Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

No - the RTS doesn’t strike the right balance between security and convenience. Merchants should be allowed to have a role in assessing risk, and risk-based authentication has been successful at removing the friction in customer experience. This is a backward step. Low risk and low value are not the same thing, yet it seems that the technical standards are set up with this assumption.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

No - the contactless limit needs to address currency volatility and should be increased periodically. It is likely to increase consumer friction and discourage efficient payment methods.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

Yes - the approach applies a 'one size fits all' mentality and prevents the use of merchant or PSP knowledge and expertise to determine the level of risk and the required level of authentication to manage that risk. This forces everyone to behave in the same way and may hinder innovative fraud solutions.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

Assuming a user clicking 'refresh' would constitute a request and allow information to flow, then we think twice a day is sufficient for an AISP.

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

Consultancy

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Scheme fee services, financial modelling, management information and dashboards, regulatory compliance

Name of organisation

Optima Consultancy