Response to discussion on RTS on strong customer authentication and secure communication under PSD2
Go back
RBS provides a variety of financial services for personal, business and commercial customers. RBS, NatWest, Ulster Bank and a number of smaller brands serve some 15 million customers through their network of branches and ATMs throughout the United Kingdom as well as through telephone, internet and mobile banking. In addition Ulster Bank has a significant operation offering similar services in the Republic of Ireland. RBS is therefore well placed to respond to the Consultation Paper.
RBS has worked closely with Payments UK in response to the Consultation issued by the EBA on 8 December 2015. Our thinking has been channelled into their response, which we support and recommend to the EBA.
We have also had sight of and commented on responses from other industry bodies such as the European Banking Federation (EBF) and also support their response.
We support the industry position and would refer the EBA to these responses for more detailed comments. We would nonetheless like to take this opportunity to provide you with an outline of our position and emphasise a number of points.
General Points
Principles Based
RBS believes that the EBA should adopt a principles based approach to Strong Authentication and Secure Communication. This will enable the market participants the flexibility to embed these principles in a practical way at the working level. There is a risk in producing very prescriptive technical requirements that these will be overtaken by technological developments in this fast moving environment, possibly stifling innovation which users (consumers and businesses, large and small) would find useful.
Industry Standards
There is, however, a need for standards within the framework of EBA principles. This is necessary to enable market participants to communicate with each other and produce workable services for users. In the absence of agreed standards the market could stall as participants are unable to communicate or are faced with a plethora of different connectivity requirements. In this case standards can make the market more competitive by providing a level playing field for participants to compete on.
The standards will need to be reviewed from time to time and we believe this can be done more readily / frequently in the market rather than by the EBA.
Governance
In order to achieve the desirable level of interoperability/standardisation, we believe that a form of governance authority for the market will be necessary. This will need to have the confidence of all market participants and be empowered to set standards for all.
Confidentiality of Credentials
It is essential that security and privacy are maintained. For this reason RBS does not believe that customer credentials should be accessible to any party but the customer and, to a limited extent (e.g. in encrypted form), the ASPSP.
This is essential to maintain the integrity of the payments systems and the accountability of all parties. Conventional customer log-on credentials for on line banking and similar devices should therefore remain secret. Some business models have required third parties to access previously secret credentials. We believe that this is potentially risky and suggest instead other approaches such as use of APIs which would achieve the same ends for less risk.
Similarly it is essential that PISPs and AISPs do not hold more customer data than absolutely necessary. They should maintain it securely and not use it for other than the authorised purpose.
UK Open Banking Working Group and APIs
In the UK a good deal of work has been done by the Open Banking Working Group (OBWG) on related matters which would allow third parties to access customer banking data safely. APIs appear to offer a practical way to achieve such access. RBS therefore suggests that the EBA should review this work as a useful background in developing its own proposals.
APIs are in increasingly widespread use and provide a practical means for data sharing in a secure way. There will need to be a degree of standardisation to enable mutual access which may additionally enable many potentially different uses by market participants. Standards should be open ones developed in a transparent way.
Risk Based Approach to Strong Authentication
Strong Authentication provides a high level of protection to customers and Payment Service Providers alike. However, in some circumstances it may not be appropriate to use strong authentication, most likely because other safeguards can simultaneously provide a high level of comfort and make the customer experience easier. We therefore welcome the EBA’s examination of exceptions to Strong Authentication and urge it to adopt an approach that allows PSPs to adopt a risk based approach to its use providing the risk framework is a rigorous one. The EBA might for example reference a minimum standard that reflects that PSPs use “step up” authentication for high risk transactions i.e. strengthened authentication where risks are greater.
Due Diligence and Checking Registrations
Finally, in the context of PISP and AISP services it is essential that ASPSPs can have confidence that their customers are dealing with firms that meet all relevant requirements. This is likely to require an initial due diligence and on-boarding process prior to any transactions by the TPP to the relevant ASPSP. Subsequently there must be a means for ASPSPs to be able to check the authorisation of such organisations in real time when processing a transaction. This will be necessary to ensure that customers deal only with bona fide firms. We believe it will be necessary for national regulators' registers and EBA registers to be readily accessible and updated in real time.
Question 1
Our main concern would be to ensure that the payments environment is secure, while acknowledging that all activities in this sphere have a risk of fraud. Other examples of relevant transactions might include e.g. change of address and similar. However, we would want EBA to leave scope for banks to manage their own risk, while developing and enhancing security.
