Response to discussion on RTS on strong customer authentication and secure communication under PSD2

Go back

1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.

All data which are used as part of a security control, if abused could be potentially used to initiate a fraud. Examples of such data are: Mobile phone (it is used to send an SMS OTP to the PSU or the Soft Tokens App which generates the OTP), address (it is used to disseminate the PSCs), email (it is used to either send an OTP or transaction details) and fax instructions for payments transfers.

2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

We consider the following possession elements as appropriate:
• hardware token: PSU has physical access on the device itself, in certain cases PSU is using a PIN to unlock the device
• software token (mobile app): PSU has physical access on the device itself and is using a PIN (or the TouchID) to unlock the device
• Email OTP: PSU has access on his email
• SMS OTP: PSU has access on his device to get his SMS OTP
• Digital signature (stored on an appliance hosted by the PSP): PSU has a PIN to unlock his digital signature.
• Biometric Signature obtained through an ePad: PSU can only generate this biometric signature

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

We considered that in the context of “inherence” elements, the fingerprint (as implemented in TouchID technology) could be used - technology weaknesses should be noted though. In addition, step up authentication (through profiling of customer behavioural analysis) could be used as an added inherence element.

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

Mobile devices are an excellent medium to provide the credentials, which cannot be ignored by the regulator and the community. However, the challenge of independence, is always there due to device loss or possible vulnerabilities on mobile phones, or the authentication app which can weakness the authentication process.

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

The challenges for dynamic linking authentication would be the non-ease of use from the user side. For example, it would be very difficult for the customer to re-enter data on the authentication device in order to generate linked authentication.

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

The generation of challenge response (where the PSP generate a challenge which is linked with all the transaction data and the PSU provides a response) would be a good solution for fulfilling the objective of dynamic linking.

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?

We consider the clarifications suggested regarding the potential exemptions to strong customer authentication very useful.

8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?

We cannot think of any other factors EBA should consider when deciding on the applicable exemptions.

9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?

Another criterion which could be considered with respect with transaction risk analysis could be whether the transfer is within own PSU accounts.

10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?

We consider the clarification suggested regarding the protection of users personalised security credentials to be useful. However practical requirements are expected to ensure better security and more accurate compliance.

11. What other risks with regard to the protection of users’ personalised security credentials do you identify?

We identify an important risk with regards to the protection of users’ personalised security credentials the Internal Fraud and misuse of credentials by PSP’s employees.

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

NA

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

NA

14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

The segment of the payment chain in which risks of PSCs are most likely to occur is the distribution of PSCs and the payment initiation.

15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?

We consider that PIS and AIS should establish a contractual agreement with PSP which among other things could be to ensure proper liability on behalf of AIS/PIS. In addition the bank should be in the position to refuse any kind of such agreement with any AIS/PIS.

16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?

NA

17. In your opinion, is there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?

NA

18. How would these requirement for common and open standards need to be designed and maintained to ensure that these are able to securely integrate other innovative business models than the one explicitly mentioned under article 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?

NA

19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, DP on future RTS on strong customer and secure communication under PSD2 31 authentication, notification, and information? If yes, please explain how. If no, please explain why.

We agree that e-IDAS regulation could be considered a possible solution to facilitate strong customer authentication and standardisation for communication. Once a digital signature is established and provided, the customer can receive their credentials encrypted and digitally signed on their email. This will surely facilitate the enrolment phase of credentials. It will also enable us to identify customers (unknown if this is appropriate for AML KYC processes). During the execution of the transaction, the data could be digitally signed to ensure less fraud.

20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.

We think that the use of “qualified trusted services” does address the risks associated with confidentiality, integrity. It also appears to provide the legal framework necessary for the exchange of data. As discussed the different “services” offer varying degree of confidentiality and integrity. Service (a) is dimmed too rudimentary for data integrity as opposed to (b) and (c).

Name of organisation

Bank of Cyprus

Please select which category best describes you and/or your organisation.

[Credit institution"]"

Please select which category best describes you and/or your organisation.

[Execution of payment transactions"]"