Response to discussion on RTS on strong customer authentication and secure communication under PSD2


1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.

General comments
1. We are in agreement with the objective that the security of electronic payments is fundamental in order to ensure the protection of users and the development of a sound and uniform environment for e-commerce in the European Union. In this context it shall be ensured that there is a level playing field in terms of corresponding responsibilities, obligations and liabilities for all stakeholders in the payment area. It is pointed out in recital 4 of PSD2 that many payment products or services do not fall, entirely or in large part, within the scope of Directive 2007/64/EC. In addition, the existing regulatory framework of Directive 2007/64/EC has resulted in legal uncertainty, potential security risks in the payment chain and a lack of consumer protection in certain areas.
2. The new rules of PSD2 shall close the regulatory gaps by way of full harmonisation. Nonetheless, Article 107 PSD2 gives room for different national regulations in connection with
Title I – Subject Matter, Scope and Definitions
(a) Article 2 – Scope
Title II – Payment Service Providers
Chapter 1 Payment institutions
Section 1 General rules
(b) Article 8(3) – Own funds
Section 4 Exemption
(c) Article 32 – Conditions
Title III – Transparency of Conditions and Information Requirements for Payment Services
Chapter 1 General rules
(d) Article 38(2) – Scope
(e) Article 42(2) – Derogation from information requirements for low-value payment instruments and electronic money
Chapter 3 Framework contracts
(f) Article 55(6) – Termination
(g) Article 57(3) – Information for the payer in individual payment transactions
(h) Article 58(3) – Information for the payee on individual payment transactions
Title IV – Rights and Obligations in Relation to the Provision and Use of Payment Services
Chapter 1 Common provisions
(i) Article 61(2) and (3) – Scope
(j) Article 62(5) – Charges applicable
(k) Article 63(2) and (3) – Derogation for low value payment instrument and electronic money
Chapter 2 Authorisation of payment transactions
(l) the second subparagraph of Article 74(1) – Payer's liability for unauthorised transactions
Chapter 3 Execution of payment transactions
Section 1 Payment orders and amounts transferred
(m) Article 86 – National payment transactions
3. In addition to this, six Regulatory Technical Standards (RTS) and five Guidelines (GL) are necessary to ensure a common supervisory culture, ensuring consistent, efficient and effective application of the particular acts, preventing regulatory arbitrage and ensuring effective and consistent supervision.
4. The transposition of a Directive, even a fully harmonised one, leaves room for interpretation at the national level. With the contemplated RTS, Implementing Technical Standards (ITS) and GLs a level playing field is targeted but cannot be guaranteed entirely. The Final Guidelines on the security of internet payments (EBA/GL/2014/12) (Final Guidelines) can be seen as a typical example:
(a) As a result of the Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (EBA-Regulation), the EBA has been established. Pursuant to Article 2 EBA-Regulation it is the main objective to ensure that the rules applicable to the financial sector are adequately implemented to preserve financial stability and to ensure confidence in the financial system as a whole and sufficient protection for the customers of financial services.
(b) The compliance table (EBA/GL/2014/12 Appendix 1) shows the different levels of transposition of the Final Guidelines in the Member States of the European Union. Taking into account the status of the EBA, it is worth mentioning that the competent authority of the United Kingdom, the Financial Conduct Authority (FCA), still does not hold the legal grounds to require compliance with such an important framework. This shortcoming is especially important as the vast majority of relevant institutions are established in the United Kingdom and are therefore regulated and supervised by the FCA. These institutions do not need to comply with the Final Guidelines.
(c) Gibraltar has even changed its initially announced position from compliance with the Final Guidelines to non-compliance after consultation with the local electronic money and banking industries and the FCA. In effect, the FCA has negatively influenced the Financial Services Commission of Gibraltar.
(d) Overall, this is a serious obstacle for regulated entities within other European Member States which are in compliance with the EBA Guidelines. On the other side it is an enormous advantage for UK-based Payment Service Providers (PSPs) which do not need to comply with the Final Guidelines. Additionally, those PSPs still have the opportunity to offer their less secure payment products within all European Member States on a cross-border and on a freedom-of-establishment basis.
5. In parallel, the background of the Final Guidelines is broadly influenced by credit institutions in the sense of Article 4(1) No. 1 of Regulation (EU) No 575/2013. The business models of Payment Institutions (PIs) acting as acquirers have not been recognised to the necessary extent. The relationship between a credit institution and a payer is different from the one between a PI and the payee. The analysis of the Final Guidelines leaves open several undefined terms, responsibilities and obligations depending on the role of the obliged entity.
6. Considering all of the above in drafting the RTS, it is of importance to analyse not only the role of credit institutions while providing payment services but also to consider the important role of the PI acting as an acquirer of card payments. Nonetheless, the standards established by credit institutions and the card schemes will have an impact on the technical and process-related infrastructure of the PI and therefore on the cost-effectiveness and availability of payment services.
7. Irrespective of all necessary trade-offs, it should be ensured that the provisions enter into force and are effectively enforced on the same date for all PSPs. Otherwise a delay for one or the other party can contribute to weakening the new security standards.