A “one size fits all approach” may not be appropriate e.g. card transactions do not offer the same opportunity for full Strong Authentication as online credit transfers, other than 3D secure.
It is essential that standards are developed such that PSPs are able to assess the most effective approach in the risk environment in which they operate and allow for technological development in the coming years.
As long as there is independence of communication channels and high levels of security within the device then it is possible to ensure the objectives of strong customer authentication. This is, however, likely to be an area requiring frequent upgrading.
In respect of the increasing trend to move to mobile, as long as there is independence of communication channels and high levels of security within the device then strong customer authentication requirements can be met.
As long as there is independence of communication channels and high levels of security within the device then it is possible to ensure the objectives of strong customer authentication.
The various communication channels each have their own vulnerabilities (whether SMS, e-mail etc).
This section discusses “sensitive information”; this is a term which needs better definition and might, for example, include customer log-on credentials.
It is unclear to us whether direct debits are to be included as requiring Strong Authentication. We would argue against this as the current flexibility of set-up is key to the direct debit’s success and other measures provide a high degree of customer protection.
• an overarching authority to manage the rights / responsibilities of all participants;
• a body to define open standards; and
• an authority to manage certificates to show the authorisation of market participants.
We believe such a body/bodies would bring order to what might otherwise be a disorderly market assisting both established ASPSPs and new TPPs. Such an arrangement is likely to make connectivity between participants easier to establish, more efficient and more certain.
The EBA should ensure that whatever approach is adopted allows for ease of interoperability between all participants. While Europe-wide standards would be preferable, if for any reason this is not possible allowance should be made for a member state approach with interoperability between national “systems”.
In particular if such Qualified Trust services involved presenting a certificate to the ASPSP by the PISP/AISP for each transaction this could be helpful. Such certificates would need to give assurance that the PISP/AISP had a current registration with the relevant national regulator/EBA. If cancelled the qualified trust signature must be updated/withdrawn immediately. Such a service, subject to feasibility, could be beneficial.
A principles approach to identification and verification may allow for use of Qualified Trust services.
Should you require any further information, RBS would be extremely happy to engage further. Please address any questions on these comments in the first instance to David Malley, Payments, The Royal Bank of Scotland plc,
Level 2, Premier Place, 2½ Devonshire Square, London EC2M 4AA.
Telephone: +44 (0)20 7672 8864 E-mail: David.Malley@NatWest.com
Yours faithfully,
Marion King
Director of Payments
1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
The Royal Bank of Scotland (RBS) welcomes the opportunity to respond to the EBA’s discussion paper on the RTS for Strong Authentication and Secure Communication which it is required to draft by the new Payment Services Directive 2016 (PSD2).RBS provides a variety of financial services for personal, business and commercial customers. RBS, NatWest, Ulster Bank and a number of smaller brands serve some 15 million customers through their network of branches and ATMs throughout the United Kingdom as well as through telephone, internet and mobile banking. In addition Ulster Bank has a significant operation offering similar services in the Republic of Ireland. RBS is therefore well placed to respond to the Consultation Paper.
RBS has worked closely with Payments UK in response to the Consultation issued by the EBA on 8 December 2015. Our thinking has been channelled into their response, which we support and recommend to the EBA.
We have also had sight of and commented on responses from other industry bodies such as the European Banking Federation (EBF) and also support their response.
We support the industry position and would refer the EBA to these responses for more detailed comments. We would nonetheless like to take this opportunity to provide you with an outline of our position and emphasise a number of points.
General Points
Principles Based
RBS believes that the EBA should adopt a principles based approach to Strong Authentication and Secure Communication. This will enable the market participants the flexibility to embed these principles in a practical way at the working level. There is a risk in producing very prescriptive technical requirements that these will be overtaken by technological developments in this fast moving environment, possibly stifling innovation which users (consumers and businesses, large and small) would find useful.
Industry Standards
There is, however, a need for standards within the framework of EBA principles. This is necessary to enable market participants to communicate with each other and produce workable services for users. In the absence of agreed standards the market could stall as participants are unable to communicate or are faced with a plethora of different connectivity requirements. In this case standards can make the market more competitive by providing a level playing field for participants to compete on.
The standards will need to be reviewed from time to time and we believe this can be done more readily / frequently in the market rather than by the EBA.
Governance
In order to achieve the desirable level of interoperability/standardisation, we believe that a form of governance authority for the market will be necessary. This will need to have the confidence of all market participants and be empowered to set standards for all.
Confidentiality of Credentials
It is essential that security and privacy are maintained. For this reason RBS does not believe that customer credentials should be accessible to any party but the customer and, to a limited extent (e.g. in encrypted form), the ASPSP.
