Chile has taken a page from the EU’s playbook, with its new rules on payment security and authentication clearly taking inspiration from the revised Payment Services Directive (PSD2).
Chile’s financial regulator has moved to bolster the country’s standards for digital payment security, with a consultation on the matter open until May 5.
The Comisión para el Mercado Financiero (CMF) is seeking feedback on new rules that would introduce mandatory strong customer authentication (SCA) for a wide range of electronic payments.
The proposal closely mirrors the EU’s PSD2, which an English translation of the consultation says “was mainly considered”, including its requirement for two-factor authentication in high-risk transactions.
Alongside PSD2, the CMF has cited international standards from the US National Institute of Standards and Technology (NIST) and technical guidelines from the European Banking Authority (EBA) to justify its approach.
Clear consumer protection standards
The new regulation sets minimum security, registration and authentication standards that will affect banks, payment card issuers, savings and credit cooperatives, and other financial institutions that are supervised by the CMF.
Like PSD2, it aims to unify and strengthen the protection of customers against fraud, and it also brings the regulator’s standards into alignment with reforms introduced under Law No. 20,009, which sets liability rules for card and online payments fraud.
Under the proposed rules, SCA will be mandatory in scenarios such as:
- Logging into online or mobile banking.
- Changing personal data or authentication credentials.
- Adding new payees or scheduling recurring payments.
- Executing transactions involving the movement of funds.
- Activities deemed atypical based on the user’s past behaviour.
There are some exemptions — for example, low-value payments under CLP20,000 ($20), pre-authorised recurring transactions and fund transfers between a user’s own accounts.
The CMF also emphasised that institutions will be held accountable if users suffer losses due to non-compliance with the new rules.
“Issuers shall be liable for damages caused to users due to non-compliance with the security, registration and authentication standards established in this regulation.”
The proposed framework has a one-year implementation window once finalised, and institutions will be required to submit a compliance roadmap to the CMF within 90 days of the regulation taking effect.
Change ahead for the payments ecosystem
The new regulation will mean changes across the board for those in the payments space, especially issuers and merchants.
Issuers will need to prepare for rising regulatory risk from the liability changes, and merchants will need to anticipate possibly more friction in their checkouts.
For example, issuers would do well to audit their current customer authentication processes, which should allow them to identify gaps against Chile’s new SCA requirements.
Implementing two-factor authentication will be essential, especially for higher-risk use cases such as account access, setting up recurring payments and unusual transaction patterns.
At the same time, optimising for user experience, particularly via mobile, will be key to reducing friction.
Issuers operating in Chile should also develop systems that are able to support risk-based exemptions for low-value transactions or trusted beneficiaries, so that compliance is guaranteed without unnecessarily burdening users.
Merchants, meanwhile, especially those with a heavy online presence, will need to familiarise themselves with where SCA applies, such as during customer login, subscription setup and high-risk payments.
To account for this, checkout flows will need to be updated to trigger authentication when required, ideally using modern 3DS solutions that balance security with speed.
Merchants should also work closely with payment processors to monitor for any spikes in decline rates or basket abandonment following the implementation — something merchants in Europe warned about in the run-up to the implementation of PSD2.
A dated set of requirements
One thing to keep in mind for Chile is that the country will be implementing rules that are soon going to be out of date in both the EU and the UK, given that both jurisdictions are expected to overhaul their SCA requirements.
Nevertheless, PSD2’s SCA regime is still the global benchmark, and updates in the UK and EU are unlikely to drop the core principles of the regulation.
As has been seen with the reduction in unauthorised fraud since implementation, it is abundantly clear that this mechanism has in many ways provided a timeless security measure.