Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

A. General Statement

First of all, we would like to thank the EBA for giving us the opportunity to provide our comments on the draft Regulatory Technical Standard.

We do agree with major parts of the EBA's reasoning on the Strong Customer Authentication (hereinafter called “SCA”) requirements, but we would like to point out that the requirements do not reflect the specialized characteristics of payment instruments and the established best-practice processes in the corporate sector.


B. Exemption from the scope of application - systematic and legal derivation

Generally speaking, the fact that a corporate customer is less in need of protection than a consumer is illustrated by the possibility of waiving certain provisions of Directive (EU) 2015/2366 (hereinafter called “PSD 2”) where the payment service user is not a consumer. In the cases covered by Article 61 para. 1 PSD 2 (i.e. Articles 72, 74, 76, 77, 80 and 89), the payment service provider and the payment service user can agree upon different arrangements.

This general approach should consistently be carried over to the draft Regulatory Technical Standards (hereinafter called “RTS”).

Moreover, if a payment service provider offers on its payment instrument only services to acquire a very limited range of goods and services, or services within a limited network of service providers, the need to apply strong customer authentication in this context would lack any factual and legal basis.

A typical example of corporate payment instruments is lodge and virtual cards in the business travel sector, with which only a very limited range of goods and services within a limited network of service providers can be acquired. They provide various process facilitations for corporate travel managers and corporate travel agencies through a smooth workflow of the payment process and data aggregation.

Such cards are issued to organizations and not to an individual (corporate traveler), and are cleared and settled with the bank account of this organization. With such cards, travel and travel-related services are settled and paid centrally, while the cards are lodged at the organization's travel department or corporate travel agency, or with the booking engine used by the organization.

Individual corporate travelers of such an organization book their travel and travel-related services via these channels without knowing the card details. These are known only to the travel manager or the corporate travel agency. Therefore, various corporate travelers use one single lodge account to initiate payment transactions for their business travel. The payment itself happens in the background.

For the typical user in the business travel procurement process, the payment stage is completely invisible and the settlement process happens to a large extent automatically. Yet AirPlus still believes that there is further room for automation, which could lead to considerable process savings for corporate clients (see details under https://www.airplus.com/CMS/file_view.aspx?id=181073). Enforcing SCA would severely impact highly automated payment processes that currently involve little manual interaction.

In conclusion, such lodge and virtual cards in the business travel sector carry a low fraud risk. This is shown by the following:

a) Only a limited range of travel and travel-related services can be purchased, and only in limited merchant categories.
b) The initiator of the payment does not know the card details.
c) The organization's travel manager has various possibilities to limit and tailor user rights (budget limitation, limit per transaction, number of transactions, currency etc.).

The low risk of such payments can be underlined with historic fraud rates (statistical analyses could be submitted on request). Furthermore, the analyzed fraud cases were mainly conducted by insiders (e.g. employees of a travel agency) and would therefore not have been prevented by SCA.
It must also be concluded that it is technically very difficult to apply SCA where one payment product is ultimately used by an undefined number of users.

We believe that the forced application of SCA to well-established, seamless and automatic payment processes that take place entirely in back-end systems would interfere with efficient processes and have severe effects on process costs, speed and general user experience, while offering no increased security level for such payment transactions.


C. Final proposal

Hence, we propose to exempt services based on specific payment instruments which can be used only to acquire a limited range of goods and services or within a limited network of service providers (as already mentioned in Article 3 (k) (i) and (ii) of PSD 2).

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

NA

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

NA

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

A. General Statement

No, AirPlus does not agree with the EBA's reasoning on the exemptions from the application of Article 97 PSD 2 on strong customer authentication and on security measures, nor with the resultant provisions proposed in Chapter 2 of the RTS.

In particular, AirPlus does not share the EBA's view regarding low-risk transactions as a potential further exemption, for the following reasons.


B. The reason of the EBA for the non-exemption of low-risk transactions in the RTS

In no. 42 of the “Discussion Paper on future RTS on strong customer and secure communication under PSD2” (hereinafter called “Discussion Paper”), the EBA mentioned low-risk transactions based on a transaction risk analysis (taking into account detailed criteria to be defined in the RTS) as an example of an exemption from strong customer authentication.

In the Consultation Paper this exemption is no longer included.

According to the explanation in no. 54 of the RTS, “the EBA was not able to identify which minimum set of information the RTS should require for such transaction risk analysis to be sufficiently reliable to allow a specific exemption from the application of SCA, while also ensuring a fair competition among all payment service providers.”


C. The reason of AirPlus for the insertion of low-risk transactions as an exemption

AirPlus believes that it is possible to establish objective and fair criteria to classify a low-risk transaction for all market players alike.

I. Certain types of services/goods and a low prescribed fraud rate as exemptions

First, from AirPlus' point of view there are types of services and goods which are by nature less risky compared to an ordinary credit card. AirPlus is convinced that there is no need to subject these types to strong customer authentication (see 1. below). Moreover, AirPlus believes that a fraud rate prescribed by the EBA would be an objective, transparent and sufficient criterion for assessing a low-risk transaction (see 2. below).

1. Certain services and goods/ limited network of service providers

The reasons for the exemption for certain services and goods are as follows:

a) According to Article 3 (k) (i) and (ii) of PSD 2, services based on specific payment instruments that are used to acquire a very limited range of goods, or within a limited network of service providers, have been excluded from the scope of application of PSD 2. These payment instruments are not under supervision. Hence, they are not within the scope of the RTS.

b) Furthermore, it would create a competitive disadvantage if a company that provides specific payment instruments used to acquire only a limited range of goods and services is not subject to PSD 2 and the RTS at all, while companies that additionally provide services and goods within the scope of PSD 2, and subsequently within the scope of the RTS, are completely subject to PSD 2 and the RTS, even though the other part of their business would otherwise be exempt.

c) A vivid and practical example of a limited range of goods and services is companies that offer business travel payment solutions and services for corporate customers.

AirPlus, for example, provides a central account for all business travel expenses of multiple travelers, to be paid with one invoice. As a complementary “virtual solution”, there is the so-called A.I.D.A (AirPlus Integrated Data and Acceptance). With A.I.D.A one generates 16-digit MasterCard numbers which are well suited to paying for travel and business events. These virtual MasterCard numbers and their transactions are linked to one central account and are paid with one invoice.

Hence, these products show clear criteria that qualify for low-risk transactions. On the one hand, there is a limited “playing field”. On the “user side” there are only corporate customers and no consumers involved. The company can technically administer who within the company may use the payment instrument and the services. This can be a department for travel expense accounting and/or selected employees. Where the payment instrument is lodged with a travel agency, the travel agency could also be involved. In most cases, the details of payment products are administered by a limited number of employees and linked to individual travelers' profiles in travel procurement systems. This explains why a high number of individual users initiate procurement transactions without knowing any details about the seamless payment process that follows in the back-end systems.

On the other hand, the empirical risk of fraud is low, justified in particular by the limited network of merchants, the limited purpose (hotel and rental car bookings, flights, travel agency fees etc.) and the low resale value of the “goods”. Because the area of application of these payment instruments is limited, they are less risky per se. Additionally, since flight tickets are personalized, they are not easily resold. Fraud is therefore not very attractive, given the limited profit that can be generated.

2. Prescribed fraud rates

Products that stay below defined, prescribed fraud rates may qualify for an exemption as well. The reasons for an exemption based on prescribed fraud rates are as follows:

As long as an individual transaction risk analysis has shown a low fraud risk, there is no good reason to insist on strong customer authentication. Internal analyses have shown that our number of fraud cases is far lower than the figures in the last fraud report of the ECB (statistical analyses could be submitted on request). If the need for protection is demonstrably low, then the costs of implementing the precautionary measures needed to comply with the RTS involve a disproportionate effort.

Hence, we propose a fixed fraud rate determined by the ECB. The figures of the last fraud report of the ECB could serve as a reference point.

II. Objectives of the RTS as stipulated in Article 98 para. 2 PSD 2 in line with the proposed exemptions

1. Objectives of the RTS

The objectives stipulated in Article 98 para. 2 PSD 2 are not in contradiction with the exemptions proposed above. Actually, the reverse is true: without the exemptions described above, it is not possible to achieve the objectives stipulated in Article 98 para. 2 PSD 2. The objectives are as follows:

(a) ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;
(b) ensure the safety of payment service users’ funds and personal data;
(c) secure and maintain fair competition among all payment service providers;
(d) ensure technology and business-model neutrality;
(e) allow for the development of user-friendly, accessible and innovative means of payment.

2. Comparison of the objectives of PSD 2 and the exemptions

That an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements (objective (a) above), and the development of user-friendly, accessible and innovative means of payment (objective (e) above) need not contradict the exemptions described above is shown by the following example:

As demonstrated by various studies (GBTA 2015: Buyer and Supplier Outlook on Virtual Payment Solutions), virtual payment solutions are in increasingly strong demand. A virtual payment instrument for a limited range of goods and services is an ideal way to combine the further development of user-friendly, accessible and innovative means of payment (see Article 98 para. 2 (e)) with an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements (see Article 98 para. 2 (a)).

Furthermore, it would create a competitive disadvantage if a company that provides specific payment instruments used to acquire only a limited range of goods and services is not subject to PSD 2 and the RTS at all, while companies that additionally provide services and goods within the scope of PSD 2, and subsequently within the scope of the RTS, are completely subject to PSD 2 and the RTS, even though the other part of their business would otherwise be exempt. The objective pursuant to Article 98 para. 2 (c) PSD 2 (secure and maintain fair competition among all payment service providers) would be thwarted without the proposed exemption.

Taking into account all of the above factors, the proposed exemptions are in accordance with the scope of Article 98 para. 2 PSD 2.


D. Final formulation proposal

Therefore, AirPlus proposes that Article 8 should be amended to read as follows:

3. The application of strong customer authentication in accordance with Article 97(1) and (2) of Directive (EU) 2015/2366 is exempted where:
Low-risk transactions are conducted. These exist in the following cases:

(a) Transactions based on payment instruments that are used to acquire a very limited range of goods or services, such as, without limitation, in the field of business travel management;
(b) An individual fraud risk analysis has shown a gross fraud rate of the payment instrument used below […] per year.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

NA

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Yes, we agree. When third parties handle the security parameters between the customers and the credit card organization, it must be confirmed that these are protected.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

We share the EBA's understanding, but a clear and consistent definition of roles and terms (payer, payment service user, payee, merchant) is required.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

We agree that one standard is necessary. It ensures that building interfaces between multiple partners is manageable and costs are predictable. One standard allows faster access to this functionality from providers of standard software. We can't foresee if ISO 20022 is the right standard.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

We do not see the need for one specific certificate, but would rather recommend defining the necessary quality. Most payment service providers already manage different certificates without problems, which is mandatory when acting globally.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

We agree with the proposed limit. The final interface proposal should define how AIS providers can be identified as such to enforce the defined limit.
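The enforcement point raised in the answer above, that an ASPSP can only apply a per-AISP request limit once it can identify the AISP, as an added example that is not part of the original response: a minimal daily quota keyed on an AISP identifier the ASPSP has already verified, using the two-requests-a-day figure from the question. The `aisp_id` field, the user-present flag and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Figure from the consultation question: at most two background
# (not user-initiated) account-information requests per day.
DAILY_BACKGROUND_LIMIT = 2


class AisAccessLimiter:
    """Per-AISP, per-account daily quota for background AIS requests.

    aisp_id (hypothetical name) is an identifier the ASPSP has already
    verified at the transport layer, e.g. taken from the AISP's client
    certificate. Requests made while the payment service user is actively
    present (user_present=True) are not counted against the quota.
    """

    def __init__(self, limit=DAILY_BACKGROUND_LIMIT):
        self.limit = limit
        # (aisp_id, account_id, utc_date) -> background requests seen so far
        self._counts = defaultdict(int)

    def check(self, aisp_id, account_id, user_present, now):
        """Return True if the request may be served, False if the quota is used up."""
        if user_present:
            return True  # user-initiated refreshes are outside the background limit
        key = (aisp_id, account_id, now.astimezone(timezone.utc).date())
        if self._counts[key] >= self.limit:
            return False
        self._counts[key] += 1
        return True


def sample_decisions():
    """Run constructed sample traffic (not real data) through a fresh limiter."""
    def t(hour, day=1):
        return datetime(2016, 10, day, hour, 0, tzinfo=timezone.utc)

    requests = [
        ("aisp-A", "acct-1", False, t(6)),
        ("aisp-A", "acct-1", False, t(12)),
        ("aisp-A", "acct-1", False, t(18)),      # third background poll today
        ("aisp-A", "acct-1", True, t(19)),       # user present: not counted
        ("aisp-B", "acct-1", False, t(20)),      # other AISP: separate quota
        ("aisp-A", "acct-1", False, t(6, day=2)),  # new UTC day: quota resets
    ]
    limiter = AisAccessLimiter()
    return [limiter.check(*r) for r in requests]


if __name__ == "__main__":
    print(sample_decisions())  # [True, True, False, True, True, True]
```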

Please select which category best describes you and/or your organisation

Payment institution

Please select which category best describes the services provided by you/your organisation

Issuing of payment instruments and/or acquiring of payment transactions

Name of organisation

Lufthansa AirPlus Servicekarten GmbH