This is essential to maintain the integrity of the payments systems and the accountability of all parties. Conventional customer log-on credentials for on line banking and similar devices should therefore remain secret. Some business models have required third parties to access previously secret credentials. We believe that this is potentially risky and suggest instead other approaches such as use of APIs which would achieve the same ends for less risk.
Similarly it is essential that PISPs and AISPs do not hold more customer data than absolutely necessary. They should maintain it securely and not use it for other than the authorised purpose.
UK Open Banking Working Group and APIs
In the UK a good deal of work has been done by the Open Banking Working Group (OBWG) on related matters which would allow third parties to access customer banking data safely. APIs appear to offer a practical way to achieve such access. RBS therefore suggests that the EBA should review this work as a useful background in developing its own proposals.
APIs are in increasingly widespread use and provide a practical means for data sharing in a secure way. There will need to be a degree of standardisation to enable mutual access which may additionally enable many potentially different uses by market participants. Standards should be open ones developed in a transparent way.
Risk Based Approach to Strong Authentication
Strong Authentication provides a high level of protection to customers and Payment Service Providers alike. However, in some circumstances it may not be appropriate to use strong authentication, most likely because other safeguards can simultaneously provide a high level of comfort and make the customer experience easier. We therefore welcome the EBA’s examination of exceptions to Strong Authentication and urge it to adopt an approach that allows PSPs to adopt a risk based approach to its use providing the risk framework is a rigorous one. The EBA might for example reference a minimum standard that reflects that PSPs use “step up” authentication for high risk transactions i.e. strengthened authentication where risks are greater.
Due Diligence and Checking Registrations
Finally, in the context of PISP and AISP services it is essential that ASPSPs can have confidence that their customers are dealing with firms that meet all relevant requirements. This is likely to require an initial due diligence and on-boarding process prior to any transactions by the TPP to the relevant ASPSP. Subsequently there must be a means for ASPSPs to be able to check the authorisation of such organisations in real time when processing a transaction. This will be necessary to ensure that customers deal only with bona fide firms. We believe it will be necessary for national regulators' registers and EBA registers to be readily accessible and updated in real time.
Question 1
Our main concern would be to ensure that the payments environment is secure, while acknowledging that all activities in this sphere have a risk of fraud. Other examples of relevant transactions might include e.g. change of address and similar. However, we would want EBA to leave scope for banks to manage their own risk, while developing and enhancing security.
A “one size fits all approach” may not be appropriate e.g. card transactions do not offer the same opportunity for full Strong Authentication as online credit transfers, other than 3D secure.
2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
Physical means of security and authentication are generally more secure than data forms. However, use of data forms to aid security and authentication would have a positive impact on the overall customer experience/ journey versus the use of physical security and authentication, e.g. bulky card readers. While data is a weaker form of security and authentication, the use of Software to create, for example, OTP, “tokenisation” or challenge responses could be used providing that related secret data is adequately protected and initialised via a suitably robust enrolment processIt is essential that standards are developed such that PSPs are able to assess the most effective approach in the risk environment in which they operate and allow for technological development in the coming years.
3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?
Behaviour based characteristics could be an important part of customer authentication. This is a developing technique which we expect to have a role to play as part of a layered authentication approach. As such, behaviour-based characteristics could provide one part of the picture in assessing whether a customer/transaction is genuine.4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
The growing desire of customers to use mobile devices is a challenge for PSPs. To achieve the highest levels of security separate devices would always be used for transactions and authentication. This is not always practical when customers are on the move. However, the risks of using one device only can be mitigated, so long as there is independence of communication channels on a device.As long as there is independence of communication channels and high levels of security within the device then it is possible to ensure the objectives of strong customer authentication. This is, however, likely to be an area requiring frequent upgrading.
In respect of the increasing trend to move to mobile, as long as there is independence of communication channels and high levels of security within the device then strong customer authentication requirements can be met.
5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?
Dynamic linking could be highly beneficial in principle, but the subject of dynamic linking is one which requires further definition. We recognise that some form of token is likely to be used, but would advocate flexibility for PSPs in choosing their own method. That flexibility should also extend to allowing PSPs to assess the riskiness of transactions and dis-apply dynamic linking if they feel it appropriate.6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?
As noted above independence is a crucial factor for ensuring strong security. To achieve the highest levels of security separate devices would always be used for transactions and authentication. However, the risks of using one device only can be mitigated, so long as there is independence of communication channels on a device.As long as there is independence of communication channels and high levels of security within the device then it is possible to ensure the objectives of strong customer authentication.
