The EU’s banking watchdog has said that it wants account information service providers (AISPs) to stop relying on authentication procedures run by banks, as it sends its payments legislation wishlist on to Brussels.
Reforms to the revised Payment Services Directive (PSD2) have continued to gather pace, with the European Banking Authority (EBA) responding to the European Commission’s call for views.
The EBA’s suggestions are varied, but at the top of the list are reforms to strong customer authentication (SCA). This is perhaps unsurprising given the almost continual controversy since the first concrete proposals to apply SCA were drafted in 2016.
The EBA has said that the commission should amend the approach taken in PSD2 so that AISPs apply their own SCA, instead of the banks or other account servicing payment service providers (ASPSPs). This would apply after an initial SCA has been performed with the ASPSP the first time the payment service user (PSU) accesses the payment account through their AISP.
To support this change, the EBA has also proposed that the allocation of liability between third-party providers and ASPSPs towards the customer should be amended accordingly.
The EBA has also proposed that, in order for PSUs to remain in control of their data, they should be allowed to withdraw the consent given to the AISP via the ASPSP.
Feedback from the Paris-based body has also suggested clarifying the application of SCA and the types of transactions in scope.
This includes one-leg transactions, which occur when only one of the payment service providers is located in the European Economic Area.
Moreover, the EBA has said that it wants to see rules developed around authentication via smartphones.
“The EBA acknowledges that there is not a contractual relationship between the PSP and the smartphone manufacturer when the smartphone is used for applying SCA and that the control of the SCA, although depending on the implementation, may be with the mobile phone manufacturer,” the report says.
The EBA has expressed concern that, under the current arrangement, PSPs are not required to check that these third parties, in this instance smartphone manufacturers, are applying security measures that comply with the requirements of PSD2 and the EBA’s regulatory technical standards for SCA.
Here, the authority has called for clarification on whether such use of third-party technology would require an outsourcing agreement, and whether any conditions should apply if the European Commission concludes that an outsourcing agreement is not needed.
Other recommendations
One of the largest root causes of payments fraud over the years has been online card-not-present fraud. SCA was partly introduced to tackle this type of fraud.
But the risk of fraud never goes away as fraudsters shift targets and adapt.
The EBA has called for the European Commission to counter other forms of payments fraud when PSD2 is revised.
Echoing jurisdictions such as the UK and Singapore, which have been grappling with a rise in fraud hitting consumers and businesses, the EBA has suggested addressing new security risks for customers, such as social engineering fraud, where customers are tricked into initiating a payment transaction themselves.
It also wants to tackle unauthorised and/or fraudulent transactions, relating to subscription scams, errors and fraudulent mandates.
The EBA has also acknowledged the shift to open finance and the lessons that can be drawn from the implementation of open banking.
Here, the expansion of SCA to other forms of account data and a single API standard across the EU have been touted.
The EBA has joined other regulators and lawmakers in calling for the commission to clarify the interplay between PSD2 and the General Data Protection Regulation, as well as calling for Brussels to set the right incentives for stakeholders to get involved with open finance.
Finally, the EBA strongly supports merging PSD2 with the Electronic Money Directive.
According to the banking body, it represents “an opportunity to harmonise the applications of the legal framework, streamline and simplify the applicable requirements for PIs (payment institutions) and EMIs (electronic money institutions).”
The EBA also says the merger will help avoid regulatory arbitrage and create a level playing field between different PSPs.