Payments security: do the EBA RTS on strong customer authentication create an open and secure market for retail payments in Europe?

Speakers: Kersemakers Silvia, Brien Pascale-Marie, Hönisch Matthias, Mohan-Satta Emma, König Pascal

On the 31st of May, PubAffairs Bruxelles hosted a debate on the recently published EBA Regulatory Technical Standards on Strong Customer Authentication and their ability to provide an open and secure market for retail payments. Ms Silvia Kersemakers, Policy Officer, Retail Financial Services and Payments, European Commission, Ms Pascale-Marie Brien, Senior Policy Advisor, European Banking Federation, Mr Matthias Hönisch, Head of Card Business, National Federation of Cooperative Banks, and Ms Emma Mohan-Satta, Fraud Prevention Consultant, Kaspersky Fraud Prevention, spoke at the event. Mr Pascal König, Policy Advisor, E-Commerce Europe, provided a closing statement. The debate was moderated by John Rega, Chief Correspondent at Mlex.

Ms Emma Mohan-Satta provided an introductory speech in which she discussed the evolution from the first Payment Services Directive, which provided common rules on payments in the EU, to the adoption of the second Payment Services Directive (PSD2) in 2015 and the aims of the legislation. Ms Mohan-Satta went on to discuss the mandates that the PSD2 bestowed upon the European Banking Authority (EBA), more specifically the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA), which were requested from the EBA by the European Commission. She added that the concept of strong customer authentication in the RTS is centred on the factors of knowledge, possession, and inherence. Furthermore, she stated that business stakeholders are trying to understand how to incorporate these factors in a secure environment, whilst also trying to determine when the RTS' exemptions are applicable. Ms Mohan-Satta touched upon the existence of fraud in relation to payments and stressed that all stakeholders should be aware of the range of fraud attacks. She revealed that Kaspersky Lab's approach to secure payments and fraud is based on protecting user devices as well as analysing the environment in which the devices are operating, and on taking a forward-looking approach to cyber intelligence. She concluded by stating that the approach to secure payments should keep a perspective on the current digital transformation in the payments environment, and that businesses should find a balanced approach between their internal processes and what their customers expect of them.

Following the introductory speech, John Rega introduced the speakers and, as a first point of discussion, asked them whether the RTS will achieve their aim of providing an open and secure payments market.

Ms Kersemakers began her intervention by reminding the audience that the PSD2 introduces the principle of Strong Customer Authentication in order to secure payments in all possible payment services covered by the PSD2. She further clarified that the PSD2 introduces a second element of security concerning electronic remote payment transactions, to ensure that these are operated in a safe environment, and stressed that it is important to look at the entire system in order to maintain secure payments. On the RTS, she stated that they are aimed at defining the Strong Customer Authentication that is required from payment service providers, as well as raising the overall security of the entire payment environment. The exemptions, she added, should apply to situations where a much lower risk of fraud exists, though they do not exempt payment service providers from the general obligation of carefully monitoring all transactions. The monitoring should be much more detailed and based on real-time analysis when the transaction risk analysis exemption is used. She believed that the data gathered from such monitoring mechanisms would help to determine whether a review of, and amendments to, the RTS are necessary in 18 months. Ms Brien agreed with Ms Kersemakers and added that the latest EBA proposal on the RTS would be the best compromise achievable between business continuity, customer convenience and security. She further reminded the audience of the importance of tackling non-chip card fraud taking place outside the EU, but felt that the current EBA proposal would maintain a high level of security in Europe. Mr Hönisch also agreed that the latest draft was a good compromise, as he thought it was important to maintain both ease of use and security, which the draft RTS achieved. He further added that banks should see the benefits of the PSD2 as well as of the involvement of third-party payment service providers (TPPPs), as it could alleviate the burdens and responsibilities that banks have towards customers. He concluded by stating that, from a bank's point of view, he was optimistic about the possibilities provided by the PSD2, but added that banks will require an assurance that the oversight of TPPPs in the EU is correctly implemented and functions properly.

A second point of discussion concerned whether the RTS on SCA would achieve an adequate level of customer convenience.

