Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
PSD2 envisions a principles-based regulatory environment which enables competitive innovation, but an approach such as is occasionally visible in this draft, with prescriptive technology or process regulation, will delay innovation and will degrade the market’s capability to support the European Commission’s Digital Agenda and we expect this would lead to noticeable degradation of the consumer payments experience with all the political and economic consequences that would be expected. Recent innovations in e-commerce and m-commerce would almost certainly be rolled back on the basis of the contents of this draft.
We draw attention to the damage that a prescriptive technology regulation, such as South Korea's “Digital Signature Act” of 1999, has led to even in a small market: a legacy of outdated technology, difficulty in cross-border commerce and strategic technology security issues for an entire national economy.
We consider that the EBA should always stay exclusively at the level of defining prescriptive principles around which PSP can build (or outsource) strong customer authentication solutions. We believe in innovation and competition driven innovation. Failing to achieve this purpose will lead to an absolutely uneven market where certain parties already possessing the technology mandated (specifically mentioning Article 6.2 and 6.3) will leverage it to exclude other parties. As referred in objectives (3), (4), (5) and (6) of Directive (EU) 2015/2366 this is exactly the opposite aim of PSD2.
Furthermore, the definition as prescriptive of certain technical solutions that have to be in possession of the accountholder (i.e. mentioning Article 6.2 a device providing a trusted executing environment and mechanisms to detect alterations) may exclude the less affluent accountholders from using their mobile devices (due to the non-compliance fostered by the current piece of regulation). Thus, excluding them de facto from the digital and mobile-based economy; we understand that the legislator and DG COMP aim as promoter of this directive as expressed in principle (6) of Directive (EU) 2015/2366 is to increase reach and inclusion in the European common market.
However, we do not adhere to the principle of independent channels specially when this topic covers Mobile commerce. European society is moving from eCommerce to mCommerce and the usage of mobile devices is larger every day. At the same time, PSPs and ASPSPs are developing to optimize their processes to provide a mobile centric secure and safe purchasing experience making use of the latest technologies to achieve this purpose. The way EBA interprets and provides examples of what is and not possible (Article 2.2.b, Article 6.2 and 6.3) in terms of providing dynamic linking, limits innovation, endangers business model neutrality and is a backward step in user-friendliness. Effectively it clearly goes against the mandate the EBA received as provided in Article 98.2 of Directive (EU) 2015/2366.
Once again, the how “dynamic linking” is implemented is something under the responsibility of PSPs and ASPSPs, the regulator should only provide the principles in which the innovation can be developed not how innovation has to be performed.
Article 3 should also address the risks of “well known questions” to be considered elements categorised as knowledge - we note the enormous scale of breaches of consumer answers to questions such as “what is your favourite colour?” or “what was the name of your first pet?”. This knowledge cannot be made “unknown” after a breach by another provider, and is fundamentally unsuitable for use in such a scheme.
Within Article 6, we strongly object to terms such as “separated trusted execution environments” as a prescriptive regulation. The principle of mechanisms to mitigate the risk of compromise of the multipurpose device is well stated in paragraph 2 of this Article.
A. The mandate received by the EBA as described in Article 98.3 of Directive (EU) 2015/2366 clearly provides guidelines to identify exemptions based on risk, amount, recurrence and payment channel. Article 8 of the present draft does not provide principles or guidelines that can be adapted based on the risk of the PSP or ASPSP but rather defines the risk appetite that the PSP or ASPSP have to have.
B. At the same time, Article 8 of the current draft completely abandons the principle of consumer choice. The current approach is heavily driven by the regulator not allowing consumers to make considered choices about what risks they choose to take. We do not think this approach consistent with principle (5) of Directive (EU) 2015/2366.
C. As mentioned in Article 73 and Article 74.2 of Directive (EU) 2015/2366, the ASPSP is liable for any unauthorized transactions in case SCA is not used, additionally the Payee or PSP will refund those if SCA were not used. The risk appetite should be defined by the party suffering the financial loss and not by an additional piece or regulation, namely the current draft. This is relevant when the current draft in Article 8 sets hard limits for Contactless and remote electronic payments.
D. Article 8 does not take into consideration any risk mitigation measures taken by the PSP of the Merchant, the Merchant itself or even the ASPSP. The Merchant is in the position to calibrate their risk appetite and mitigations based on the nature of their product or service, any existing relationship they have with their customer and the information provided by their customer as part of the transaction. This calibration is not the role or responsibility of the ASPSP, and they have significantly less insight and capability to do so than the Merchant.
