PSD2: Strong customer authentication
Proposed standards for strong authentication stir numerous controversies.
Consultations are nearing the end on the proposed Regulatory Technical Standards (RTS) for strong customer authentication announced by the European Banking Authority pursuant to the revised Payment Services Directive (2015/2366, known as PSD2). This proposal was much awaited by the entire financial technology industry. The standards could have a huge impact on business models and tech solutions applied on the FinTech market.
One of the biggest controversies involves the use of strong customer authentication. Under the relevant provision of PSD2, which is the legal basis for the use of strong authentication, it is to be applied, among other situations, when the payer initiates an “electronic payment transaction.” The EBA itself admitted the controversy surrounding the scope of this concept when it took certain efforts to clarify its meaning.
The term “electronic payment transaction” is not defined in PSD2. It should at least be accepted that it is not identical to the notion of a “remote electronic payment transaction,” as PSD2 Art. 97(2) apparently assumes that a remote electronic payment transaction is only one type of electronic payment transaction.
The requirement for strong customer authentication has traditionally been associated only with online transactions. But under the concept of electronic payment transactions, such a narrow interpretation is no longer so obvious. The clarifications by the EBA and the wording of the proposed standards also indicate that it is incorrect to limit the notion of electronic transactions to online transactions.
Thus it must be considered what types of transactions should actually be covered by the requirement for strong customer authentication. The wording of PSD2 and the RTS suggests that this requirement will generally apply, among other things, to transactions made using cards in the traditional manner (not in an online environment). This is indicated indirectly in the exclusion in the proposed RTS for low-value contactless payments made at the point of sale. Such an exclusion would be gratuitous if it were assumed that point-of-sale card transactions were beyond the scope of electronic payment transactions.
There are even greater controversies surrounding transactions initiated at a bank branch. In the reality of the financial systems of today, nearly every transaction is electronic in nature—only the manner in which the transaction is initiated differs. Adopting an extremely broad interpretation of the notion of an electronic payment transaction, it could be concluded that even
a handwritten instruction to transfer funds submitted in person at the bank in some sense constitutes initiation of an electronic payment transaction.
Bearing this in mind, it seems that future RTS should more clearly demarcate the conceptual bounds of electronic payment transactions, at the very least through additional exclusions (e.g. exemption from the requirement of strong customer authentication in the case of initiation of a transaction in person, at the service provider’s premises, when the customer’s identity is authenticated by an employee of the service provider).
It should also be pointed out that both PSD2 and the RTS draw distinctions in the requirement for strong authentication depending on whether or not the transaction is conducted remotely. Remote transactions must be authenticated using dynamic elements linking the transaction with a specific amount and recipient.
Krzysztof Wojdyło, New Technologies Practice, Wardyński & Partners
The article is a part of the New Technologies Newsletter, October 2016