Assurance for Delivery

On February 23rd 2017, the European Banking Authority (EBA) announced the final Regulatory Technical Standards (RTS) on secure customer verification and communication. The European Central Bank (ECB) and EBA have been working closely together in order to finalise the RTS under the PSD2 regulation.

The final RTS offers a strong foundation for an open and secure market in retail payments in the European Union zone. The completion of these standards took an intensive 18 months of policy development, collaboration between stakeholders and integration of their differing views.

Drafting the PSD2 Regulatory Technical Standards was not all plain sailing. It has resulted from different trade-offs between various and, at times competing, PSD2 objectives, i.e. facilitating customer convenience, enhancing security, protecting security, as well as contributing to the integration of the European payments market.

The EBA received over 200 reverts on its published Consultation Paper, in which concerns were raised in regards to certain RTS items. The EBA addresses these concerns in a table which supports the RTS, including issues such as the exemptions from the application of strong customer authentication on the basis of risk level, and the amount and recurrence of transactions, as well as the payment channel used for the execution of the transaction.

In line with these concerns, the EBA has also introduced an exemption on transaction risk analyses based on defined fraud levels and on payments at so called ‘unattended terminals’ for transport or parking fares. Moreover, the EBA has also removed previous ISO 27001 references and other specific characteristics on strong customer authentication.

The final RTS draft also addresses the communication channels between different payment service providers. This decision is connected to a part of PSD2 that does not allow the current practice of third party access without identification.

The PSD2 regulation is set to be applied 18 months after adoption of the RTS by the EU Commission.

The original article can be found here.