The various communication channels each have their own vulnerabilities (whether SMS, e-mail etc).
7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?
Yes, the list is useful, but the approach of the RTS should be to adopt principles which firms can apply in their own way. Firms should be able to apply their own risked based assessments as to when to use – or not – strong authentication. This will leave scope for security measures to develop and improve in relation to developing threats.This section discusses “sensitive information”; this is a term which needs better definition and might, for example, include customer log-on credentials.
It is unclear to us whether direct debits are to be included as requiring Strong Authentication. We would argue against this as the current flexibility of set-up is key to the direct debit’s success and other measures provide a high degree of customer protection.
8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?
Recurring transactions should be exempted in view of the relatively low risk they present.9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?
Nothing to add, although the list should not be seen as necessarily complete nor should it be prescriptive. As ever flexibility will be key as the market evolves.10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?
The clarifications are helpful.11. What other risks with regard to the protection of users’ personalised security credentials do you identify?
We believe it is essential that customer log-on credentials remain secret in line with the message which has been given consistently to customers for some years.12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?
We have nothing to add at this point, but the EBA’s approach should allow for technological development in the future which may strengthen PSP processes in this area.13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?
Some degree of external inspection of the security components of the payments chain already happens today e.g. PIN security. Such external inspection is likely to be necessary in a growing market with a greater diversity of firms subject to relatively light regulatory regimes, in particular where there might be access to personalised security credentials.14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?
The customer and customer devices are often the most vulnerable part of the payment chain and this is likely to continue. However, as market participants which might have access to data concerning many customers spread across many firms emerge; these could be a focus for fraudsters and other criminals. This risk further re-enforces our view that personalised security credentials should not be shared in any way and other sensitive data must be thoroughly safeguarded.15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?
The clarifications are helpful, although they should also address Card based Payment Instrument Issuers.16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?
In addition to those items listed, there is a need for an effective governance framework. This should include:• an overarching authority to manage the rights / responsibilities of all participants;
• a body to define open standards; and
• an authority to manage certificates to show the authorisation of market participants.
We believe such a body/bodies would bring order to what might otherwise be a disorderly market assisting both established ASPSPs and new TPPs. Such an arrangement is likely to make connectivity between participants easier to establish, more efficient and more certain.
17. In your opinion, is there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?
In the UK considerable work has been done under the auspices of the OBWG to draw up proposals for standardised access to bank data by authorised third parties. This will lead to open standards for APIs which we understand would be useable in the context of PISPs and AISPs working with ASPSPs. We suggest that EBA examine this work as a basis for its open standards.18. How would these requirement for common and open standards need to be designed and maintained to ensure that these are able to securely integrate other innovative business models than the one explicitly mentioned under article 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?
We understand that the OBWG approach, using open APIs many of which are to standards that are already in use, would allow for integration of further innovative business models in the future. This approach would allow both PSPs and customers to be identified and authenticated without sharing personalised security credentials.The EBA should ensure that whatever approach is adopted allows for ease of interoperability between all participants. While Europe-wide standards would be preferable, if for any reason this is not possible allowance should be made for a member state approach with interoperability between national “systems”.
19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, DP on future RTS on strong customer and secure communication under PSD2 31 authentication, notification, and information? If yes, please explain how. If no, please explain why.
While e-IDAS regulated identification services would be worth exploring, our preliminary view is that such services today are likely to be too slow and inflexible to use for strong authentication in the payment services environment. They would require further enhancement to operate effectively in this dynamic environment.20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.
The confidentiality of customer credentials is in our view essential. If Qualified Trust services such as electronic signatures enabled such confidentiality to be maintained while providing dynamic identification and verification of customer and PISP/AISP to the ASPSP, they may have a role to play in meeting PSD2 requirements.In particular if such Qualified Trust services involved presenting a certificate to the ASPSP by the PISP/AISP for each transaction this could be helpful. Such certificates would need to give assurance that the PISP/AISP had a current registration with the relevant national regulator/EBA. If cancelled the qualified trust signature must be updated/withdrawn immediately. Such a service, subject to feasibility, could be beneficial.
A principles approach to identification and verification may allow for use of Qualified Trust services.
Should you require any further information, RBS would be extremely happy to engage further. Please address any questions on these comments in the first instance to David Malley, Payments, The Royal Bank of Scotland plc,
Level 2, Premier Place, 2½ Devonshire Square, London EC2M 4AA.
Telephone: +44 (0)20 7672 8864 E-mail: David.Malley@NatWest.com
Yours faithfully,
Marion King
Director of Payments