Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

FEDMA, the Federation of European Direct and Interactive Marketing, represents the data-driven marketing industry. FEDMA stands for 22 national Direct Marketing Associations, directly representing more than 5 000 organisations, and for more than 50 organisations, representing all parts of the value chain in the data-driven marketing industry. Through its many activities, FEDMA is dedicated to building the business of cross-border data-driven marketing, both through its vast network of contacts and businesses within and beyond Europe and by representation within the institutions of the European Union.

The data-driven marketing industry uses personal information and data to effectively match customers’ needs with relevant brand offers. The data-driven marketing industry aims to create and maintain an individual and interactive relationship between businesses, institutions and their customers (both prospective and existing). The data-driven marketing industry allows retail businesses to target people with a personalised message, to generate sales both online and in store in a cost-effective way, to build long-lasting relationships with customers and to raise brand awareness. Therefore, the ecommerce and data-driven marketing industries are very interconnected. This is why FEDMA encourages the EBA proposed standard to avoid negative effects on the ecommerce sector.

FEDMA calls on policy makers to avoid imposing any measures which would reduce the eCommerce volumes and to avoid channel distortions (offline vs online). FEDMA asks you to bear in mind the consumer experience and the feasibility of certain measures, so as to impact ecommerce as little as possible.

FEDMA has identified three main issues: the blanket approach as proposed by the EBA for Strong Customer Authentication (SCA) (which we do not support), the criteria proposed for the authentication elements, which are too restrictive, and the fact that the regulatory bodies are also auditing Payment Service Providers. Specifically, the blanket approach to SCA risks reducing competition in the market, hampering consumer convenience and restricting the development of the Digital Single Market. FEDMA calls on policy makers to ensure the needed flexibility so that traders can use their knowledge of the consumer and of the market to assess risk (e.g., behavioral data, strong customer authentication via login and data from past purchases, etc.). A clearer risk-based approach is needed.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

FEDMA members are not sure the dynamic linking process would be the most practical and efficient mechanism for online transactions.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

Non-Applicable

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

FEDMA questions the EBA approach regarding SCA. FEDMA would rather support a targeted risk-based approach and suggests an approach whereby industry best practices are acknowledged.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

FEDMA calls for more flexibility of the framework proposed by the EBA, taking more into account a risk-based approach.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Non-Applicable

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

FEDMA calls for the EBA and policy makers to avoid reducing competition in the market and ultimately creating less favourable conditions for eCommerce. For example, FEDMA questions the limited provision of direct access technology by non-bank third-party payment initiation service providers (TPPs).

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

Non-Applicable

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

Non-Applicable

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

Non-Applicable

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

TRADE ASSOCIATION

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Data-driven marketing and retail.

Name of organisation

FEDMA