PSD2: EBA publishes final draft RTS on strong customer authentication and common and secure open standards of communication

01/03/2017 Clifford Chance

The EBA has published its final draft regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure open standards of communication (CSC) under Article 98 of the recast Payment Services Directive (PSD2).

 

The RTS are intended to foster an open and secure market in retail payments in the EU and specify requirements for:

  • SCA and exemptions;
  • security measures to protect the confidentiality and the integrity of the payment service users' personalised security credentials; and
  • requirements for CSC between account servicing payment service providers (ASPSPs), payment initiation service providers (PISPs), account information service providers (AISPs), payers, payees and other payment service providers (PSPs).

Alongside the final draft RTS, the final report includes a feedback table setting out details of the responses received to the EBA's consultation on the draft RTS, which was published in August 2016. The EBA, in close collaboration with the European Central Bank (ECB), identified more than 300 distinct concerns or requests for clarifications, a small subset of which appeared to be the key issues for respondents, relating to:

  • the scope and technologically-neutral requirements of the draft RTS;
  • the exemptions, including scope, thresholds and the request of many respondents to add an exemption for transactions identified as low risk as a result of what some respondents referred to as 'transaction-risk analysis' (TRA); and
  • the access to payment accounts by third party providers and the requirements around the information communicated.

Among other things, the final draft RTS reflect the EBA's decisions to:

  • introduce two new exemptions;
  • increase the threshold for remote payment transactions;
  • remove references to ISO 27001, to ensure technological neutrality;
  • maintain the obligation for ASPSPs to offer at least one interface for AISPs and PISPs; and
  • require ASPSPs that use a dedicated interface to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.

The RTS will be submitted to the EU Commission and will apply 18 months after publication in the Official Journal.