E. Article 8 does not consider either the already existing chargeback and protection mechanisms put in place by Card Schemes allowing the cardholder to exercise all its rights (specifically on recurring transaction or on transactions not protected with SCA). Those are applied today without any limit on maximum or cumulative amount, those are conceptually very close to what schemes such like SEPA Direct Debit are able to provide today.
F. Defining a fixed monetary amount in a regulatory text will cause an unneeded burden and loss of purchases for Merchants where the average transaction value is higher, in the coming years when inflation will make this amount negligible and in general for any subscription based model (given that the need of billing a service without creating an additional authentication burden is required).
G. Lastly, Article 8.d is effectively positioning the European Commission against sustainable business models that foster sharing economy, usage economy and pay-per-use models rather than one of purchase.
Summarizing, we observe that the choices provided by the EBA in this draft answer directly serve the needs of legacy players to protect their market and keep control over the payment service user, while at the same time serving to hamper innovation in this field.
This proposal undermines the existing competitive payment ecosystem and at the same time limits consumer choice. Both positions prevent the development of the European digital economy and are in opposition with the European Digital Agenda promoted by the European Commission.
A. We assert that the principle should be that time synchronization must be made with “generally trusted and authoritative” time signals, not limited to official or institutional time signals.
B. We assert that communication interfaces must be designed and implemented to not require the use of proprietary technologies or involve vendor lock-in.
C. Defining that the content of published technical specifications must contain specification of routines, protocols and tools is not sufficient, unless suitable sample messages and responses are also provided to allow validation of interpretation and implementation of the specifications.
D. Defining that the content of, and changes to, published technical specifications are made public and at no charge is not sufficient, unless the website resource identifiers for these specifications and notifications of future and emergency changes are predictable and stable.
E. ASPSPs must not only ensure that their communication interface is not only operating on at least the same level of service as the online platform available to the payment service provider user, but also non-discriminatory in level and quality of service between other service providers.
F. ASPSPs must not only make available a testing facility available before starting to be used for offering payment services to users, but on a continuous basis, including offering a testing facility for planned changes to the communication interfaces at the time that the specification is published. Access to the testing environment must be made available on a reasonable and non-discriminatory basis to other service providers.
In that light, the work performed by the EPC during the SEPA migration showed several blind spots that should be addressed in the event a similar standardization approach is proposed. Specifically, we would like to mention the lack of interoperability between ISO20022 implementations. This lead to implementation islands and differences per countries on the services offered, with SEPA. We assert that this should not be allowed to reoccur in the case an existing or new standard is developed.
We note also that closed or proprietary extensions or worse, single-vendor solutions, will severely impact the interoperability of solutions.
We are concerned that Article 20 regarding payment service provider identification is the first step in which commonly-accepted Internet certificates for identification of service providers will transition to a compulsory balkanization of services with separate service provider identification requirements across the globe. We are strong proponents of a global payments environment benefiting Europe and European citizens and are concerned that this approach will be an enabler for the slow closure of the global payments space.
e-IDAS is potentially a suitable framework for implementing payments security, including authentication and authenticity controls. We do have concerns dealing with the immaturity of the framework in practice and doubts about the suitability of this approach for service provision outside the European Union where other regulatory regimes can be envisioned to come into force after a European mandate for specific certificates for service providers.
As general note, consider that prescriptive limits become outdated as technology evolves, while principles are updated over time and foster innovation and competition in the market.
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
The reasoning provided and the line of argumentation followed by the EBA is incomprehensible. At the current stage Chapter 1 describes and provides requirements for strong customer authentication either at the principle level (Article 3, 4 and 5) or at the technological solution level (Article 6.3.a) or even at the specific implementation solutions level (Article 6.2).PSD2 envisions a principles-based regulatory environment which enables competitive innovation, but an approach such as is occasionally visible in this draft, with prescriptive technology or process regulation, will delay innovation and will degrade the market’s capability to support the European Commission’s Digital Agenda and we expect this would lead to noticeable degradation of the consumer payments experience with all the political and economic consequences that would be expected. Recent innovations in e-commerce and m-commerce would almost certainly be rolled back on the basis of the contents of this draft.
