Response to consultation on draft Guidelines on the sound management of third-party risk
Question n. 2 for Public Consultation: Is Title II appropriate and sufficiently clear?
While we believe that the reference to ‘authentication & authorisation’ should be deleted from the non-exhaustive list of functions that could be provided by a third-party service provider under Annex I, if these functions were to be maintained in the scope of the Guidelines, the EBA should recognize that authentication and authorisation are never ‘critical or important functions’ and therefore expressly exclude delegation of authentication / authorisation from the stricter requirements set out therein.
This is because authentication and authorisation do not meet the conditions to qualify as critical or important functions under Guideline 4, points 33-36 of the EBA draft Guidelines, as detailed in the attached consultation response.
Question n. 4 for Public Consultation: Is Title IV of the Guidelines appropriate and sufficiently clear?
While we believe that the reference to ‘authentication & authorisation’ should be deleted from the non-exhaustive list of functions that could be provided by a third-party service provider under Annex I, if these functions were to be maintained in the scope of the Guidelines, the EBA should recognize that multilateral or scalable agreements for SCA delegation are allowed. As explained in detail in the attached consultation response, this is crucial to facilitate innovative and secure authentication solutions.
Question n. 5 for Public Consultation: Is Annex I, provided as a list of non-exhaustive examples, appropriate and sufficiently clear?
We believe that the reference to ‘authentication & authorisation’ should be deleted from the non-exhaustive list of functions that could be provided by a third-party service provider under Annex I.
In the payments ecosystem, there already exists a broad range of authentication and authorisation solutions which do not constitute outsourcing. Treating these solutions as outsourcing would significantly restrict PSPs’ ability to make use of them. This is because card issuers would need to conclude dozens, if not hundreds, of outsourcing agreements with all possible providers of authentication and authorisation solutions. Such an interpretation would also undermine the roll-out of the EUDIW introduced by the eIDAS2 Regulation.
In addition, whether the delegation of strong customer authentication for card transactions qualifies as outsourcing remains a debated question that is still under discussion in the context of the PSD2 revision. As detailed in the attached consultation response, we therefore believe it is more appropriate to defer any decision on the inclusion of authentication and authorisation within the Guidelines on Third-Party Risk until the adoption of the upcoming Payment Services Regulation (which will replace the PSD2) and the RTS the EC must adopt under this new regulatory framework. This is important to guarantee clear, stable and harmonised rules across Europe on this crucial issue, and to allow the EC to have its say on these rules.
Should authentication and authorisation remain within the scope of the Guidelines on Third-Party Risk, the EBA should clarify that only models in which the payer’s PSP does not retain control over these functions should be subject to the Guidelines. Conversely, models where the PSP remains in control of these functions should not be considered delegation and should fall outside the scope.
In any event, we believe that authentication and authorisation services provided by card schemes to ensure the security and business continuity of their payment systems should be expressly excluded from the scope of the Guidelines under the exclusion for ‘global network infrastructures’ set out in point 32(b) of the draft Guidelines.