Access to payment account (part 2/2) – Authentication by customers

A major difference between PSD1 and PSD2 is that parts of the directive are, as it were, outsourced to a European supervisory authority, in this case the EBA, for further elaboration. This way of legislating has its origins in the financial crisis, which later turned into the sovereign debt crisis, and is used exclusively for the financial sector. Its legal basis is laid down in the Treaty on the Functioning of the European Union.

PSD2 gives the EBA 11 mandates: it has to deliver 6 Regulatory Technical Standards (RTS) and 5 Guidelines, each on its own timeline. An important difference between a Guideline and an RTS is that an RTS, once drafted by the EBA, is adopted by the European Commission and, after scrutiny by the European Parliament, published as binding EU legislation, whereas a Guideline is issued by the European supervisory authority itself. Most of these mandates are aimed at national supervisors, but one affects every market party. This RTS covers the application of strong customer authentication (SCA), the exemptions from it, and secure communication whenever a payer (Article 97 PSD2):

  • Accesses his payment account online, whether or not through a third party
  • Initiates an electronic payment transaction, whether or not through a third party
  • Carries out any action through a remote channel that may imply a risk of payment fraud or other abuse

What does the RTS say?

The current EBA Guidelines on the Security of Internet Payments leave it to the bank to decide, on the basis of its own risk assessment, whether or not to apply strong customer authentication. The RTS removes that discretion: in short, SCA is always required for access to the payment account and for authorising a transaction, except in the following cases:

  • Access to the payment account that does not disclose confidential payment transaction data (the first access still requires SCA)
  • Remote payments below EUR 10, as long as the cumulative amount does not exceed EUR 100
  • Transfers between accounts held by the same natural or legal person at the same bank
  • A periodic (standing) transfer, except for setting up the initial order
  • Payments to a payee on a list of trusted beneficiaries (read: address book); the payee must have been added to that list by the payer using SCA
  • Contactless card payments up to EUR 50, as long as the cumulative amount does not exceed EUR 150
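The exemptions above are a decision procedure with state: the low-value exemptions depend on running totals, the trusted-list exemption depends on how the payee got onto the list, and first access and initial periodic orders are treated differently from later ones. The following is an added illustration of that logic, written for this page and not taken from the RTS or from any bank's implementation. It uses the thresholds exactly as listed above (amounts in euro cents) and assumes, which the page does not state, that the bank keeps the cumulative counters per payer and restarts them each time SCA is applied; `PayerState`, `Action` and `process` are hypothetical names.

```python
from dataclasses import dataclass, field

# Thresholds as listed on the page, in euro cents to avoid float rounding.
REMOTE_SINGLE_MAX = 10_00          # "below EUR 10": strictly less than
REMOTE_CUMULATIVE_MAX = 100_00     # "cumulatively no more than EUR 100"
CONTACTLESS_SINGLE_MAX = 50_00     # "up to EUR 50"
CONTACTLESS_CUMULATIVE_MAX = 150_00


@dataclass
class PayerState:
    """Per-payer bookkeeping the bank would keep (hypothetical structure).
    Assumption not stated on the page: cumulative counters restart whenever
    SCA is applied to a payment of that channel."""
    remote_total: int = 0
    contactless_total: int = 0
    accessed_before: bool = False
    own_accounts: set = field(default_factory=set)          # same person, same bank
    trusted_beneficiaries: set = field(default_factory=set) # entries added via SCA only
    periodic_orders: set = field(default_factory=set)       # orders set up with SCA


@dataclass
class Action:
    kind: str                    # "access", "remote_payment", "contactless", "periodic"
    amount: int = 0              # euro cents
    payee: str = ""
    sensitive_data: bool = False # does the access disclose confidential payment data?
    order_id: str = ""           # identifies a periodic transfer order


def add_trusted_beneficiary(state, payee, sca_performed):
    """A payee may only enter the trusted list through an SCA-protected step."""
    if not sca_performed:
        raise ValueError("trusted beneficiaries must be added using SCA")
    state.trusted_beneficiaries.add(payee)


def process(action, state):
    """Return (sca_required, reason) and update the payer's bookkeeping.
    The bank is assumed to actually perform SCA whenever sca_required is True."""
    if action.kind == "access":
        if not state.accessed_before:
            state.accessed_before = True
            return True, "first access to the payment account"
        if action.sensitive_data:
            return True, "access discloses confidential payment data"
        return False, "exempt: account access without sensitive payment data"

    if action.kind == "periodic":
        if action.order_id in state.periodic_orders:
            return False, "exempt: periodic transfer already set up with SCA"
        state.periodic_orders.add(action.order_id)
        return True, "initial periodic transfer order"

    if action.kind == "remote_payment":
        if action.payee in state.own_accounts:
            return False, "exempt: transfer between own accounts at the same bank"
        if action.payee in state.trusted_beneficiaries:
            return False, "exempt: payee on the trusted list"
        if (action.amount < REMOTE_SINGLE_MAX
                and state.remote_total + action.amount <= REMOTE_CUMULATIVE_MAX):
            state.remote_total += action.amount
            return False, "exempt: low-value remote payment"
        state.remote_total = 0  # assumption: SCA restarts the cumulative counter
        return True, "remote payment outside the low-value limits"

    if action.kind == "contactless":
        if (action.amount <= CONTACTLESS_SINGLE_MAX
                and state.contactless_total + action.amount <= CONTACTLESS_CUMULATIVE_MAX):
            state.contactless_total += action.amount
            return False, "exempt: low-value contactless card payment"
        state.contactless_total = 0  # assumption: SCA restarts the cumulative counter
        return True, "contactless payment outside the low-value limits"

    raise ValueError(f"unknown action kind: {action.kind}")


if __name__ == "__main__":
    # Constructed walk-through of one payer's day.
    s = PayerState()
    for a in (Action("access"), Action("access"),
              Action("remote_payment", amount=9_99, payee="shop"),
              Action("remote_payment", amount=25_00, payee="landlord")):
        print(a.kind, a.amount, process(a, s))
```

Note that the default branch is "SCA required": every exemption has to be proven from the payer's state, and the trusted list can only grow through `add_trusted_beneficiary` with SCA, so a compromised session without SCA cannot first whitelist a payee and then drain the account under the trusted-list exemption.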