Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
No response from GLEIF on this question.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS?
No response from GLEIF on this question.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
No response from GLEIF on this question.
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
No response from GLEIF on this question.
Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
No response from GLEIF on this question.
Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
No response from GLEIF on this question.
Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
Yes, GLEIF agrees with the EBA’s reasoning on the requirements for common and secure standards of communication for the purpose of identification and to support authentication of parties through trusted means.
GLEIF particularly sees a potential role for the LEI in this implementation of PSD2 and open banking as a reliable and verifiable identification of a legal entity. The LEI, as the identity management key, could provide a reliable means for two parties to identify each other through trusted means, especially in the case of verification by Payment Service Providers (PSPs) that Third Party Payment Providers (TPPs) are authorized to provide services.
As defined in Article 14 of Directive (EU) 2015/2366, the account information service providers and payment initiation service providers should be available in the public register of the home Member State. These registers could rely on the information in the Global Legal Entity Identifier System (GLEIS) first to verify the identity of the PSPs and TPPs and then include the LEI in the list of authorised service providers in the public registers: the EBA Register and the registers of the National Competent Authorities.
Use of the LEI is especially relevant in the case of verification across borders, will avoid fragmentation among the EU Member States in the implementation of PSD2, and is consistent with the EBA’s endorsement earlier this year for the use of LEI by EU Authorities. Inclusion of the LEI on the registers for PSD2 authentication and verifications would also allow consumers to look up the identity of all payment providers free of charge in the public LEI repository.
Registration facilities for the assignment of LEIs for financial institutions in the payments industry and TPPs already are in place. GLEIF currently provides search and look up as well as download capabilities for LEI codes and their corresponding data records.