The European Commission's revision of the Payment Services Directive (PSD2) comes with a significant set of new requirements for financial institutions with and without a banking licence – and therefore doesn't only have friends.
It all started with the first release of PSD back in 2007, which aimed at simplifying payments and their processing throughout the whole EU, i.e. at providing the legal platform for the Single Euro Payments Area (SEPA). In 2013, the European Commission proposed a revised version of PSD, which aims at opening the financial services market to innovation and new players, making it more transparent, standards-based and more efficient, as well as raising the level of security for customers using these services.
These are the PSD2 requirements:
- Banks have to open their infrastructure to 3rd parties through APIs and give them access to data and payments following the XS2A rule (access to account)
- Strong Customer Authentication (SCA) through the use of Multifactor Authentication (MFA)
- Secure communication through encryption
The European Banking Association (EBA) is currently working on a set of Regulatory Technical Standards (RTS), which will be binding once the final version is published. The current RTS draft takes a principles-based approach, not a risk-based one. It requires a minimum of 2-factor authentication (2FA) using 2 out of 3 possible factor categories (a password, a card or something else you own, biometrics) for any transaction exceeding the value of 10 €. During a hearing last September, EBA made it very clear that every single user has to be protected from fraudulent activity by all means, and it explicitly rejects risk-based approaches, in which authentication is kept as simple for the user as the value of a transaction in relation to an artificially calculated risk of fraud allows. As a consequence, this could mean the end of the credit card and 1-click payments we have been using and enjoying for years now.
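To make the draft rule concrete, here is an added illustration (not code from the article or from EBA) of how a payment service provider might evaluate it: above the 10 € threshold the decision depends only on the amount and on whether the presented credentials cover two independent factor categories, with no risk score that could lower the requirement. The credential-to-category mapping is a constructed assumption for the example.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"   # e.g. password, PIN
    POSSESSION = "something you own"   # e.g. card, phone, hardware token
    INHERENCE = "something you are"    # e.g. fingerprint, face


# Threshold from the draft RTS as described in the article: above 10 EUR, SCA applies.
SCA_THRESHOLD_EUR = 10.0

# Constructed mapping of credential types to factor categories (assumption for this example).
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card": Factor.POSSESSION,
    "otp_app": Factor.POSSESSION,      # code generated on a device the user holds
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def distinct_categories(credentials):
    """Set of independent factor categories covered by the presented credentials.
    Unknown credential types are ignored rather than counted as a factor."""
    return {CREDENTIAL_CATEGORY[c] for c in credentials if c in CREDENTIAL_CATEGORY}


def sca_satisfied(credentials):
    """SCA means 2 of 3 *different* categories: password + PIN is still one factor."""
    return len(distinct_categories(credentials)) >= 2


def authorise(amount_eur, credentials):
    """Principles-based decision: the amount alone decides whether SCA is required.
    Returns (allowed, reason)."""
    if not distinct_categories(credentials):
        return False, "no recognised authentication factor presented"
    if amount_eur <= SCA_THRESHOLD_EUR:
        return True, "at or below threshold, a single factor is acceptable"
    if sca_satisfied(credentials):
        return True, "SCA satisfied"
    return False, "SCA required: 2 of 3 independent factor categories needed"
```

A stored card on its own, the basis of a 1-click payment, passes only at or below the threshold; above it the same request is refused until a second category is presented.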
An impressive number of industry interest groups are now trying to convince the European Commission that the EBA is going beyond common sense and should be guided towards a more reasonable position. Risk-based approaches have been in place for years and work well. According to a recent meeting between EBA and ECB with the Commission's Economic and Monetary Affairs Committee (ECON), a record number of 200+ comments with concerns and requests for clarification have been received, 147 of which have been published in the meantime.
The 3 main items of criticism expressed in these comments are:
- Giving direct access to bank accounts for 3rd parties
- The 10 € limit for transactions without Strong Customer Authentication
- The exceptions from MFA are too tight
The Commission has made clear in the meantime that an unconditional strong authentication requirement without any loopholes is a prerequisite for opening the payment value chain to 3rd parties. We therefore do not expect profound changes in the final RTS compared to the current draft.
What does this mean for current practices, and how do authentication methods need to change so that they comply with PSD2 while still remaining as frictionless as possible for users and open to innovation? This will probably be one of the most urgent questions to be discussed (and solved) in 2017.
Join the discussion at Digital Finance World, March 1-2, 2017 in Frankfurt, Germany!