Is The End Nigh For 90-Day SCA?

October 29, 2021
Back
The European Banking Authority has launched a public consultation on the amendment of its regulatory technical standards on strong customer authentication and secure communication regarding the 90-day exemption — a notorious bugbear in the revised Payment Services Directive (PSD2).

The European Banking Authority (EBA) has launched a public consultation on the amendment of its regulatory technical standards (RTS) on strong customer authentication and secure communication (SCA&CSC) regarding the 90-day exemption — a notorious bugbear in the revised Payment Services Directive (PSD2).

The proposed amendment aims at addressing a number of issues that the EBA has identified in the application of the exemption by some account servicing payment service providers (ASPSPs) across the EU member states.

The consultation runs until November 25, and a public hearing will also be held on November 11.

This has been a quick turnaround from the EBA’s stated commitment last week that it would put out a consultative document on the subject. This follows consistent complaints from the industry about the impact that the measure has had.

Last week, the EBA accepted the complaints that the 90-day re-authentication rule prompted a more frequent application of SCA for customers using account information services, including every time the end-user accesses their account online, and this had led to a detrimental impact on AISPs’ services.

The pressure was further notched up this year when, in January, the UK’s Financial Conduct Authority (FCA) published proposed amendments to its technical standards on SCA, including a measure that would exempt customers of AISPs from having to re-authenticate every 90 days. These amendments were then confirmed in May 2021.

Previously, both the EBA’s payments chief, Dirk Haubrich, as well as his counterpart at the European Commission, Eric DuCoulombier, have said that the issue should be re-opened.

The new consultation paper aims at addressing issues that the EBA has identified in the application of this exemption, including where an ASPSP (i.e., typically a bank) has not made use of the exemption and requests SCA for each account access, or where they request SCA more frequently than every 90 days, as allowed by the RTS.

In an effort to address the impact of these issues on AISPs’ services, the banking watchdog wants to introduce a new mandatory exemption from SCA for the specific use case when the access is done through an AISP that is subject to certain safeguards and conditions aimed at ensuring the safety of the customers’ data.

Meanwhile, for when customers access the data directly, the EBA is proposing to retain the exemption in Article 10 to be voluntary as is currently the case, as no specific issues have been identified here, the regulator said.

However, to ensure a level playing field among all payment service providers (PSPs), the EBA wants to extend the 90-days timeline in Article 10 of the RTS on SCA&CSC for the renewal of SCA to the same 180-day period for the renewal of SCA when the account data is accessed through an AISP.

The consultation has triggered a sense of relief among the EU’s PSP community, including Ralf Ohlhausen, chair of the European Third Party Providers Association,

“Having lobbied for an amendment of this exemption for over four years, since the very first draft version of the RTS, it is a great relief to see this proposal and consultation now happening,” he told VIXIO, stating that the most important part is that this exemption becomes mandatory when involving an AISP.

Extending the period from 90 to 180 days makes it slightly better, but not good enough, he added. “Requiring an initial SCA to opt-in is fair enough, but not any ‘re-opt-in’ thereafter. The best practice across all industries is to facilitate a 1-click opt-out, and there is no reason for anything different here,” he said, arguing that even if a re-opt-in was stipulated that should not require an SCA with the bank, but just a re-consent to the AISP.

“Currently, AISPs are basically losing all their customers every 90 days and it should be understood that we don’t want to lose them every 180 days either,” he commented, stating that fraud can happen when money is moved, but not just by looking at it.

According to Ohlhausen, the account access SCA should actually be abandoned altogether. “I am not aware of any evidence that it is actually mitigating any fraud risk at all. So, I have a lot of respect for the EBA now really tackling the problem, but I think their proposal can be improved in the interest of consumer convenience without changing PSD2 itself.”

Yet according to the EBA, the amendments that have been proposed are ones that it is legally in a position to make to address the issues identified. “Other mitigations to address other issues are conceivable but would require changes to the Directive itself, which is beyond the EBA’s powers,” the banking regulator has said.

The EBA, and Europe’s payments players, could be in luck here, however, as the European Commission is due to begin its PSD2 review before the end of the year, and officials in Brussels have also been concerned about the impact that the exemptions are having.

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

Opt in to hear about webinars, events, industry and product news

To find out more about Vixio, contact us today
No items found.