A cross-industry letter signed by 39 European and national organisations in the payments value chain has hit out at European Banking Authority (EBA) plans to toughen up authentication rules for online transactions under the revised Payment Services Directive (PSD2). The EBA’s proposals to mandate tighter authentication for transactions over EUR10 have rung alarm bells with industry practitioners, who claim that the new rules will lead to more declined transactions and abandoned purchases as customers are forced to conduct additional security checks at the checkout.
The letter to European Commission vice president Valdis Dombrovskis has been signed by a broad swathe of industry practitioners representing the payments, cards, e-commerce, small merchants, ICT and digital technology, telecoms, foreign trade, and leisure and travel industries.
It highlights a potentially „chilling effect on the digital single market” of the prescriptive rules, and instead calls for a more flexible risk-based approach to securing individual transactions.
„We believe that the EBA diverges from its mandate under the PSD2 by not allowing for the risk-based approach to authenticate customers and authorize transactions to avoid fraud,” the letter says.
„We are fully aligned with regulatory objectives to reduce fraud to the lowest possible level which is in the interest of all parties in the payments chain,” the letter states. „Our concern is that by choosing a very blunt approach and disregarding some of the highly innovative approaches to authentication and risk management – which are already demonstrably working in the market – this goal will not be achieved and the consequences will be highly disruptive.”
Currently, the EBA is taking a more prescriptive approach by mandating strong authentication for all remote payment transactions over 10 euros, regardless of their risk. Strong authentication is a process which typically requires the customer to authenticate a payment by using two elements, for instance by utilizing additional codes generated through their card reader or received on their mobile device. Strong authentication may make sense for some payments which have a higher transactional risk.
„However, for low-risk transactions (which are not necessarily low value), strong authentication introduces disproportionate and unnecessary friction to the customer shopping experience. This will make online shopping much more onerous than it is today and have a wider and chilling effect on the DSM. It will have a negative impact upon a wide variety of industries, in particular SMEs, FinTech and other start-ups. At the same time, it will not improve overall security.”
„Institutionalizing a single method of authentication over many different and innovative ways of authenticating the customer will potentially make transactions more prone to fraud as fraudsters are more likely to effectively target rigid rules that do not evolve quickly. Moreover, European PSPs may be forced to decline payments by European customers on foreign websites which do not offer strong authentication. This will result in an increase in consumer harm by reducing customer trust in their payment methods, the choices open to them and restricting competition,” according to the document.
„The trends we had noticed before the pandemic began accelerated during the state of emergency. We saw this as an opportunity, a tipping point for the bank. Post-pandemic, there is no way we can go back to the financial behaviour we had until February of this year. Romanians' relationship with the online world has changed. In addition, the physical card will dematerialize. We will see a drop in demand for physical cards and, correspondingly, a rise in preference for their digital component.”