Strong customer authentication after EBAs Opinion on the Implementation of the RTS on SCA and CSC

In June 2018, the European Banking Authority (EBA) published its Opinion on the Implementation of the Regulatory Technical Standards (RTS) on Secure Customer Authentication (SCA) and Common Secure Communication (CSC) under the revised Payment Services Directive (PSD2).

Entering into force fully from September 2019 onwards on the points relating to the strong customer authentication (SCA), the RTS provides guidance on how to implement the SCA that PSD2 demands from payment service providers (PSPs).

In a nutshell, the SCA requirement, applicable to all electronic payment transactions that do not benefit from an exemption, is based on an authentication using two or more elements. The elements are categorised as knowledge (something that only the user knows, e.g., a password), possession (e.g., something that only the user possesses, e.g. a debit card or mobile device), and inherence (something that user is, e.g., fingerprints), to generate an authentication code. The elements used must be independent from each other, and the two elements used for an authentication must belong to different categories. Furthermore, when initiating a remote electronic payment transaction, PSD2 imposes an additional dynamic linking requirement. In layman’s terms, this means that, in addition to the above-mentioned elements, the authentication code generated will be linked to the amount of the transaction and the identity of the payee, aiming to prevent that this is altered fraudulently during the authentication process.

The RTS also introduces exemptions to the SCA requirement for certain transactions. As regards the most significant exemptions, in brief, the RTS exempts contactless payments at point of sale under EUR 50, low value transactions under EUR 30, transactions with trusted, pre-defined beneficiaries, subsequent recurring transactions, and low risk remote transactions subject to certain conditions. Other exemptions with more limited application scope include those relating to transactions initiated by a legal entity (not consumer) through the use of dedicated payment processes or protocols and subject to regulator’s approval, as well as those relating to access to certain information (balance and/or payment transactions executed).

In its June Opinion, the EBA addressed a number of points regarding the SCA requirements. Below, we discuss and comment on a few.

Firstly, in explaining the authentication elements, the EBA specified that any information printed on a card (such as a CVV) cannot be considered a knowledge element because it is not something that only the user knows, as the information is readily visible. Regarding the clarifications on the knowledge element, the EBA pointed out the obvious (that information which is readily visible cannot be a knowledge element), but stayed silent on another related point raised by certain market players which provide card acceptance services. Given the necessity, stated in Recital 6 of the RTS, for a knowledge element to comply with a “length or complexity” requirement, it stands to question whether most card personal identification numbers (PINs), under their current requirements, can be considered a knowledge element. Their status should be defined explicitly by the EBA in order to quell any doubts and/or debates.

Furthermore, they also clarified that, subject to exemptions, SCA is required with every access to payment account information and with every payment initiation. Thus, even within an already initiated session where SCA was applied to access payment account information, the PSP would need to apply SCA again if the payment service user desired to initiate a payment. This is in line with Article 4 of the RTS which stipulates that the authentication code shall be only accepted once by the PSP and that it is not possible to generate a new authentication code based on the knowledge of any other authentication code previously generated.

Finally, the EBA also focused its Opinion on whether the payer’s PSP or the payee’s PSP had the discretion to decide on whether to apply an exemption to the SCA requirement. As it explained, while the payee’s PSP can initially decide to apply certain exemptions, it is the payer’s PSP that will always have the final say on whether to apply an exemption; the payer’s PSP can revert to applying SCA to execute a transaction or decline its initiation. While the RTS and the EBA’s opinion certainly contribute to PSPs’ understanding of their SCA compliance requirements under PSD2, certain interpretation challenges still remain for the PSPs who are preparing for the implementation of the RTS.

An area where the EBA’s further clarity would be welcomed is in guiding the market, taking into account any restrictions under privacy laws, on the information that is expected to be captured under basic transaction monitoring mechanisms such as, for example, under a ‘log of the use of the access device or the software’ (i.e. a time stamp only or also other information). This would assist the PSPs in establishing their internal transaction risk analysis requirements and differentiating basic requirements from those which are used where the PSP intends to rely on the low level of risk exemption.

Furthermore, the PSPs may seek further legal guidance from the EBA on the status of ‘dashboards’ offered by merchant acquirers to merchants, and more specifically access to these dashboards, which have in the past been seen by certain market players as payment accounts for the purposes of complying with the PSD time obligation of value dating. The EBA’s Opinion suggests that, in the case of cards transactions, an access to payment account information is relevant/applicable only at payer’s PSP level (and not payee’s PSP level, i.e. merchant acquirer’s level), which is an interpretation that is likely to be welcomed by merchant acquirers but maybe not so much by the AISPs who intended to offer account information services to merchants that incorporate comparative information of these dashboards.

Other PSPs, for example, those that more clearly do not offer payment accounts for their PSUs, such as a PSP providing remittance services only, will also need to orient themselves on the extent of their regulatory responsibilities as regards the application of SCA.

We hope that the EBA will offer further clarification in coming months on the practical solutions that PSPs can apply in order to implement SCA that comply with their technical standards. PSPs should make full use of the EBA’s question and answer tool to dissipate any doubts about the Regulation’s application to their activities before it enters into full force in September 2019 on the points relating to the SCA.

About Irena Dajkovic

Dr Irena Dajkovic, a Partner of DALIR Law Firm, is a lawyer with a combination of about twenty years of private practice and in-house experience in commercial, corporate and regulatory laws. Over the years, her clients ranged from financial institutions, private equity firms, retail companies to private individuals. She focuses on clients’ goals and has often been praised by them for her excellent technical skills, strategic advice and high ethical standards. She has helped numerous clients to expand globally and optimise their intra-group operation.

About DALIR

DALIR is a boutique law firm whose lawyers have a combination of more than 20 years of experience in commercial, regulatory or corporate laws gained in UK ‘magic circle’ law firms and/or leading UK banks and fintech companies. The firm has a special interest in the fintech industry, and particularly payments, developed over many years of client advisory, research and active participation in the legal developments in this area.