The Royal Bank of Scotland (RBS) welcomes the opportunity to respond to the EBA's Discussion Paper on the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, which the EBA is required to draft under the revised Payment Services Directive (PSD2).
RBS provides a variety of financial services for personal, business and commercial customers. RBS, NatWest, Ulster Bank and a number of smaller brands serve some 15 million customers through their network of branches and ATMs throughout the United Kingdom, as well as through telephone, internet and mobile banking. In addition, Ulster Bank has a significant operation offering similar services in the Republic of Ireland. RBS is therefore well placed to respond to the Discussion Paper.
RBS has worked closely with Payments UK on its response to the Discussion Paper issued by the EBA on 8 December 2015. Our thinking has been channelled into that response, which we support and recommend to the EBA.
We have also had sight of, and commented on, responses from other industry bodies such as the European Banking Federation (EBF), and we support their response as well.
We support the industry position and would refer the EBA to these responses for more detailed comments. We would nonetheless like to take this opportunity to provide you with an outline of our position and emphasise a number of points.
RBS believes that the EBA should adopt a principles-based approach to strong authentication and secure communication. This would give market participants the flexibility to embed those principles in a practical way at the working level. Very prescriptive technical requirements risk being overtaken by technological developments in this fast-moving environment, and could stifle innovation that users (consumers and businesses, large and small) would find useful.
There is, however, a need for standards within the framework of the EBA's principles. Standards are necessary to enable market participants to communicate with each other and to produce workable services for users. In the absence of agreed standards the market could stall, with participants unable to communicate or faced with a plethora of different connectivity requirements. Standards can therefore make the market more competitive by providing a level playing field on which participants compete.
The standards will need to be reviewed from time to time, and we believe this can be done more readily and more frequently by the market than by the EBA.
In order to achieve the desired level of interoperability and standardisation, we believe that some form of governance authority for the market will be necessary. It will need to have the confidence of all market participants and be empowered to set standards for all of them.
Confidentiality of Credentials
It is essential that security and privacy are maintained. For this reason RBS does not believe that customer credentials should be accessible to any party other than the customer and, to a limited extent (e.g. in hashed or encrypted form), the ASPSP.
This is essential to maintain the integrity of the payment systems and the accountability of all parties. Conventional customer log-on credentials for online banking and similar channels should therefore remain secret. Some business models (for example, services that log in to the customer's online banking as the customer) have required third parties to hold previously secret credentials. We believe this is potentially risky and suggest other approaches instead, such as the use of APIs, which would achieve the same ends at lower risk.
Similarly, it is essential that PISPs and AISPs hold no more customer data than is strictly necessary. They should store it securely and use it only for the authorised purpose.
UK Open Banking Working Group and APIs
In the UK a good deal of work has been done by the Open Banking Working Group (OBWG) on related matters, with the aim of allowing third parties to access customer banking data safely. APIs appear to offer a practical way to achieve such access. RBS therefore suggests that the EBA review this work as useful background in developing its own proposals.
APIs are in increasingly widespread use and provide a practical means of sharing data securely. A degree of standardisation will be needed to enable mutual access, which may in turn enable many different uses by market participants. Standards should be open ones, developed in a transparent way.
Risk Based Approach to Strong Authentication
Strong authentication provides a high level of protection to customers and payment service providers alike. In some circumstances, however, it may not be appropriate, most likely because other safeguards can provide an equally high level of assurance while making the customer experience easier. We therefore welcome the EBA's examination of exceptions to strong authentication and urge it to allow PSPs to take a risk-based approach to its use, provided the risk framework is a rigorous one. The EBA might, for example, set a minimum standard under which PSPs apply "step-up" authentication to high-risk transactions, i.e. strengthened authentication where the risk is greater.
Due Diligence and Checking Registrations
Finally, in the context of PISP and AISP services it is essential that ASPSPs can have confidence that their customers are dealing with firms that meet all relevant requirements. This is likely to require an initial due diligence and on-boarding process before a TPP submits any transactions to an ASPSP. Subsequently there must be a means for ASPSPs to check the authorisation of such organisations in real time when processing a transaction, so that customers deal only with bona fide firms. We believe national regulators' registers and the EBA register will need to be readily accessible, machine-readable and updated in real time.
Our main concern is to ensure that the payments environment is secure, while acknowledging that all activity in this sphere carries a risk of fraud. Other examples of actions that may warrant strong authentication include changes of address and similar changes to customer details. However, we would want the EBA to leave scope for banks to manage their own risk while developing and enhancing security.
A "one size fits all" approach may not be appropriate: card transactions, for example, do not offer the same opportunity for full strong authentication as online credit transfers, other than through 3-D Secure.
Physical means of security and authentication (for example, hardware tokens) are generally more secure than software- or data-based forms. However, software-based authentication can markedly improve the customer experience and journey compared with physical devices such as bulky card readers. While software-based authentication is the weaker form, software that generates, for example, one-time passwords (OTPs), tokens or challenge responses can be acceptable, provided that the related secret data is adequately protected and is initialised through a suitably robust enrolment process.
It is essential that standards are developed in such a way that PSPs can assess the most effective approach for the risk environment in which they operate, and that they allow for technological development in the coming years.
Behaviour-based characteristics could be an important part of customer authentication. This is a developing technique which we expect to play a role as part of a layered authentication approach; behaviour-based characteristics could provide one part of the picture in assessing whether a customer or transaction is genuine.
The growing desire of customers to use mobile devices is a challenge for PSPs. To achieve the highest level of security, separate devices would always be used for the transaction and for the authentication. This is not always practical when customers are on the move. However, the risks of using a single device can be mitigated, provided there is independence between the communication channels on that device and a high level of security within the device itself; under those conditions the objectives of strong customer authentication can still be met. This is, however, likely to be an area requiring frequent upgrading as the threats to mobile devices evolve.
Dynamic linking could be highly beneficial in principle, but the concept requires further definition. We recognise that some form of token is likely to be used, but would advocate flexibility for PSPs in choosing their own method. That flexibility should also extend to allowing PSPs to assess the riskiness of transactions and to dis-apply dynamic linking where they consider it appropriate.
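The software-generated OTPs and challenge responses mentioned above, and the transaction-bound codes that dynamic linking implies, can be illustrated in code. The following is an added example written for this edit; it is not RBS's, the EBA's or any vendor's implementation. The `hotp` function follows RFC 4226 and is checked against that RFC's published test vector. The `transaction_code` and `verify_transaction` functions are a simplified, non-standard construction assumed here for illustration: they feed the payment amount and payee into the MAC so that a code generated for one payment cannot be replayed against a different amount or payee, which is the property PSD2 Article 97(2) asks of dynamic linking. The secret key, counter values, amounts and payee IBANs are constructed sample data.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the low
    nibble of the last MAC byte, mask to 31 bits, reduce modulo 10**digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, amount_minor: int,
                     payee: str, digits: int = 8) -> str:
    """Illustrative dynamically linked authentication code.

    Simplified, non-standard construction (an assumption of this example):
    the MAC input covers the counter plus a canonical, length-prefixed
    encoding of the amount (in minor units, e.g. pence) and the payee
    identifier, so the code verifies only for that exact amount and payee.
    """
    canonical_payee = "".join(payee.split()).upper().encode("utf-8")
    msg = struct.pack(">QQH", counter, amount_minor, len(canonical_payee)) + canonical_payee
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, next_counter: int, amount_minor: int,
                       payee: str, presented: str, window: int = 3):
    """ASPSP-side check. Recomputes the code for the amount and payee that were
    actually submitted, trying a small look-ahead window of counters to
    tolerate codes the customer generated but never sent. Returns the matching
    counter, or None if the code is not valid for this amount/payee."""
    for c in range(next_counter, next_counter + window):
        expected = transaction_code(secret, c, amount_minor, payee)
        if hmac.compare_digest(expected, presented):
            return c
    return None


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 Appendix D test key and a sample IBAN.
    secret = b"12345678901234567890"
    payee = "GB29 NWBK 6016 1331 9268 19"

    print("HOTP(counter=0) =", hotp(secret, 0))  # RFC 4226 vector: 755224

    # The customer's token signs a 120.50 payment to the payee at counter 5.
    code = transaction_code(secret, 5, 12050, payee)
    print("linked code:", code)
    print("genuine payment accepted at counter:",
          verify_transaction(secret, 3, 12050, payee, code))
    # Malware alters the amount or payee in transit: the same code no longer verifies.
    print("tampered amount accepted:", verify_transaction(secret, 3, 12051, payee, code))
    print("tampered payee accepted:",
          verify_transaction(secret, 3, 12050, "GB82 WEST 1234 5698 7654 32", code))
```

Two design points are worth noting. First, the payee is canonicalised (whitespace removed, upper-cased) before it enters the MAC, so cosmetic differences in how the IBAN is typed do not cause false rejections while any substantive change still does. Second, the verifier compares codes with `hmac.compare_digest` and only accepts a counter inside a short look-ahead window, so a code cannot be replayed once the ASPSP has advanced the counter past it.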
As noted above, independence is a crucial factor for ensuring strong security: separate devices for the transaction and the authentication give the highest level of assurance, and a single device is acceptable only where its communication channels are independent and the device itself is well secured.
The various communication channels each have their own vulnerabilities; SMS, for example, is exposed to interception and SIM-swap attacks, and e-mail to account compromise and phishing.
Yes, the list is useful, but the approach of the RTS should be to set out principles which firms can apply in their own way. Firms should be able to make their own risk-based assessments as to when to use, or not to use, strong authentication. This leaves scope for security measures to develop and improve in response to evolving threats.
This section discusses "sensitive information"; this term needs a clearer definition and might, for example, include customer log-on credentials.
It is unclear to us whether direct debits are to be included as requiring strong authentication. We would argue against this, as the current flexibility of set-up is key to the direct debit's success and other measures already provide a high degree of customer protection.
Recurring transactions should be exempted in view of the relatively low risk they present.
Nothing to add, although the list should not be seen as necessarily complete, nor should it be prescriptive. As ever, flexibility will be key as the market evolves.
The clarifications are helpful.
We believe it is essential that customer log-on credentials remain secret in line with the message which has been given consistently to customers for some years.
We have nothing to add at this point, but the EBA’s approach should allow for technological development in the future which may strengthen PSP processes in this area.
Some degree of external inspection of the security components of the payments chain already happens today, e.g. of PIN security. Such external inspection is likely to be necessary in a growing market with a greater diversity of firms subject to relatively light regulatory regimes, in particular where such firms might have access to personalised security credentials.
The customer and the customer's devices are often the most vulnerable part of the payment chain, and this is likely to continue. However, as market participants emerge that might hold data concerning many customers spread across many firms, these could become a focus for fraudsters and other criminals. This risk further reinforces our view that personalised security credentials should not be shared in any way and that other sensitive data must be thoroughly safeguarded.
The clarifications are helpful, although they should also address card-based payment instrument issuers.
In addition to those items listed, there is a need for an effective governance framework. This should include:
• an overarching authority to manage the rights / responsibilities of all participants;
• a body to define open standards; and
• an authority to manage certificates to show the authorisation of market participants.
We believe such a body or bodies would bring order to what might otherwise be a disorderly market, assisting both established ASPSPs and new TPPs. Such an arrangement is likely to make connectivity between participants easier to establish, more efficient and more certain.
In the UK considerable work has been done under the auspices of the OBWG to draw up proposals for standardised access to bank data by authorised third parties. This will lead to open standards for APIs which we understand would be useable in the context of PISPs and AISPs working with ASPSPs. We suggest that EBA examine this work as a basis for its open standards.
We understand that the OBWG approach, using open APIs many of which are to standards that are already in use, would allow for integration of further innovative business models in the future. This approach would allow both PSPs and customers to be identified and authenticated without sharing personalised security credentials.
The EBA should ensure that whatever approach is adopted allows for ease of interoperability between all participants. While Europe-wide standards would be preferable, if for any reason this is not possible allowance should be made for a member state approach with interoperability between national “systems”.
While eIDAS-regulated identification services would be worth exploring, our preliminary view is that such services are today likely to be too slow and inflexible for strong authentication in the payment services environment. They would require further enhancement to operate effectively in this dynamic environment.
The confidentiality of customer credentials is in our view essential. If Qualified Trust services such as electronic signatures enabled such confidentiality to be maintained while providing dynamic identification and verification of customer and PISP/AISP to the ASPSP, they may have a role to play in meeting PSD2 requirements.
In particular, if such qualified trust services involved the PISP/AISP presenting a certificate to the ASPSP for each transaction, this could be helpful. Such certificates would need to give assurance that the PISP/AISP holds a current registration with the relevant national regulator or the EBA, and if that registration is cancelled the certificate must be revoked immediately. Such a service, subject to feasibility, could be beneficial.
A principles approach to identification and verification may allow for use of Qualified Trust services.
Should you require any further information, RBS would be extremely happy to engage further. Please address any questions on these comments in the first instance to David Malley, Payments, The Royal Bank of Scotland plc,
Level 2, Premier Place, 2½ Devonshire Square, London EC2M 4AA.
Telephone: +44 (0)20 7672 8864 E-mail: David.Malley@NatWest.com