This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Payments & FinTech Lawyer

EC outlines intended changes to the EBA’s draft RTS on Strong Customer Authentication

The European Banking Authority (‘EBA’) published on 31 May 2017 a letter it has received from the European Commission (‘EC’) in which the EC indicates that it intends to amend the EBA’s draft Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication (‘RTS SCA’), developed by the EBA under PSD2 and submitted to the EC in February 2017. In the letter the EC outlines its proposed changes to the draft RTS SCA and its reasoning behind these proposals.

Among the EC’s proposed changes, which include amendments to Chapters 1, 2 and 5 of the draft RTS SCA, is a requirement for PSPs to report incidents of fraud directly to the EBA, enabling the EBA to have access to individual fraud data and reports from PSPs rather than only having access to aggregated data as reported by competent authorities. “Naturally, this will mean additional reporting obligations for PSPs, and they will have to implement measures to comply with these reporting requirements,” said Andreas Doser and Dr Nils Rauer of Hogan Lovells International LLP. “PSD2 generally provides for a flow of data from the PSPs to the respective national competent authorities to the EBA. This is how reporting for major security incidents pursuant to Article 96 PSD2 will work. So the proposed reporting obligation is a major policy change.”

Another proposal, in this case in regard to Chapter 5 of the draft RTS SCA, deals with contingency measures in case of ‘unavailability or inadequate performance of the dedicated communication interface’ that account servicing payment service providers (‘ASPSPs’) must offer under PSD2 to third party providers. Under the EC’s proposed amendments, there is a need to ensure that payment initiation service providers (‘PISPs’) and account information service providers (‘AISPs’) are not prevented from offering their services even if the dedicated communication interface offered by the ASPSP cannot be accessed or is inadequate. “Article 53 of the RTS SCA merely concerns contingency measures and provides for a workaround in case a dedicated interface does not work properly,” explain Doser and Dr Rauer. “This being said, PISPs and AISPs may only make use of the payment service user interface if the dedicated interface for payment initiation and account access is unavailable for more than 30 seconds during a session. They may however not use it as a default option for accessing the account.”

“Nevertheless, the change may help PISPs and AISPs to offer their services even where there is a problem with the dedicated interface offered by the ASPSP. Thereby, the continuity of these services may be increased,” add Doser and Dr Rauer.

The EBA has six weeks from the date of recipient of the EC’s proposed amendments to make changes to the final RTS SCA to reflect the EC’s proposed changes or else to submit an opinion to the EC on said proposed amendments. Following this, the EC, the European Parliament and the EU Council will have three months to review the EBA’s new draft. Doser and Dr Rauer note that “It is expected that the RTS SCA will be passed in Q3 2017 and will apply 18 months after that date, i.e. in Q1 2019.” Dr Matthias Terlau, Partner at Osborne Clarke LLP, believes the ongoing procedure is “getting tiring,” adding that “It distracts attention from other important subjects. SCA is not the best solution in the world. It is only to a limited extent open for new developments in fraud prevention. PSD2 would have been better had it formulated a broader risk management and fraud avoidance obligation for PSPs instead of such a very detailed provision.”

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2006.
Can’t find what you are looking for?
Try an Advanced Search

Log in to payments & fintech lawyer
Subscribe to payments & fintech lawyer
Register for a Free Trial to payments & fintech lawyer
E-Law Alerts
payments & fintech lawyer Pricing

Social Media

Follow payments & fintech lawyer on TwitterView our LinkedIn Profilepayments & fintech lawyer RSS Feed