Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

It should be noted that strong authentication without verified identity will only serve to ensure that the same entity is returning to services over time, NOT that the entity in question is the right person or indeed a valid identity. If the prevention of fraud is to be successful, it should be identity assurance, i.e. the combination of identity verification and proofing and a credential issued in accordance with recognised standards and linked to that identity, that is used for authentication.

There is much evidence that standards for identity assurance, including strong authentication, should be outcome-based rather than specific technical or technology requirements. The UK government national eID scheme GOV.UK Verify, the EU eIDAS Regulation, and the recent NIST 800-63 draft all place importance on outcome-based requirements rather than detailed technical specifications where identity proofing or strong authentication means are concerned.

The key here is interoperability. The UK and the US governments are currently working together to ensure interoperability on an international basis alongside EU colleagues for the purpose of cross-border eID. There are also efforts within standards organisations such as the OpenID Foundation to build profiles such as iGov for the purpose of interoperability and the federation of identity in the public and private sectors. The eIDAS Regulation and its standards may be one answer, but it is interoperability standards that will enable identity, and with it strong authentication, to become truly ubiquitous.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Yes.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

No, not at this time.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Service design and the application of multiple levels of assurance may actually be more appropriate in many circumstances. What is really being suggested here in Chapter 2 is that authentication is actually part of a risk-based assessment for a selected user action / transaction.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

No concerns other than the answer to Q4.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Yes, provided these are outcome-based requirements and do not specify solutions or technologies.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

Common and secure open standards are essential. Ensuring that they are outcome-based is equally important and not necessarily apparent here.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

Why ISO 2022 and not simply UTF-8 and where/if necessary base64 encoding?

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

No. QTSPs are one possible solution. We should not tie specifications to a single solution.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISPs to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and the rationale for such frequency.

No comment other than to say that limitations of this kind may be restrictive in some applications. It should be for the user to consent to such configurations / use patterns if that suits a particular need.

Please select which category best describes you and/or your organisation

Public administration

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Government based identity assurance and international standards

Name of organisation

Government Digital Service, UK Cabinet Office