Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

In our view, the principle-based approach is correct. Polski Standard Płatności provides a retail mobile payment system under the brand name “BLIK” dedicated for its participants (incl. 7 major Polish issuing banks whose market share combines 70% of the payment accounts held at those banks as ASPSPs in Poland). The requirement of an authentication procedure should not impose on PSPs a detailed procedure, especially with respect to when, i.e. at which moment of that procedure, the code is to be generated – in our opinion this is crucial for ensuring the technology and business-model neutrality of the RTS. The technical solutions adopted by the BLIK payment system will be compliant with the SCA requirement with dynamic linking. Each payment transaction is confirmed by the payer using its PSC in the ASPSP’s mobile application on a smartphone, with the amount and payee data being displayed during the SCA procedure (at the moment of authorization by the PSU). The payment system thereafter generates the authentication code, compliant with the requirements described in the draft RTS, which is then transferred to the acquiring PSP. In our technical implementation the authentication code is not transferred to the ASPSP. The authentication code generated as a result of the authentication procedure and the authentication procedure itself will be compliant with the draft RTS requirements; however, the direction of flow of the authentication code is towards the PSP.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

The requirements should remain neutral as to when the “dynamic linking” takes place. This should be fundamental when interpreting the RTS in relation to the moment or place when such “dynamic linking” occurs, in a way that this should not be determined at all. We insist on adding such an explanatory note either to the recitals of the draft RTS or in art. 2 therein.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

See Reply to Q5

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

The term used, “credit transfer”, corresponds to one of the elements of the “remote payment transaction” or “electronic payment transaction” or “transaction online”. We strongly recommend using such a wider definition for the exemptions stipulated in art. 8.2 (a) and (b). We propose a revision of the draft text of art. 8.2 (a) and (b) as follows:
(a) the payer initiates an electronic payment transaction where the payee is included in a list of trusted beneficiaries previously created by the payer with its account servicing payment services provider.
The application of strong customer authentication shall not be exempted where the payer creates for the first time or subsequently amends the list of trusted beneficiaries with its account servicing payment services provider.
(b) the payer initiates a series of electronic payment transactions within the limits set by the payer with its account servicing payment services provider and the same payee.
The application of strong customer authentication shall not be exempted where the payer initiates the series of electronic payment transactions for the first time or amends the series of electronic payment transactions.
We understand the reasoning why the exemption from the SCA requirement refers to credit transfer, assuming that the EBA intends to preserve the existing “white list” at ASPSPs (existing trusted beneficiaries functionalities in online banking). In Poland, there are online electronic payment schemes based on credit transfers; however, there are other online electronic payment schemes where the main element is not a credit transfer. An exemption based on the credit transfer element as the requirement will not be neutral from the technology point of view and would exclude the majority of online payment transactions executed in Poland. We recommend extending the scope of the exemptions with the goal of avoiding derogation of other payment mechanisms in favor of trusted beneficiaries.
We understand that the wording used, “the payer initiates online”, corresponds to “the payer initiates remote payment transactions” as they are explained in art. 4 (6) of PSD2. In art. 97 (1) (b) of PSD2 the Directive uses the term “initiates an electronic payment transaction”, which is not defined in art. 4 therein.

Please select which category best describes you and/or your organisation

Other

Please select which category best describes the services provided by you/your organisation

Cash related services

If you selected "Other", please provide details

retail payment system BLIK under the supervision of National Bank of Poland

Name of organisation

Polski Standard Płatności sp. z o.o.