Ms Mohan-Satta believed the RTS have the potential to improve customer convenience, as they give payment service providers room to innovate on how they will authenticate their customers. However, she felt that customer convenience would really depend on how payment service providers plan to implement the RTS on SCA. In this regard, she added that the attitude towards secure payments and Strong Customer Authentication would differ considerably between payment service providers, as well as between markets. Mr Hönisch intervened by stating that it was important to manage customer expectations with regard to achieving a high level of both customer convenience and security. He clarified that in order to achieve a high level of security in convenient authentication processes, such as biometrics, substantial investments in security would be required. Ms Kersemakers was of the opinion that the EBA had managed to achieve a good balance between customer convenience and security, and stated that the European Commission would not amend the RTS when it comes to customer convenience. She further added that it was up to the market to grasp the opportunity to innovate and find an adequate balance between security and consumer convenience, whilst still being compliant with the RTS. She concluded her intervention by stating that the customer experience would have an impact on the implementation of SCA by the market. Ms Brien felt that the PSD2 contained a trigger that allowed customers to become the focal point of payment services, specifically as customers appeared to be willing to change service providers on the basis of convenience. However, she also stressed that adequate security was necessary to attract and retain customers. She concluded by stating that service providers, and specifically banks, would have to put customers at the centre of their innovation processes and ensure considerable customer convenience, as the rise of FinTech indicated.

A third point of discussion related to the RTS' approach to secure communication between banks and third-party payment service providers.

Ms Brien was of the opinion that the RTS and the PSD2 would be successful only if business stakeholders cooperated and worked together. As an example she mentioned the need for the RTS' secure communication standards to cover the case in which TPPPs access the customer-facing interface should the interface between the bank and the TPPP not function properly. She concluded by stating that customers should be in control of who has access to their financial data. Ms Kersemakers clarified that the RTS do regulate secure communication channels between banks and TPPPs, and that banks are required to design the communication interfaces so as to maintain control. She agreed that TPPPs should not access information that they do not need, but only the data that are necessary to provide the requested service, in accordance with the principle established by the General Data Protection Regulation (GDPR). However, she stated that the European Commission's amendments to the RTS will require banks that opt for a dedicated interface to design contingency solutions for situations in which that interface does not work properly. She concluded her intervention by stating that the main challenges will be to ensure that all parties involved respect the principles and requirements established by the GDPR, and that banks are sufficiently cooperative with new payment service providers. Mr Hönisch stated that certain dedicated communication interfaces could raise questions with regard to the proper identification of TPPPs. He clarified that without proper identification, banks could be held liable for payments that were not executed or were executed improperly, potentially creating huge financial burdens for banks. He further mentioned the Berlin Group as a bank-led initiative that will discuss and agree on a standardised bank PSD2 interface. Ms Mohan-Satta was of the opinion that it was in both sides' interest to establish a secure communication interface, as a flawless and user-friendly payment system is what consumers would expect.

The final part of the event provided Mr König an opportunity to give a closing statement and to address some of the issues raised during the course of the debate.

Mr König began his speech by stating that online merchants were happy with the existence of the PSD2, but were concerned with the implications of Strong Customer Authentication and the current application of a risk-based approach. Specifically, E-Commerce Europe is of the opinion that, while both the customer's and the merchant's payment service providers can qualify for the application of a risk-based approach, only the customer's payment service provider will have a say on its final application. Mr König clarified that this is problematic, as online merchants and their Payment Service Provider, who often have more information with which to analyse the potential fraud risk of a customer, have no say on whether the customer will have to undergo Strong Customer Authentication. Based on the text of the RTS, the application of Strong Customer Authentication rests solely with the customer's Payment Service Provider, which often has no economic incentive to take on any possible risk from the application of Transaction Risk Analysis. Furthermore, he added that both the Reference Fraud Rates which a Payment Service Provider needs to attain in order to qualify for the exemption from Strong Customer Authentication and the monetary thresholds laid out in the RTS are not in line with market realities, and do not take into consideration the various levels of fraud existing in different Member States and e-commerce sectors. In their current form, almost any transaction above a €100 monetary threshold would have to undergo Strong Customer Authentication. In the view of the e-commerce sector this is unacceptable: it does little to address the issue of fraud and only puts European online merchants at a greater disadvantage to their brick-and-mortar and global competitors. Mr König concluded by stating that the current form of the RTS placed too much emphasis on security and the protection of banks, rather than on the convenience of customers.

The Q&A session also covered the following issues: listing of trusted beneficiaries, enforcement, B2B relationships, corporate payments, fraud levels, next steps in the market place, compliance by web-shops, and sources of fraud statistics.

Do you want to go further into the issues discussed in our debate? Check our list of selected sources which we have provided for you!

Payment services Directive PSD2 | European Commission

EBA publishes final technical standards on valuation in resolution | European Banking Authority (EBA)

European Banking Authority (EBA) | Correspondence with EU institutions

Developing Europe’s payment landscape | European Central Bank (ECB)

Payment disruptors set to get easier access to bank-account information under EU plan | Mlex Market Insight

Countdown to PSD2: Towards a level playing field | Lexology

Embracing open banking PSD2 | The International Banker

Banking association calls for end of ‘screen-scraping’ | The Register

Commission must act now or add major payment obstacles for EU online merchants facing global competition | E-commerce Europe

Fraud Prevention | Kaspersky Lab