Over the last couple of weeks the media agenda has been dominated by Payment Services Directive Two (PSD2), and unfortunately not for the right reasons. PSD2 has always been a controversial regulation, but the debate has now heated up, and the European Banking Association’s (EBA) Regulatory Technical Standards (RTS) draft and the EBA Chairman’s statement have come under scrutiny.
Several organisations, including industry heavyweights such as Visa, have spoken out. They argue that the RTS imposes strong customer authentication (SCA) in a way that would severely damage businesses. Regarding SCA, Visa has said that “if confirmed, [the SCA] will cause 'inconvenience ... with no benefits for consumers', and is 'a significant threat to future innovation and Europe's future growth'". Many payment service providers operate a risk-based approach to authentication, designed to prevent fraud without putting off valuable customers. Under the new rule they will be forced to deploy two-factor authentication, which can often be onerous, resulting, they argue, in devastating effects on their businesses and the merchants they serve. One-click checkouts would become a thing of the past; you can understand their concern.
The debate turns firstly on whether the EBA interpreted PSD2 incorrectly, and then on whether its exemptions are complete and fair. This is specifically with regard to strong customer authentication.
The crux of the argument centres on whether the PSD2 text allows SCA to be avoided if compensated for by a risk-based approach under the list of exemptions.
The interpretation and exemptions require further unpacking to understand where the industry stands.
When is two-factor authentication not two-factor authentication?
The directive itself rules out the ability to do single factor authentication or to implement risk-based authentication. Two-factor authentication (or more) is always required as per the definition of SCA in Article 4:
A4. (30) ‘Strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
Article 97 is clear that member states will enforce SCA and it will apply in all the three cases they list. We suspect this is to make this the default rule for the protection of customers, and for the rights of refund elsewhere in the directive to be universally enforceable:
A97 1. Member States shall ensure that a payment service provider applies strong customer authentication where the payer:
(a) Accesses its payment account online
(b) Initiates an electronic payment transaction
(c) Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses
Given this basis, we think the EBA is correct in saying it cannot change the basis, defaults and use cases set by the original directive, which mandate SCA as a minimum.
However, the EBA was granted permission to create exemptions to this in Article 98, so it can decide which current use cases do not have to change. It therefore cannot use the original PSD2 text as a defence for not making the exemptions complete or more properly considered.
Hence the fear from market participants – especially ecommerce players – that they will not be exempt and the likely result will be new costs to implement SCA, a bad user experience, a drop-off in customer conversions and a corresponding loss of revenue.
Is the ECB being negligent on exemptions?
Clearly the directive mandates the use of SCA but we think some petitions are correct in saying that the EBA has not completely fulfilled its mandate in Article 98, specifically in its duties to provide guidance around exemptions, and risk handling:
A98 1(b) The exemptions from the application of Article 97(1), (2) and (3), based on the criteria established in paragraph 3 of this Article;
A98 2. The draft regulatory technical standards referred to in paragraph 1 shall be developed by EBA in order to:
(a) Ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements
A98 3. The exemptions referred to in point (b) of paragraph 1 shall be based on the following criteria:
(a) The level of risk involved in the service provided
(b) The amount, the recurrence of the transaction, or both
(c) The payment channel used for the execution of the transaction
As the exemptions were in the EBA's domain, allowing relaxation of the 'universal default' SCA requirement of PSD2, we think the industry is right to argue that the RTS is too simple or even negligent with regard to the following:
- Any standards or mention of risk tools, techniques or procedures (TTPs): the mandate is to ensure an appropriate level of security for payment service users and payment service providers through the adoption of effective and risk-based requirements, yet no such TTPs are described.
- A differentiation for the level of risk of the service provided: even eIDAS defines assurance levels of low, substantial and high, but the RTS makes no mention of anything comparable.
- The payment channel used for the execution of the transaction: there is individual and confusing differentiation throughout the text within different use cases, but there are no clear and specific call-outs for how SCA should differ for each channel used for payment transactions.
- The amount, the recurrence of the transaction, or both: whilst the amount has been subjectively capped for NFC and online payments respectively, market operators can rightly contest this as subjective and petition for change at the member state derogation level. Additionally, recurrence has been confused with cumulative payment value, which creates a different implementation from the one originally intended.
To SCA or not to SCA: finding a middle ground
The prohibition on single-factor authentication is a mistake within the original Directive which the EBA can't undo. The exemptions that the EBA has set out are in some cases subjective, and still omit key requirements it was mandated to address: notably, any TTPs for "risk-based" and "channel" as the basis of exemptions are missing.
The EBA had the task of creating RTS to exempt use cases from the blanket two-factor authentication for all cases mandated by the original Directive. It has failed to do this. Even if some sort of step-up via risk-based scoring is allowed, the result for anyone in the transaction will only ever be "no SCA" or "full SCA".
Therefore, the EBA can only say "have SCA" or "exempt from SCA", but it gets to choose which use cases to bring forward under "exempt from SCA".
Our view is that member state derogation and changes to the SCA exemption values should be considered per country: the EBA should have stated the minimum exemption for transaction values, and each member state could then choose to raise those limits within its own sphere of competence.
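To make the two points above concrete, here is an added Python sketch (not code from the article or from Icon Solutions) of how a payment service provider's authentication policy might encode them: the Article 4(30) test that presented elements span two or more independent categories, and an Article 98(3) exemption check based on risk level, amount, recurrence and channel that can only ever return "exempt" or "sca". The euro caps, the risk threshold, and the treatment of "independence" as elements not all being bound to the same device are constructed placeholders and assumptions, not the figures or wording of the RTS draft.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA categories of Article 4(30)."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    name: str
    factor: Factor
    bound_to: str  # device/channel the element lives on (assumption used for independence)


def satisfies_sca(elements):
    """Article 4(30) check: two or more elements from distinct categories,
    independent so that breach of one does not compromise the others.
    Independence is approximated here (assumption, not RTS wording) as:
    the elements must not all be bound to a single device, otherwise
    compromise of that device breaks every factor at once."""
    categories = {e.factor for e in elements}
    if len(categories) < 2:
        return False
    devices = {e.bound_to for e in elements}
    return len(devices) >= 2


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    channel: str       # e.g. "contactless" or "online"
    recurring: bool    # repeat of a series the payer already authenticated with SCA
    risk_score: float  # 0.0 (benign) .. 1.0 (likely fraud), from the PSP's own risk engine


# Constructed placeholder caps per channel; NOT the values in the RTS draft.
PLACEHOLDER_CAP_EUR = {"contactless": 25.0, "online": 15.0}
PLACEHOLDER_RISK_THRESHOLD = 0.2


def sca_decision(tx, risk_threshold=PLACEHOLDER_RISK_THRESHOLD):
    """Article 98(3) style exemption check. The outcome is binary:
    ("exempt", reason) or ("sca", reason). A risk score can only
    withhold an exemption; it never buys a 'partial' SCA."""
    if tx.risk_score >= risk_threshold:
        return ("sca", "risk engine flagged the transaction")      # level of risk
    if tx.recurring:
        return ("exempt", "recurrence of an authenticated series")  # recurrence
    cap = PLACEHOLDER_CAP_EUR.get(tx.channel)                       # channel + amount
    if cap is not None and tx.amount_eur <= cap:
        return ("exempt", f"{tx.channel} amount {tx.amount_eur:.2f} within cap {cap:.2f}")
    return ("sca", "no exemption applies")


if __name__ == "__main__":
    # Constructed sample data.
    laptop_password = Element("password", Factor.KNOWLEDGE, "laptop")
    phone_otp = Element("sms_otp", Factor.POSSESSION, "phone")
    phone_password = Element("password", Factor.KNOWLEDGE, "phone")
    print("password on laptop + OTP on phone:", satisfies_sca([laptop_password, phone_otp]))
    print("password and OTP both on the phone:", satisfies_sca([phone_password, phone_otp]))
    for tx in (Transaction(12.0, "contactless", False, 0.05),
               Transaction(500.0, "online", False, 0.05),
               Transaction(12.0, "contactless", False, 0.9),
               Transaction(500.0, "online", True, 0.05)):
        print(tx, "->", sca_decision(tx))
```

The design point is that `sca_decision` never returns anything other than the two outcomes; the risk score only decides whether an exemption is withheld, which is exactly the "no SCA or full SCA" position the article describes.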
With the final RTS now due in Q1 2017, the jury is out on what it will look like in the face of market backlash and no doubt intense lobbying behind the scenes. One thing is for certain – there is a groundswell of support to clarify exemptions that have the potential to destroy businesses, especially during a time of extreme economic turbulence. Ignore at your peril, EBA.
Chris Kong, Senior Consultant, Icon Solutions