We draw attention to the damage that a prescriptive technology regulation, such as South Korea's “Digital Signature Act” of 1999, has led to even in a small market: a legacy of outdated technology, difficulty in cross-border commerce and strategic technology security issues for an entire national economy.
We consider that the EBA should always stay exclusively at the level of defining prescriptive principles around which PSP can build (or outsource) strong customer authentication solutions. We believe in innovation and competition driven innovation. Failing to achieve this purpose will lead to an absolutely uneven market where certain parties already possessing the technology mandated (specifically mentioning Article 6.2 and 6.3) will leverage it to exclude other parties. As referred in objectives (3), (4), (5) and (6) of Directive (EU) 2015/2366 this is exactly the opposite aim of PSD2.
Furthermore, the definition as prescriptive of certain technical solutions that have to be in possession of the accountholder (i.e. mentioning Article 6.2 a device providing a trusted executing environment and mechanisms to detect alterations) may exclude the less affluent accountholders from using their mobile devices (due to the non-compliance fostered by the current piece of regulation). Thus, excluding them de facto from the digital and mobile-based economy; we understand that the legislator and DG COMP aim as promoter of this directive as expressed in principle (6) of Directive (EU) 2015/2366 is to increase reach and inclusion in the European common market.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
We fully align and share the vision of the EBA when referring to when “dynamic linking ”should take place. Indeed, this is something that the PSP should decide about when it occurs.However, we do not adhere to the principle of independent channels specially when this topic covers Mobile commerce. European society is moving from eCommerce to mCommerce and the usage of mobile devices is larger every day. At the same time, PSPs and ASPSPs are developing to optimize their processes to provide a mobile centric secure and safe purchasing experience making use of the latest technologies to achieve this purpose. The way EBA interprets and provides examples of what is and not possible (Article 2.2.b, Article 6.2 and 6.3) in terms of providing dynamic linking, limits innovation, endangers business model neutrality and is a backward step in user-friendliness. Effectively it clearly goes against the mandate the EBA received as provided in Article 98.2 of Directive (EU) 2015/2366.
Once again, the how “dynamic linking” is implemented is something under the responsibility of PSPs and ASPSPs, the regulator should only provide the principles in which the innovation can be developed not how innovation has to be performed.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
We suggest that Article 3 should be re-assessed. In general, knowledge based authentication, coupled with expiry times or complex rules for representation of this knowledge, such as complexity or use of non-repeatable characters leads to significantly worse recall or significantly lower quality knowledge-based credentials in practice, and there is significant empirical research available on the deleterious effects of each of the suggested “security features”, especially in combination.Article 3 should also address the risks of “well known questions” to be considered elements categorised as knowledge - we note the enormous scale of breaches of consumer answers to questions such as “what is your favourite colour?” or “what was the name of your first pet?”. This knowledge cannot be made “unknown” after a breach by another provider, and is fundamentally unsuitable for use in such a scheme.
Within Article 6, we strongly object to terms such as “separated trusted execution environments” as a prescriptive regulation. The principle of mechanisms to mitigate the risk of compromise of the multipurpose device is well stated in paragraph 2 of this Article.
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
We cannot comprehend the reasoning and principles used by the EBA to define exemptions. The following points can be provided to sustain such position:A. The mandate received by the EBA as described in Article 98.3 of Directive (EU) 2015/2366 clearly provides guidelines to identify exemptions based on risk, amount, recurrence and payment channel. Article 8 of the present draft does not provide principles or guidelines that can be adapted based on the risk of the PSP or ASPSP but rather defines the risk appetite that the PSP or ASPSP have to have.
B. At the same time, Article 8 of the current draft completely abandons the principle of consumer choice. The current approach is heavily driven by the regulator not allowing consumers to make considered choices about what risks they choose to take. We do not think this approach consistent with principle (5) of Directive (EU) 2015/2366.
C. As mentioned in Article 73 and Article 74.2 of Directive (EU) 2015/2366, the ASPSP is liable for any unauthorized transactions in case SCA is not used, additionally the Payee or PSP will refund those if SCA were not used. The risk appetite should be defined by the party suffering the financial loss and not by an additional piece or regulation, namely the current draft. This is relevant when the current draft in Article 8 sets hard limits for Contactless and remote electronic payments.
D. Article 8 does not take into consideration any risk mitigation measures taken by the PSP of the Merchant, the Merchant itself or even the ASPSP. The Merchant is in the position to calibrate their risk appetite and mitigations based on the nature of their product or service, any existing relationship they have with their customer and the information provided by their customer as part of the transaction. This calibration is not the role or responsibility of the ASPSP, and they have significantly less insight and capability to do so than the Merchant.
