of PSD2 with primary focus on SCA, and common and secure connection (CSC). In short, we could say that PSD2 covers the “what” aspect of the regulation whereas the RTS defines the “how” this is to be done.
Function over form? European Commission amendments to RTS for SCA
In June, the commission suggested several amendments to the RTS that addressed concerns around the auditing of transaction risk analysis and the addition of a new exemption from SCA for certain corporate payment processes. The amendments also proposed direct access for the EBA to fraud reports from PSPs in addition to aggregated data provided by competent authorities (national financial regulators). Finally, as an additional safeguard for third-party payment service providers (TPPs), the revisions clarified that should the unavailability or inadequate performance of the dedicated communication interface occur, banks would be expected to offer secure communication through user-facing interfaces as a contingency measure.
The final text of the RTS was confirmed on November 27 and submitted to the European Parliament for deliberation before being published in the Official Journal of the European Union. Scrutiny will begin in earnest in February 2018 and could last between three and six months. With PSD2 on its way in January, the European Commission has confirmed that the deadline for compliance with the RTS will actually be September 2019.
The ratification process up to this point has consisted of a fine balancing act between functional and non-functional requirements, with all parties trying to find a compromise position on the RTS. Depending on which side of the aisle you sit, be it incumbent (banks), TPPs or merchants, there are inevitably good and not-so-good things in the RTS. However, this notion of non-functional requirements (NFRs) is well established in software development and forms the backbone of common standards around which the final RTS rests.
Finding common ground on non-functional requirements
Non-functional requirements of a payments system typically include system performance, availability and security. For a banking application, a major non-functional requirement is availability of the application 24/7 with zero downtime. Hardening systems, adding redundancy and resilience and, above all, adding security are all NFRs on which the commission and the EBA have been striving to find common ground.
The security measures outlined in the RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition.” The RTS introduces requirements that payment service providers (PSPs) “must” observe when they process payments or provide payment-related services. In the context of competition and innovation, the RTS covers two new types of services: the so-called payment initiation services and the account information services.
The commission says it made some “limited substantive amendments” to the draft RTS submitted by the EBA. This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties.”
PSD2: A quick recap
Looking back at the original brief of PSD2 which set out the framework for the RTS, it is important to remember the main tenets of the directive.
The implementation of PSD2 is intended to make it easier, faster and less expensive for consumers to pay for goods and services by promoting innovation (especially by third-party providers), enhancing payments security and standardizing payment systems across Europe. PSD2 uses three mechanisms to achieve this:
- First, it expands the regulatory purview of the European Union to include new kinds of providers, such as payments initiation and account information services.
- Second, it imposes limitations on transaction fees and stricter rules on refunds to lower transaction costs for consumers.
- Third, and the most disruptive, it requires European banks to open their payments infrastructure and customer data to third-party providers of financial services.
This last mechanism has arguably been the most contentious and the amendments from the commission go some way to easing the burden on corporate players at the very least with regard to direct access. TPPs will be granted consented access to customer information through the banks’ infrastructure to deliver new value-added services.
Ensuring European payment mechanisms are fit for purpose
To enable bank account access (often referred to as payments initiation and account information services, or XS2A for short), banks are required to offer a communication interface for TPP requests. This TPP interface should have the same functionality and deliver the same level of support as for customers transacting directly with their bank. The EBA has suggested the use of ISO 20022 as a potential candidate for the interface format, but the RTS does not provide any prescriptive guidance on how exactly XS2A is to be implemented.
Thankfully, individual country regulators have been issuing implementation and compliance guidelines for a few weeks now, so the need to “interpret” the new regulations has been lessened somewhat. Regardless of the adoption challenges ahead, PSD2, and the RTS in particular, are sorely needed to ensure that European payment mechanisms are fit for purpose for the coming decade.