.svg)
The industry had five years to understand and develop their strong customer authentication (SCA), and they failed, a senior official at the European Banking Authority (EBA) has said.
Dirk Haubrich, the EBA’s payments and consumer chief, has long said that the role of the EU’s banking supervisor is to make sure that everybody is equally unhappy with the rules and guidance that it oversees.
“The EBA’s purpose is to distribute the burden among the various warring factions,” he told an audience at the European Payment Institutions Federation on November 16, adding that partnerships between third-party providers and the banks have meant that these warring factions are beginning to subside.
Haubrich, who previously served as a UK civil servant and has been working for the EBA for nearly a decade, has a no-nonsense approach to the payments industry that he oversees.
His latest comments did nothing to alter this reputation.
“People don’t just have a hundred pages of PSD2, as you will all be aware, to those 100 pages or rather, articles, there is a large number of additional pages that the EBA created,” he said.
The EBA was mandated to do this, but even more so, this was requested by the industry, he said, before adding: “This is the same industry that we’ve heard wants to have less text. They actually approached us, including the card schemes, to provide clarity.”
Avoidance tactics
Parts of the industry have been avoiding their compliance requirements with PSD2, Haubrich said. “They are trying to define it in a way so that they don’t have to do X and they don’t have to do Y.”
This means that they are undermining what the revised Payment Services Directive (PSD2) actually calls for them to do, he said, adding that this is why the EBA has been forced to intervene and add certain clarifications so that it is clear what is expected of the payments ecosystem.
In addition, Haubrich said that the only delays to PSD2 have been when the industry has been late in complying. “That is a huge lesson to learn for us. The inability of the industry to get together and make sure that everybody is able to comply with the requirements imposed by the PSD2 directive has been striking.”
This has been the case with SCA in particular, he complained, noting that the industry would have first become aware of two-factor authentication in 2015.
“The industry was not able to set it up in five years, and that’s despite the EBA actually prior to the PSD2 coming into force introducing guidelines that implemented a light touch version of SCA,” he said, adding that this meant the industry had even more time to get ready.
“And still, they failed.”
Going forward the EBA will look to ensure the same mistakes are not made again: “There was a delay, a major delay, and one of the things that we are interested in seeing in the PSD3 is that whatever the changes that the PSD3 may or may not bring about, that sort of delay in compliance is avoided and prevented.”
Haubrich warned that measures need to be taken to make sure that happened.
SCA was a source of anxiety throughout the payments ecosystem last year, with many calling for a delay after COVID-19 struck.
No delay was issued and both the EBA and the European Commission hinted that there would be tough action taken against non-compliance come New Years’ Day when compliance would be expected.
However, this does not mean that national regulators did not go their own way, with so-called ramp-up strategies being pursued by many.
These strategies resulted in different countries fully implementing SCA at different times. For example, some countries such as Denmark, pushed back full implementation by a matter of days. Others, including Austria and Germany, opted to wait until April, and France pushed back full authentication until the end of June.
Although the EU’s authorities did suggest that they were in their right to take legal action against the national competent authorities, it appears so far that they have not pursued this.
Account access
Those warring factions in the payments community could further die down should the PSD3 address account access, Haubrich said.
It is absolutely unacceptable that we still see banks putting obstacles in front of third-party providers (TPPs) when it comes to account access, he said.
“This could have been avoided if the EBA had decided to impose one single API standard,” he added.
Yet, this would have taken an incredibly long time, he warned. “There would have been benefits from it. We had a keen interest three or four years ago in a single API.”
“At the time, nobody had a great interest in the API, but we did as it would make sure that it is not only those TPPs that already existed in the market at the time of the PSD2 and our technical standards that would have access to the market but also new entrants,” he continued.
As can be seen from the industry, the API schemes that are in place are still not finalised, he pointed out.
Haubrich also mentioned the EBA’s regulatory technical standards (RTS) on SCA exemptions, for which an amendment has recently been put out for consultation by the banking watchdog.
“What has been interesting over the last few weeks since we published the consultation paper has been that, as a first response, there have been some arguments against it from the banks,” he pointed out.
These banks, the ones who are behind the curve, have suggested that this should not be done in an RTS but instead PSD3, he said, quipping that this basically means waiting another four or five years. “This is of course nonsense, what we are doing is absolutely the right thing to do.”
As well as this, there are concerns from consumer organisations about the data aspects, considering the change will grant easier access to accounts. “This is a valid concern, but we’ve put in place all the necessary security, guarantees and safeguards for this not to be able to be abused.”
Then there is the TPPs. “The initial reaction to the proposal was in most cases negative as well. That was a bit surprising.”
So far, TPPs have warned VIXIO that the EBA’s change will result in can-kicking for re-authentication, although they have also been welcoming of the prospect.
“Some TPPs seem to be of the view that just because their wishlist isn’t being filled, something must be very wrong. However, there isn’t anything wrong at the EBA and we do what we can within the legal constraints,” responded Haubrich.
The TPPs' response may end up meaning that the EBA chooses to put the new standards on ice, he warned.
“It has a particular aim of making life easier for TPPs. And if the TPPs complain about how this is not good enough, then we may actually come to the conclusion that we are not going to amend the RTS.”
