PSD2 and the Open Banking Revolution: Final Regulatory Technical Standards
Posted March 2, 2017
Last of a Three Part Series
It’s go time for PSD2.
The final draft of the Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication has been approved by the European Banking Authority (EBA) and submitted to the European Commission for approval.
The standards (mandated under article 98 of EU Directive 2015/2366, popularly known as PSD2 or the revised payment services directive) may still be amended by the European parliament.
But once approved, the standards will become law as early as November 2018.
Since publication of proposed standards in August, many of PSD2’s provisions have met vociferous pushback from some within the retail and financial services industries, especially new specifications mandating strong authentication for almost all digital transactions.
That’s because many established and emerging players have already made technology investments to improve the customer experience and lower friction, including one-click checkouts and payments by relying on what they thought was robust risk-based authentication. For many, PSD2 raises the bar.
Revised RTS at a Glance
In total, the EBA received a record 224 responses to its draft standards, spanning roughly 300 different issues or requests for clarification.
Not surprisingly, vexation has centered on the technology requirements; on the exemptions, including the scope, thresholds and other guiding principles for transactions eligible for transaction risk analysis (TRA); and on the requirements around account access requests by third party providers (TPPs).
Upon review, it’s clear the final standards represent a major improvement over the earlier draft.
Specifically, the EBA has introduced exceptions and modifications that, while not fully adopting industry feedback, take substantive steps toward mitigating many of the biggest concerns.
Among Key Revisions:
- Transactions up to €30 are allowed before strong customer authentication (or SCA) is required. That’s up from €10 in the original standards.
- Likewise, a cumulative limit of €100 or 5 consecutive payments is allowed before requiring SCA.
- New exemption for transaction risk analysis up to €500 if the merchant’s payment service provider (PSP) meets stringent fraud-rate thresholds.
- Exemptions to SCA have been made for unattended payment terminals like parking meters, as well as tollbooths and recurring, subscription-based payments.
- The EBA has the flexibility to invoke SCA based on risk, despite the exceptions above.
- “Screen scraping,” used to harvest customer information from other institutions, will be banned after 18 months.
- Account information service providers (or AISPs) can access account information a total of 4 times per day, up from 2—with no limit if the account holder actively requests it.
- Banks and AISPs can partner to further increase limits on account access—a big move toward encouraging Bank/FinTech partnerships.
- The threshold for requiring SCA on balance and transaction information has been increased to 90 days.
- In a major shift, mobile devices may be used as a “multi-purpose device” for SCA, so long as specific security measures are in place.
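The exemption thresholds listed above translate directly into decision logic that a PSP’s authentication layer has to apply on every payment. The following is an added example (not EBA or ThreatMetrix code) that encodes those thresholds as a single check; the function and field names, the sample payer state and the fraud-rate threshold value are assumptions, and the risk override reflects the point that risk can still force SCA despite the exemptions.

```python
"""Illustrative SCA exemption check built from the thresholds in the revised RTS
as summarised in this post. Added example, not EBA or ThreatMetrix code; the
names, the dataclass fields and TRA_FRAUD_RATE_LIMIT (a PLACEHOLDER value, the
RTS defines the real reference rates) are assumptions."""
from dataclasses import dataclass

PER_TXN_LIMIT_EUR = 30         # single payment exempt up to this amount
CUMULATIVE_LIMIT_EUR = 100     # cumulative amount allowed since last SCA
CUMULATIVE_COUNT = 5           # consecutive payments allowed since last SCA
TRA_LIMIT_EUR = 500            # transaction risk analysis exemption ceiling
TRA_FRAUD_RATE_LIMIT = 0.0001  # PLACEHOLDER: PSP fraud rate required for TRA

@dataclass
class PayerState:
    amount_since_sca: int = 0  # euros spent since the last SCA
    count_since_sca: int = 0   # payments made since the last SCA

@dataclass
class Payment:
    amount_eur: int
    unattended_terminal: bool = False  # parking meter, tollbooth
    recurring: bool = False            # subscription / payee-initiated
    psp_fraud_rate: float = 1.0        # the PSP's measured fraud rate
    risk_flag: bool = False            # PSP's own risk engine demands step-up

def sca_required(p: Payment, s: PayerState) -> tuple[bool, str]:
    """Return (needs_sca, reason). A risk flag overrides every exemption."""
    if p.risk_flag:
        return True, "risk-based override"
    if p.unattended_terminal or p.recurring:
        return False, "unattended terminal / recurring payment exemption"
    if p.amount_eur <= PER_TXN_LIMIT_EUR:
        if (s.amount_since_sca + p.amount_eur <= CUMULATIVE_LIMIT_EUR
                and s.count_since_sca + 1 <= CUMULATIVE_COUNT):
            return False, "low-value exemption"
        return True, "cumulative limit reached"
    if p.amount_eur <= TRA_LIMIT_EUR and p.psp_fraud_rate <= TRA_FRAUD_RATE_LIMIT:
        return False, "transaction risk analysis exemption"
    return True, "above exemption thresholds"

def record(p: Payment, s: PayerState, needs_sca: bool) -> PayerState:
    """Reset the counters after SCA; otherwise accumulate (conservatively, every
    exempted payment counts toward the cumulative limits)."""
    if needs_sca:
        return PayerState()
    return PayerState(s.amount_since_sca + p.amount_eur, s.count_since_sca + 1)
```

The cumulative counters are the part most often forgotten: five exempt €20 payments exhaust the €100 limit, so the sixth must be challenged even though it is individually under €30.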
Setting New Standards for Innovation
To be fair, all the drama that has surrounded PSD2 is understandable given its significance.
Together, the standards handed down by the directive are set to dramatically accelerate the speed of disruption by mandating that banks open their payment account data to third parties through APIs—and securely authenticate account access and payment authorizations made through them.
For established players and FinTechs, this represents a tectonic shift in the way they do business. Proponents, meanwhile, argue it heralds a whole new era of innovation and opportunity for all involved.
Both statements have always been true. But in our view, the changes incorporated into the final RTS address many of the most egregious concerns raised by various stakeholders, and set the right tone for future innovation and cooperation throughout the region.
Let’s take a look at our perspective on the impact from some of these revisions.
Payments & Commerce
- SCA Exemptions: We applaud the exemption for SCA allowing PSPs to implement risk-based authentication (RBA) for certain transactions, so long as they demonstrate aggressively low fraud rates. We believe PSPs will find plenty of incentive to use a combination of SCA & RBA to deliver exceptional service and fraud protection.
- Card on File Payments: Another exemption, for situations when users have registered their personal account numbers with a merchant, preserves the considerable investments retailers have made in card on file payments to drive conversion and loyalty.
- Payee-Initiated Methods and Recurring Payments: Any payee-initiated payment method, including direct debit, is exempted from SCA. This is good news for subscription-based businesses concerned about cancellations sparked by increased friction.
- Cross Border Payments: The SCA requirements on cross-border transactions for PSPs with one leg outside the EU have been relaxed. This is a marked improvement over the proposed standards, which required European PSPs to reject transactions without SCA.
Banking and FinTech
- Shared Benefits: Despite new flexibility in the RTS, FinTech providers will need to partner with financial institutions to qualify for SCA exemptions to maintain the innovative, low-friction services their customers expect. In our view, this benefits all parties.
- Deprecation of Screen Scraping: Third party providers will no longer be able to engage in screen scraping to access user account information from HTML forms. This is wise, as screen scraping is susceptible to man-in-the-middle attacks and other forms of fraud.
- Availability and Control: To further democratize access to information, the EBA has also mandated that any interface between institutions and providers must provide the same level of availability and performance as their own channels.
ThreatMetrix Solution for PSD2 Compliance
The revised RTS align well with current ThreatMetrix capabilities and the future roadmap. The ThreatMetrix approach that has been the cornerstone of digital transformation for banks and retailers worldwide includes risk-based authentication built on many functions, including dynamic digital identity intelligence, behavioral analytics, adaptive policies and rules, as well as multi-factor authentication when needed.
Risk-Based Authentication (RBA)
- The EBA states previous spending patterns, transaction histories and location at the time of a transaction must be used to identify anomalies in payment requests. These requirements are a small subset of the attributes used by ThreatMetrix to evaluate digital identity. We evaluate past user behaviors and, among many transaction attributes, analyze device ID, IP address, geo-velocity, user credential attributes and mobile device integrity. The entirety of elements in digital identity verification can be found on the Periodic Table of Digital Identity Assessment.
Strong Customer Authentication (SCA)
- ThreatMetrix is extending its core technology platform to provide a Strong Authentication Framework wherein the customer’s mobile device becomes the authenticator and the ThreatMetrix SDK becomes the enabler. This provides a cryptographic way to assert that the device in question is the same device that was originally registered. It further leverages cryptographically backed step-up authentication similar to a 2-way SMS challenge flow, but using the iOS and Android secure notification services (e.g. APN). This can be extended to utilize on-device biometric user authentication (e.g., fingerprint, facial recognition, voice, PIN).
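The device-as-authenticator flow described above comes down to a challenge bound to a registered device credential and to the specific transaction. The following is an added schematic of that exchange, not ThreatMetrix SDK code: it assumes an HMAC key provisioned at registration as a stand-in for the device-held credential (a real deployment would use a device-held asymmetric key), and simulates the push channel with a direct function call.

```python
"""Device-bound step-up challenge/response (server side and device side).
Added example, not ThreatMetrix code. Assumptions: a per-device HMAC key
established at enrolment stands in for the device credential, and the push
notification that carries the challenge is replaced by a function call."""
import hashlib
import hmac
import os
import time

class StepUpServer:
    def __init__(self) -> None:
        self.devices: dict[str, bytes] = {}   # device_id -> key from registration
        # nonce -> (device_id, transaction text, expiry time)
        self.pending: dict[bytes, tuple[str, str, float]] = {}

    def register(self, device_id: str) -> bytes:
        """Enrolment: the credential is created once and tied to this device."""
        key = os.urandom(32)
        self.devices[device_id] = key
        return key

    def challenge(self, device_id: str, txn: str, ttl: float = 60.0) -> bytes:
        """Issue a fresh, short-lived nonce bound to one device and one transaction."""
        if device_id not in self.devices:
            raise KeyError("unregistered device")
        nonce = os.urandom(16)
        self.pending[nonce] = (device_id, txn, time.time() + ttl)
        return nonce  # would be delivered over the push channel in practice

    def verify(self, device_id: str, nonce: bytes, txn: str, tag: bytes) -> bool:
        """Accept only an unexpired, unused nonce answered by the registered key
        for exactly the transaction the challenge was issued for."""
        entry = self.pending.pop(nonce, None)  # single use, even on failure
        if entry is None:
            return False
        dev, expected_txn, expiry = entry
        if dev != device_id or expected_txn != txn or time.time() > expiry:
            return False
        want = hmac.new(self.devices[device_id], nonce + txn.encode(),
                        hashlib.sha256).digest()
        return hmac.compare_digest(want, tag)

def device_answer(key: bytes, nonce: bytes, txn: str) -> bytes:
    """What the registered device computes once the user approves the prompt
    (after the on-device biometric or PIN gate, which is outside this sketch)."""
    return hmac.new(key, nonce + txn.encode(), hashlib.sha256).digest()
```

Binding the transaction text into the response is what makes this stronger than a bare SMS code: an approval captured for one payment cannot be reused to authorize another.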
- ThreatMetrix enables financial institutions to create APIs for payment initiation service providers (PISPs) and AISPs while maintaining their existing authentication and customer validation processes. This enables them not only to meet PSD2 and open banking requirements, but also to securely partner with third party providers to deliver innovative solutions that provide a great customer experience and drive lifetime value.
Putting it All in Motion
With the final RTS now available, institutions in the EU and worldwide can finally begin focusing on implementation.
As with the open banking initiative in the UK, collaboration and cooperation will be the key to making the RTS a reality and ensuring that they grow digital commerce—and not stifle it.
The race is officially on.