In our recently published report on Top Trends in Retail Payments we quoted a European payments professional:
“If the publication of PSD2 gave the industry a headache, then the publication of draft RTS gave it a heart attack.”
Of course, he was talking about the draft regulatory technical standards (RTS) that the European Banking Authority (EBA) has been tasked to develop for how the industry should implement Payment Serivces Directive's (PSD2) requirements for strong customer authentication and secure communication. The draft RTS published in a consultation paper last August was indeed rather draconian. One of the key proposals was "not to propose exemptions based on a transaction risk analysis performed by the PSP” and to keep “the authentication procedure […] fully in the sphere of competence of the ASPSP [Account Servicing Payment Service Providers, i.e. banks].” The draft RTS has united the industry to an extent rarely seen before – representatives from payments, cards, e-commerce, small merchants, digital technology, telecoms, travel and industries have expressed concerns that the EBA’s standards implemented in their current form would “make online shopping much more onerous than it is today and have a wider and chilling effect on the Digital Single Market.”
Thankfully, it appears that the EBA has been listening. The final standards have not yet been published, but yesterday, Andrea Enria, Chairperson of the EBA gave a speech at the Westminster Forum, and has given the clearest indication yet that the EBA is open to changing the RTS. Specifically, according to the speech, the RTS when published will:
- Introduce two new exemptions, one based on "transaction risk analysis" and the other for payments at so-called "unattended terminals" for transport or parking fares. Transaction risk analysis exemption will be linked to maintaining predefined fraud levels and will be reviewed after 18 months.
- Contain some changes to the existing exemptions, such as increasing from EUR 10 to EUR 30 the threshold for remote payment transactions. However, there will be no further exemptions for e.g. corporate payments.
- Outlaw the current practice of third party access without identification (e.g. ‘screen scraping’) once the transition period under the PSD2 has elapsed and the RTS applies.
- Maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. A requirement has been added requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability.
- Remove references to ISO 27001 and other specific, technological characteristics, to ensure technology-neutrality and allow for future innovations.
It will be important to review the details when the final RTS is published, and of course, much work will still have to be done by the industry to ensure compliance. Yet, it seems that the payments professionals in Europe may breathe a sign of relief – the heart attack may have just been averted, at least for now.