Fraud, API Standards Central To EU’s Future Payments Vision

July 4, 2022
As preparations continue for a potential revision to the Payment Services Directive, payments chiefs in Brussels and Paris have warned that evolving fraud and technology standards must be front and centre.

Since May, speculation about the future of EU payments has ramped up, in part due to consultations being opened on the revised Payment Services Directive (PSD2) and a legal framework for open finance.

Now, Eric Ducoulombier, the European Commission’s payments chief, has shared where he thinks changes need to be made, telling a conference in Brussels that although strong customer authentication (SCA) has been a success, fraud needs to be looked at again.

“With SCA, and perhaps because of SCA, fraud is moving,” he commented, during QED's annual Future of EU Payments event. “Fraud is morphing and moving to other territories.”

Although SCA is a strong protection, it has meant that criminals are looking for other places to exploit, he acknowledged.

“It is moving to places where payments have been authenticated and authorised and that is something that SCA cannot do much about, unfortunately,” he said.

“People will have heard of authorised push payments, phishing and spoofing,” he said. “We will have to, in the context of the PSD2 review, see whether SCA was sufficient and whether we need to step up.”

Fraud is a constant fight between the sword and the shield, he said. “This is, for us, a very important priority to see whether or not the impact of PSD2 is still fit for purpose and future proof. Or even present proof.”

Discussing the PSD2 consultation, which closes on July 5, Ducoulombier quipped that “while I work on the second floor of a glass building, you are on the ground”, stressing that it is of the utmost importance for stakeholders to respond.

During his speech, the Brussels-based civil servant also said that it was “fine” that some countries took longer than others to implement SCA.

This was not the position taken at the time, considering both the European Commission and the European Banking Authority (EBA) remained firm on the January 1, 2021 deadline that many industry associations had expressed concern about.

Ducoulombier’s remarks come at the same time as the EBA announced it has adopted a decision on fraud data reporting.

On Friday (July 1), the EBA explained that competent authorities will be able to report fraud data to the authority via the European Central Bank.

While Ducoulombier focused on fraud and security, Dirk Haubrich of the EBA suggested that it may be beneficial for the EU to develop an application programming interface (API) standard.

“We didn’t have the time,” he acknowledged, discussing the reason why this was not developed during the implementation of PSD2. “We didn’t think we were best placed to develop such a technological set of standards, and also, we would have to make quite a significant trade-off on the objective of facilitating innovation.”

The EBA knew this would have downsides, he said, adding that this was one of the reasons for establishing the API working group.

There is still work to be done here, he said, even if standards have been developed by market initiatives such as the Berlin Group. “The lack of a single standard for APIs is an issue.”

In the EBA’s feedback to the European Commission, the banking watchdog advised that the new directive should explore the possibility of having a common API standard across the EU to be developed by the industry.

“The EBA, whilst acknowledging that introducing a single API standard at this stage would bring additional compliance costs, is of the view that it would also have significant benefits, including reducing the burden for TPPs to connect and maintain connections to ASPSPs’ interfaces, support innovation, reduce barriers for new market entrants, contribute to a level playing field across the EEA, and others,” it said.

The EBA also recommended that all banks should be required to provide a dedicated interface for third-party access, and that the requirement for banks offering a dedicated interface/API to also provide a fall-back mechanism should be removed.