E. Article 8 does not consider either the already existing chargeback and protection mechanisms put in place by Card Schemes allowing the cardholder to exercise all its rights (specifically on recurring transaction or on transactions not protected with SCA). Those are applied today without any limit on maximum or cumulative amount, those are conceptually very close to what schemes such like SEPA Direct Debit are able to provide today.
F. Defining a fixed monetary amount in a regulatory text will cause an unneeded burden and loss of purchases for Merchants where the average transaction value is higher, in the coming years when inflation will make this amount negligible and in general for any subscription based model (given that the need of billing a service without creating an additional authentication burden is required).
G. Lastly, Article 8.d is effectively positioning the European Commission against sustainable business models that foster sharing economy, usage economy and pay-per-use models rather than one of purchase.
Summarizing, we observe that the choices provided by the EBA in this draft answer directly serve the needs of legacy players to protect their market and keep control over the payment service user, while at the same time serving to hamper innovation in this field.
This proposal undermines the existing competitive payment ecosystem and at the same time limits consumer choice. Both positions prevent the development of the European digital economy and are in opposition with the European Digital Agenda promoted by the European Commission.
Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
Comments on Chapter 2 have been provided in Question 4.Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
------------Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
We consider the requirements for common and secure open standards of communication to be a good beginning, however we have both detailed comments and a number of more structural concerns:A. We assert that the principle should be that time synchronization must be made with “generally trusted and authoritative” time signals, not limited to official or institutional time signals.
B. We assert that communication interfaces must be designed and implemented to not require the use of proprietary technologies or involve vendor lock-in.
C. Defining that the content of published technical specifications must contain specification of routines, protocols and tools is not sufficient, unless suitable sample messages and responses are also provided to allow validation of interpretation and implementation of the specifications.
D. Defining that the content of, and changes to, published technical specifications are made public and at no charge is not sufficient, unless the website resource identifiers for these specifications and notifications of future and emergency changes are predictable and stable.
E. ASPSPs must not only ensure that their communication interface is not only operating on at least the same level of service as the online platform available to the payment service provider user, but also non-discriminatory in level and quality of service between other service providers.
F. ASPSPs must not only make available a testing facility available before starting to be used for offering payment services to users, but on a continuous basis, including offering a testing facility for planned changes to the communication interfaces at the time that the specification is published. Access to the testing environment must be made available on a reasonable and non-discriminatory basis to other service providers.
Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?
We consider that the usage of international standards such ISO20022 should be mandated by the EBA in a similar fashion than what occurred for the SEPA regulation. If this is the case, EBA should make sure that the needs of all the stakeholders are represented.In that light, the work performed by the EPC during the SEPA migration showed several blind spots that should be addressed in the event a similar standardization approach is proposed. Specifically, we would like to mention the lack of interoperability between ISO20022 implementations. This lead to implementation islands and differences per countries on the services offered, with SEPA. We assert that this should not be allowed to reoccur in the case an existing or new standard is developed.
We note also that closed or proprietary extensions or worse, single-vendor solutions, will severely impact the interoperability of solutions.
Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?
We do not believe that there are any benefits to consumers or merchants with the introduction of additional identification requirements between PSPs above and beyond existing Internet models of trust that are used for all trusted communication on the Internet today. Instead this is an attempt to control access to the market and is likely to inhibit innovation.We are concerned that Article 20 regarding payment service provider identification is the first step in which commonly-accepted Internet certificates for identification of service providers will transition to a compulsory balkanization of services with separate service provider identification requirements across the globe. We are strong proponents of a global payments environment benefiting Europe and European citizens and are concerned that this approach will be an enabler for the slow closure of the global payments space.
e-IDAS is potentially a suitable framework for implementing payments security, including authentication and authenticity controls. We do have concerns dealing with the immaturity of the framework in practice and doubts about the suitability of this approach for service provision outside the European Union where other regulatory regimes can be envisioned to come into force after a European mandate for specific certificates for service providers.
Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.
Please consider that defining prescriptive limits about how an implementation should occur will constrain innovation. In that respect, the current draft should simply provide principles on which AISPs can legitimately request updated information from an ASPSP or not.As general note, consider that prescriptive limits become outdated as technology evolves, while principles are updated over time and foster innovation and competition in the market.