Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
NA
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
NA
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
NA
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
NA
Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
The ASF welcomes the opportunity to respond to the Consultation Paper dated 12 August on the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2.
As a unique representative body of all the French specialised credit institutions and financial institutions which represents 285 entities, ASF contributes to an appropriate recognition of the specialised financial activities like equipment and real estate leasing, factoring, consumer credit and auto loans and leases, mutual guarantee societies which – with an outstanding of more than €220 billion in 2015 – account for about 20% of total amount of credits to the real economy in France.
We do consider that it is fundamental to draw your attention to the point related to the three-party card schemes.
Article 98 of the Directive introduces the exemptions from the application of article 97 “Authentication”. The exemptions shall be based on the following criteria:
(a) the level of risk involved in the service provided;
(b) the amount, the recurrence of the transaction, or both;
(c) the payment channel used for the execution of the transaction.
In accordance with article 98, we suggest that the future RTS Guidelines do not oblige three-party card schemes to be “compliant” with strong customer authentication for the following reasons.
Firstly, many three-party card schemes are not general purpose card payment schemes.
Secondly, the three-party card schemes operate on a national basis with a small market share of the cards market and with a small limited number of merchants.
Furthermore, the level of security measures taken depends on the recurrence and the amount of the transaction.
Finally, these three-party cards are subject to a low level of fraud: in 2015 the percentage of fraud stood at 0.068%. We explain this low rate by a limited use of these three-party cards in a closed loop system. Compliance with strong customer authentication is disproportionate to the level of risk and the volume of transactions.
Therefore, we suggest modifying article 8 of the draft RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2 to take these features into account.