2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

n/a

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

n/a

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

n/a

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

n/a

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

n/a

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?

1. The suggested clarifications are considered useful. However, the list of clarifications should be exemplary and not exhaustive. The risk-based approach allows enough room for the internal implementation of the particular requirement in consideration of the business model, the available resources and the internal processes at each PI. An exhaustive list bears the risk that the detailed obligations can be analysed and misused for the development of new technologies to circumvent the security measures.
2. Clarification 42.B. allows a PSP to define all its customers as "trusted beneficiaries" on the basis of the established customer relationship without further evaluation of the associated risks. Some PSPs are specialised in the e-commerce sector and provide mainly e-money accounts to Payment Service Users (PSUs) and to merchants. The suggested exemption would support the opening of such accounts with those PSPs. In parallel, misuse becomes more attractive as a wide customer base can be reached at one PSP. However, if this exemption should be offered, it should be combined with a risk assessment based on the specific circumstances of the individual case. It seems insecure to allow the PSU to white-list all customers at the PSP on an all-in basis. It should be transparent to the PSU who the individual person added to his white-list is. It should be avoided that certain PSPs (in particular in three-party schemes) may include a broad share of the merchant base on the white-lists of their PSUs. We would, thus, welcome a clarification that exemptions from SCA based on the measure set in 42B shall only apply to particular beneficiaries which the PSU has put individually on the white-list, e.g. due to a regular customer relationship. Our concern is that otherwise such business models would attract misuse and fraud. In addition we suggest clarifying, particularly in the case of four-party card payment schemes, that a PSP of a payee could put its customers (the merchants) on white-lists of trusted beneficiaries of PSUs, e.g. when the PSU has explicitly agreed to securely store its payment data at that payee's PSP.

8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?

1. In any case it should be avoided to publish specifications that are too detailed. Otherwise it would be possible for non-PSPs to adapt to those exemptions and misuse any remaining gaps.
2. The factors could, for example, be amended by a criterion on the scope of the payment product. The risk of fraud could be reduced if the particular payment product can only be used within a limited network of merchants.

9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?

1. The general precondition should be a risk-based approach whereby the PSP is required to undertake a risk analysis of its distribution channels, the offered products and the risks associated with them. The result should be in line with the risk appetite of the PSP in compliance with its risk strategy.
2. If any criteria are to be defined they should still be broad and include the various risk categories, such as:
(a) Payment amount
(b) Country in which the customer is established / resident
(c) PSU device being used
(d) Transaction history
3. However, such a list of different criteria and circumstances should be exemplary and not exhaustive. It should be up to the PSP to individually define different criteria or circumstances considering the individual business model, scope of provided products as well as reliability of customer relationships.
4. Furthermore, it should not be the obligation of a PI to mitigate or overcome potential risks caused by the legal requirement to allow the involvement of Payment Initiation Service Providers or Account Information Service Providers in the future.

10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?

1. It should be noted that the requirements of PSD2 regarding strong authentication and secure communication cannot prevent the customer and his personalised security credentials from being misused for fraud. It is generally known that the most important risk is associated with the customer. The variety of social engineering methods is very broad and distinctive and subject to on-going development. It is not just a question of educating the customer. Taking this into account, it is not possible to overcome the risk by regularly increasing security standards.
2. The on-going and increasing investment in protection and security systems has various impacts. Firstly, innovative PSPs cannot afford the huge investment in those systems. The result is a breach of high regulatory requirements and the sale or liquidation of such PSPs. Secondly, market entry standards become an (insurmountable) barrier for new market participants. This would be against the aim of PSD2 to support innovative means of payment.

11. What other risks with regard to the protection of users’ personalised security credentials do you identify?

n/a

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

n/a

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

n/a

14. Can you indicate the segment of the payment chain in which risks to the confidentiality and integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

n/a

15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?

n/a

16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?

n/a

17. In your opinion, are there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?

n/a

18. How would these requirements for common and open standards need to be designed and maintained to ensure that these are able to securely integrate other innovative business models than the ones explicitly mentioned under Articles 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?

n/a

19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, authentication, notification, and information? If yes, please explain how. If no, please explain why.

1. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (e-IDAS) should harmonise the European market. The repealed Directive 1999/93/EC had been transposed into the German Signature Act. The requirements of this Act have actively hindered the development of an economical and usable technology in Germany. Even where technologies are available, their usability and cost are a disadvantage. Therefore, digital signatures have been accepted neither by market participants nor by customers.
2. It is unclear what the future development regarding e-IDAS will be. Given this lack of clarity it is recommended not to make direct connections to e-IDAS.

20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.

n/a

Name of organisation

Bundesverband der Zahlungsinstitute - Federal Association of Payment Institutions

Please select which category best describes you and/or your organisation.

Other

If you selected ‘Other’, please provide details

Associations of payment and e-money institutions in Germany