Strong Customer Authentication (SCA) has proven to be a hugely controversial issue in the implementation of the Second Payment Services Directive (PSD2). We have all become accustomed to the ease of making on-line purchases. However, there are obvious tensions between the ease of on-line payments and security concerns.
PSD2 introduces strict new mandatory requirements around electronic banking and payments. When making on-line purchases or accessing on-line accounts, consumers will, according to current proposals, need to complete a two-stage authentication process. Whilst these new requirements address security concerns, they will mean that on-line transactions will be less straightforward.
Requirements around SCA are set out in Article 97 of the Directive and the European Banking Authority (EBA) has been consulting on Regulatory Technical Standards (RTS) which give effect to the Directive's requirement that payment service providers apply SCA. The question that has arisen is whether the EBA's draft RTS strike the right balance. In particular, many providers currently take a risk-based approach in determining whether to apply authentication to particular transactions and do not apply SCA for all transactions. The RTS approach of mandating SCA would have the effect of removing payment services providers' ability to take a risk-based approach and require SCA to be applied in all cases other than those within the scope of limited exemptions.
These additional obligations are being introduced in a liability environment in which payment services providers will continue to be liable for unauthorised transactions, so the consumer detriment being addressed is not clear. Accordingly, the present proposals, whilst welcome from the perspective of addressing growing fraud and cyber-crime risks, appear to strike the wrong balance in this innovative industry.
On 29 November 2016, the EU Parliament's Economic and Monetary Affairs Committee (ECON) held scrutiny hearings at which the EBA reported on its mandates to develop technical standards under PSD2, where progress generally is likely to be delayed due to resourcing constraints.
At centre stage were the technical standards on SCA and secure communications. Reflecting the controversy over this measure, the EBA Chairman, referring to receipt of over 260 distinct concerns or requests for clarification, explained to the Committee that difficult trade-offs between competing demands had been necessary. The EBA, however, affirmed that it is prepared to listen and make changes if appropriate.
Strong Customer Authentication - Key Points
- Responds to the growth in online payments accompanied by a rising risk of fraud and loss.
- Builds on Strong Customer Authentication in the EBA's December 2014 Guidelines on the Security of Internet Payments.
- Sees conflicting requirements of security and customer ease of use.
- Innovation suggests setting security standards at a high level to allow for the development of industry solutions, which may conflict with the detailed requirements necessary for the creation of a Single Market for payments.
- Reduces the use of Risk Based Authentication to reduce fraud.
- Timing gap between entry into force of PSD2 and technical standards for Strong Customer Authentication.
- Extends authentication requirements to transactions outside the EU, given the extension in scope of PSD2 to one-leg transactions.
This briefing provides an update on SCA and considers the issues in play and their likely impact.
The EBA's current draft RTS could be regarded as a backwards step in customers' payment experience, acting as a disincentive to customers carrying out purchases. Exemptions from SCA are limited and retailers are unable to choose to take on payment risk to facilitate ease of payment. In this respect, technologies such as Risk Based Authentication (RBA) will not be available.
The EBA believes that RBA complements SCA and should not replace it. In contrast, an industry grouping advocates a specific exemption based on the "risk of the service provided" and also allowing retailers and their PSPs to adopt alternative methods of authentication for low-risk transactions given that under PSD2 the customer will always be protected unless there has been fraud on their part.
One of the challenges of SCA is the requirement in the draft standards that electronic remote payment transactions need to have a separate authentication window or card reader. For example, authentication within the same app used to initiate the payment will not be permitted. Technologies such as 3-D Secure (used by major card issuers), which requires entry by the customer of a password on their issuer's page may, however, be adaptable and help alleviate these obstacles.
As for the regulation under PSD2 of payment initiation and account information services, there are concerns about the communication standards between them and with account providers and other PSPs. The use of a so-called "dedicated interface" may put too much power in the hands of the account providers, and additionally, there are currently no designated e-IDAS trust service providers to authenticate PSPs, although this may change in the two years before the RTS are expected to take effect. As to whether access for third parties should be through the interface used by customers with their account provider or a "dedicated" interface, the EBA has said it would like to hear further views.
Incumbent banks and those other PSPs that provide customers with credit transfers (as opposed to card issuers) may benefit from the fact that making payment by card may become less straightforward because of SCA. Many UK account providers already require separate authentication. The EBA has, nonetheless, committed itself to consider the concerns expressed over exemptions to the monetary thresholds and whether the standards achieve the right balance between security and customer convenience.
Strong Customer Authentication: The Objective
There has been tremendous growth in online payments over recent years accompanied by a rising risk of fraud and loss. According to Payments UK, the use of online banking or mobile banking rose in 2015, with over two-thirds of adults regularly using online banking and a third using mobile banking. The provisions in the current Payment Services Directive with its focus on credit transfers, direct debits and card payments at the point of sale are no longer considered adequate in this regard.
In December 2014, the EBA issued new Guidelines on the Security of Internet Payments addressed to national supervisors and firms with a view to improving the position, pending more radical change. To date, the Financial Conduct Authority has chosen not to apply the Guidelines in the UK, preferring to wait until implementation of the security measures in PSD2.
Under PSD2 all PSPs will need to increase online transaction security. SCA must be used and this is defined in the Directive as a means of authentication based on the use of two or more elements:
- Knowledge - something only the user knows (e.g., a password or PIN)
- Possession - something only the user holds (e.g., a card or a token)
- Inherence - something only the user is (e.g., a fingerprint or voice recognition)
The rationale is that the breach of one element should not compromise the reliability of the others, and authentication will be designed to protect the confidentiality of customers' personalised security credentials (PSCs).
PSPs must use SCA where customers access a payment account online, initiate an electronic payment transaction, or "carry out any action, through a remote channel which may imply a risk of payment fraud or other abuses." Moreover, "remote" online payment transactions (i.e., payments over the internet and by smartphone) will be subject to further steps and will have to "dynamically link" the transaction to a specific amount and to a specific payee. Although the draft RTS provide exemptions for low value transactions, including contactless payments at the point of sale, PSPs may find implementing the requirements of SCA (in their current form) challenging and might encounter customer resistance. Where, however, a PSP fails to use SCA, the customer (or payment service user) will not bear any financial loss unless they have acted fraudulently.
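The two-element requirement and the "dynamic linking" of a remote payment to its amount and payee, shown as an added illustration rather than code from this briefing, the EBA or any PSP: a device-held secret (possession) and a PIN (knowledge) are combined into one key, and the authentication code that key produces covers the amount, currency and payee, so a code captured for one transaction does not verify for a different one. The key-derivation scheme, the per-attempt nonce and all sample values are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_minor: int  # amount in minor units (e.g. pence), never a float
    currency: str
    payee: str         # payee identifier, e.g. an IBAN


def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Combine a possession element (secret held on the customer's device) with a
    knowledge element (PIN) into one HMAC key. Hypothetical scheme: PBKDF2 over the
    PIN salted with the device secret, so neither element alone yields the key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 50_000)


def link_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Authentication code dynamically linked to amount, currency and payee.
    The nonce (issued by the PSP per attempt) stops replay of an earlier code."""
    msg = f"{tx.amount_minor}|{tx.currency}|{tx.payee}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """PSP-side check: recompute the code for the transaction actually being executed."""
    return hmac.compare_digest(link_code(key, tx, nonce), code)


def demo() -> dict:
    # Constructed sample values; a real deployment would provision the device
    # secret at enrolment and generate a fresh nonce for every attempt.
    device_secret = b"constructed-device-secret-0001"
    nonce = bytes.fromhex("a1b2c3d4e5f60718")
    tx = Transaction(amount_minor=1250, currency="GBP", payee="GB00TEST00000012345678")
    key = derive_key(device_secret, pin="4711")
    code = link_code(key, tx, nonce)  # what the customer's device would send
    tampered_amount = Transaction(tx.amount_minor + 1, tx.currency, tx.payee)
    tampered_payee = Transaction(tx.amount_minor, tx.currency, "GB00TEST00000087654321")
    return {
        "genuine": verify(key, tx, nonce, code),
        "amount_changed": verify(key, tampered_amount, nonce, code),
        "payee_changed": verify(key, tampered_payee, nonce, code),
        "wrong_pin": verify(derive_key(device_secret, "0000"), tx, nonce, code),
        "wrong_device": verify(derive_key(b"other-device", "4711"), tx, nonce, code),
        "replayed_nonce": verify(key, tx, bytes(8), code),
    }
```

Only the genuine entry verifies; every altered amount, payee, element or nonce is rejected, which is the property the RTS' dynamic-linking requirement is after.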
PSD2 allows for the EBA, working with the European Central Bank (ECB), to develop exemptions based on the following criteria:
- the level of risk involved in the service provided;
- the amount, the recurrence of the transaction, or both; and
- the payment channel used for the execution of the transaction.
The EBA is also charged with developing the requirements for common and secure open standards of communication between account providers, payment initiation and account information service providers, that are necessary for them to operate. An account provider will have to allow the new service providers to rely on its authentication procedures with its customer.
In August 2016, the EBA published a consultation paper on the draft RTS specifying the requirements for SCA and common and secure communication under PSD2. This was open to consultation with a public hearing on 23 September 2016 and closed on 12 October 2016. PSD2 requires the EBA to submit draft standards to the European Commission for adoption by 13 January 2017 after which the EU Parliament and Council of Europe will have three months to object. Given the amount of feedback received to the consultation and the EBA's commitment to provide a detailed response, the draft RTS is not now expected to be submitted until mid February or March 2017.
In any event, PSD2 provides that the obligation to use SCA applies 18 months after the entry into force of the RTS. This is likely to be in autumn 2018, more than six months after PSD2 takes effect. In the meantime, to provide PSPs with a reference point, in addition to the EBA's Guidelines, there are also the Recommendations for the Security of Payment Account Services and Mobile Payments published by the ECB.
Draft Technical Standards on Strong Customer Authentication
The authentication requirements in the RTS have been drafted at a high level rather than being overly granular. This is to ensure that they are technology and business-model neutral, so as to cater for new security threats and the development over time of solutions to counter them. This approach reflects the EBA's mandate under PSD2, which provides for:
- an appropriate level of security through the use of effective and risk-based requirements;
- the safety of customers' funds and personal data;
- fair competition;
- technology and business-model neutrality; and
- the development of user-friendly, accessible and innovative means of payment.
We set out below a non-exhaustive summary of the key provisions in the current draft RTS together with comments and observations. Click here to view table.
As part of your preparation for implementation of PSD2 and SCA you should consider amongst other matters:
- carrying out a gap analysis of current security policy, the EBA's 2014 Guidelines (if relevant), and the draft SCA RTS;
- reviewing the impact of SCA and the application of the new exemptions to the different payment channels you offer;
- more particularly, where you use RBA, the impact, and (if applicable), what changes might be required to the use of 3-D Secure technology;
- in the context of your security objectives and risk appetite, review whether there are any mitigating steps available in respect of the SCA requirements such as strategies to bring the amount of payments within exemption thresholds or the increased innovative use of direct debits;
- whether you comply with ISO 20022 in respect of account provider communication interfaces and similarly, website authentication under e-IDAS; and
- review potential amendments to framework contracts with customers and/or other terms and conditions.