The European Banking Authority is to relax proposed rules on a requirement for strong customer authentication for all payments under EUR10, after being on the receiving end of a volley of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout. In a speech in London on the EU’s revised Payments Systems Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to EUR30 for remote consumer transactions, although there would be no exemption for corporate payments.
Firms which use ‘transaction risk analysis’ to keep a lid on fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.
The European Banking Authority has been struggling to keep pace with the timetable for the delivery of Regulatory Technical Standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.
„The EBA identified 300 distinct concerns and clarification requests by respondents,” says Enria. „Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft.”
Particular bugbears concern the drafting of standards for strong customer authentication on the one hand, and common open communications between banks and third parties for account access on the other, which Enria says are fostering difficult trade-offs between competing demands.
On the issue of third party access to consumer data, Enria says that the EBA has come to the conclusion that ‘screen-scraping’ will be banned under PSD2, instead shifting the burden to banks to maintain access arrangements.
„In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability,” the conference was told.
Reactions on finextra’s blog:
Lu Zurawski – ACI Worldwide – London: „Having peeked at the speech on the EBA web site, it wasn’t the rise from 10 to 30 EURO that grabs the attention – it is the new exemption from Strong Customer Authentication in the case of „Transaction Risk Analysis” usage. Presumably common sense has prevailed. But it’ll be interesting to see how many permutations of transaction flows and auth methods get spawned as a result.”
Simon Lyons – Cashfac PLC – London: „It needs a layer for the API to hit, a jam jar of funds that minimises the risk to the consumer and the bank. Having watched and mitigated mass account takeover, the only way to protect the consumer and the bank is if minimal funds are allocated to this payment method. A sort of middleware account layer. Otherwise, as Lu says above, it will only be used for coffee and rail tickets, maybe phone top ups.”
Roberto Garavaglia – Independent Management Consultant – Milan:
„I’m afraid the TRA usage will transform the exception into the rule … Anyway, another thing leaves me doubtful about the level-playing-field peace of mind: the current practice of third party access without identification (also called ‘screen scraping’), will no longer be allowed only once the transition period under the PSD2 has elapsed and the RTS applies. What happens meanwhile …?”
Source: finextra.com