The greatest impact of the RTS will be on Strong Customer Authentication (SCA) and common and secure communication.
The European Banking Authority released the final draft of the Regulatory Technical Standards (RTS) on strong authentication, and common and secure communication on February 23, 2017. These standards, mandated under article 98 of EU Directive 2015/2366 or the revised payment services directive (“PSD2”), are still draft as they can be amended by the European Commission and the Parliament but will be incorporated into law by November 2018 at the earliest.
Since the publication of the consultation document in August 2016, many aspects were strongly criticized by the market, especially those pertaining to the specifications around mandating strong authentication for most digital transactions. This was in complete contrast to the investments that many established and emerging players had made in technologies to deliver exceptional customer experience, including one-click checkout and payments by relying on risk-based authentication (RBA).
Revised RTS at a Glance
As such, the response to the draft specs was overwhelming, with the EBA stating that it received a record total of 224 responses, which translated to about 300 issues or requests for clarification. These mainly centered around the technology requirements of the draft RTS, exemptions (including scope, thresholds and other guiding principles for transactions eligible for transaction risk analysis (TRA)), and requirements around account access requests by third party providers (TPPs). On close review, it is clear that the revised guidelines represent a major improvement over the draft RTS and address much of the market concern.
Specifically, the EBA has introduced a few exceptions, which although still far from the recommendations, incorporate some of the feedback. The big changes include:
- Increasing the SCA limit to €30. The biggest concern was the mandate for strong customer authentication, defined as an authentication based on the use of two or more independent elements categorized as knowledge, possession, and inherence. This was conceived to apply to transactions over €10, but the limit has since been raised to €30. The exemption is also capped at a cumulative €100 or 5 consecutive payments.
- New exemption for transaction risk analysis up to €500 if the merchant's payment service provider (PSP) meets stringent fraud-rate thresholds.
- Unattended payment terminals like parking meters and toll booths are also exempt to ensure faster commerce.
- Exemption for recurring payments.
- Flexibility to invoke SCA based on risk parameters.
- Explicit callout for the cessation of screen scraping (which will be left in place for the next 18 months).
- AISP calls to access account information to be increased from two to four per day (no limit if the account holder actively requests it). Banks and AISPs can partner to further increase this limit (a big move towards FinTech partnerships).
- Interval for SCA for balance and transaction information increased to 90 days.
- No special exemption for corporate payments.
- PSPs to have the same level of availability as the underlying bank accounts.
- Authentication procedures remain within the realm of account providers.
Most importantly, a mobile device may be used as a ‘multi-purpose device’ for SCA and other applications even if the PSP only controls their application/software on the device. The independence of the elements constituting SCA does not require different devices and can be hosted on the same device provided the following conditions are met:
- A separate secure execution environment is used through the software installed on the multi-purpose device.
- The existence of methods to ensure that the application/software or device has not been altered (integrity is preserved) with mechanisms to mitigate the impact of any alteration.
- Mechanisms to ensure that the software or device has not been altered by the payer or by a third party, or mechanisms to mitigate the consequences of such alteration where it has taken place.
Impact of the RTS on Payments/Commerce
PSD2 is set to accelerate the speed of disruption by mandating that banks open their payment account data to third parties through APIs, and that they authenticate each request for account access and payment authorization. This will enable new forms of payment providers as well as create new transaction opportunities. The changes incorporated in the final RTS address many concerns raised by the various stakeholders and set the right tone for future innovation and cooperation in the region.
One big concern addressed by the final RTS relates to how SCA will need to be implemented, along with associated exceptions on the basis of the level of risk involved in the service provided, the transaction amount, the recurrence, and the channel. SCA is defined as using a combination of something you know, something you have, and/or something you are to authenticate a transaction. The document clarified the scope of the RTS as it pertains to the payment types.
In the biggest directive, mobile devices may be used as a ‘multi-purpose device’ for SCA and other applications even if the PSP only controls their app/software on the device.
- Risk-Based Authentication: Exemption of SCA has been added to allow PSPs to implement risk-based authentication provided they are able to demonstrate low fraud rates for remote payments and credit transfers. While these fraud rates are aggressive, it is certain that PSPs will have higher incentives to use a combination of SCA and RBA to ensure lower fraud to deliver exceptional services to good customers. These PSPs are required to have real-time transaction monitoring mechanisms to assess/score the risk of transactions as low. Both payee and payer’s PSP could trigger such an exemption on their own with the payer’s PSP having the final say.
- One-Click Checkout: The documents called out the card-on-file solutions wherein the users have registered their PAN with the merchant as being exempt from SCA. This preserves the investments made by leading retailers on one-click payments to drive increased conversion and loyalty. However, it is still unclear if this would apply to all transactions or if the merchants would be required to provide additional details.
- Payee Initiated Methods and Recurring Payments: Any payee-initiated payment method, including direct debit, is exempt. The extension of the exemption to a series of credit transfers with the same payee and the same value, including any series of payments, now means that recurring card payments come under the scope of this exemption as well. This is positive news for subscription-based businesses that were concerned about potential cancellations because of the increased friction of SCA.
- Cross-Border Payments: In a move that may have a positive impact on cross-border payments, the need for European PSPs to require SCA for cross-border transactions with one leg outside EU has been relaxed. This is a big improvement over the previous directive that required European PSPs to reject transactions without SCA.
Overall the revised guidelines address many of the concerns raised by the merchant community and will be well received by the industry participants.
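The exemption rules summarised above (the €30 low-value limit with its €100 cumulative and five-payment counters, TRA up to €500 subject to the PSP's fraud rate, recurring and payee-initiated payments, unattended terminals, and the PSP's freedom to invoke SCA on risk parameters) as a single decision function in Go. This is an added example, not text from the RTS or any vendor's code; the reference fraud rate, the 0-100 risk score and the low-risk cut-off are placeholders, and the rule that the first payment of a recurring series is authenticated follows the RTS's own condition that the set-up of the series is subject to SCA.

```go
package main

import "fmt"

// Transaction is a constructed view of one remote payment request.
type Transaction struct {
	AmountEUR, CumulativeEUR   float64 // this payment; exempted spend since last SCA
	SinceSCA                   int     // consecutive exempted payments since last SCA
	Recurring, FirstInSeries   bool    // same payee/value series; its set-up payment
	PayeeInitiated, Unattended bool    // e.g. direct debit; parking meter or toll booth
	RiskScore                  int     // real-time monitoring score, assumed 0-100
}

// PSPProfile is the payer PSP's side; the reference fraud rate and low-risk
// cut-off are placeholders for illustration, not figures from the RTS.
type PSPProfile struct {
	FraudRateBps, TRAReferenceBps float64 // observed vs required, basis points
	LowRiskMax                    int     // highest score still treated as low risk
}

// Limits quoted on this page (EUR, and the consecutive-payment count).
const lowValueLimit, cumulativeLimit, traLimit = 30.0, 100.0, 500.0
const consecutiveMax = 5

// Decide reports whether SCA must be invoked and which rule decided it.
func Decide(t Transaction, p PSPProfile) (scaRequired bool, reason string) {
	if t.RiskScore > p.LowRiskMax { // risk parameters override every exemption
		return true, "risk score above low-risk cut-off"
	}
	switch {
	case t.Recurring && t.FirstInSeries: // the series is authenticated once, at set-up
		return true, "first payment of a recurring series"
	case t.Recurring, t.PayeeInitiated:
		return false, "recurring or payee-initiated"
	case t.Unattended:
		return false, "unattended terminal"
	case t.AmountEUR <= lowValueLimit && t.CumulativeEUR+t.AmountEUR <= cumulativeLimit &&
		t.SinceSCA < consecutiveMax:
		return false, "low value"
	case t.AmountEUR <= traLimit && p.FraudRateBps <= p.TRAReferenceBps:
		return false, "transaction risk analysis"
	}
	return true, "no exemption applies"
}

func main() {
	sca, why := Decide(Transaction{AmountEUR: 20, CumulativeEUR: 95, SinceSCA: 2, RiskScore: 10},
		PSPProfile{FraudRateBps: 5, TRAReferenceBps: 13, LowRiskMax: 30})
	fmt.Println("SCA required:", sca, "-", why) // false - transaction risk analysis
}
```

Note that a €20 payment falls back from the low-value rule to TRA as soon as the cumulative counter would pass €100, and that a risky request is stepped up whatever its amount.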
Open Banking and FinTech:
The guidelines provide additional clarity on the future of the relationship between financial institutions and FinTech providers. Despite the increased flexibilities that the revised RTS provides, it is clear that the world of FinTech is about to undergo rapid change in the EU. FinTech providers will increasingly need to find ways to partner with financial institutions to gain exceptions and maintain the innovative and low friction service levels that their customers have come to accept. Some of the highlights are:
- Deprecation of screen scraping: With Open Banking, the banks will be required to open a communication interface to third-party providers (TPPs). At the same time, these TPPs will no longer be able to perform screen scraping, a known practice used by third-party providers to access user account information from HTML forms. These are subject to man-in-the-middle attacks and are also actively targeted by fraudsters. We predict an increase in attacks targeting those that use these methods.
- Authentication Procedures and Credentials: The EBA has specified that the payment initiation service provider (PISP) can rely on the banks’ — aka Account Servicing Payment Service Providers’ (ASPSP) — authentication methods but the guidelines remain vague on a PISP issuing its own credentials. Also, the liability for unauthorized transactions remains with the ASPSP.
- Availability and Control: To further democratize access to information, the EBA has also mandated that any interface delivered by ASPSPs to TPPs will need to have the same level of availability and performance as used by their own channels.
- TPP Certification: The guidelines also require that the TPP must identify itself to the ASPSP with a qualified certificate as defined in the Electronic Identification and Trust Services (eIDAS) Regulation (Regulation (EU) No 910/2014). This means that EU markets will need qualified trust service providers to issue qualified certificates. Given that there are no such providers at this time, there are concerns around this being enforceable ahead of October 2018. However, this is another area where we will see new players emerge.
In short, FinTechs will still find the revised RTS restrictive and will need to look at partnering with banks to invoke exceptions. Overall, the changes are favorable to the financial institutions.
ThreatMetrix Approach to PSD2 and Open Banking
The revised RTS aligns well with the current ThreatMetrix capabilities and future roadmap. The changes recognize the benefits of risk-based authentication, which has been the cornerstone of digital transformation for banks and retailers worldwide. ThreatMetrix has been working with some of the world’s leading institutions to deliver real-time insights into their user interactions across the customer touch points. The ThreatMetrix approach to risk-based authentication is built on many functions including dynamic digital identity intelligence, behavioral analytics, adaptive policies and rules, as well as multi-factor authentication when needed.
- Risk-Based Authentication: In promoting continuous authentication via risk-based authentication, the EBA states that previous spending patterns, transaction history and location at the time of the transaction should be used to identify anomalies in the payment request. These requirements are among the attributes used by ThreatMetrix to evaluate the true digital identity of end customers. Many other elements of a customer's digital identity are evaluated by ThreatMetrix in real time. These include device ID, IP address, geolocation, user credential attributes, and mobile device integrity.
- ThreatMetrix enables companies to evaluate real-time risk factors in the context of past user behaviors to make decisions on transactions, and for users to accept, reject or review (step-up) a transaction/request. The PSD2 RTS requires that banks, aka ASPSPs, need to consider the following on every transaction:
- Compromised/stolen authentication elements
- Amount of each transaction
- Known fraud scenarios
- Signs of malware infection
- ThreatMetrix Dynamic Decision Platform enables businesses across the globe to achieve a balance between security and convenience across customer touch points. Apart from operationalizing dynamic crowdsourced intelligence from the ThreatMetrix Digital Identity Network®, businesses can use the decision platform to apply risk detection to new API and consumer consent flows.
- Strong Customer Authentication (SCA): ThreatMetrix is extending its core technology platform to provide a Strong Authentication Framework wherein the customer’s mobile device becomes the authenticator and the ThreatMetrix SDK becomes the enabler. This will support:
- Strong DeviceID through a crypto-based PKI certificate: A cryptographic way to assert that the device in question is the same device that was originally registered.
- Push Notification: A cryptographically backed step-up to a mobile device that allows a yes/no answer. This is similar to a two-way SMS challenge flow but leverages iOS and Android secure notification services (e.g. APN), with messages that are customizable based on use case and the customer’s preference.
- Extended Biometric Step-Up: A cryptographically backed step up to a mobile device that requires the use of an on-device user authenticator (fingerprint, facial recognition, voice, PIN, etc.). The key difference with this flow is that it requires user enrollment of a biometric or PIN. This has associated complexities with administration of processes like revocation/lost devices etc., as well as complexities around managing and maintaining fragmented handset/OS implementations of biometrics.
- Open Banking: The ThreatMetrix solution for Open Banking enables financial institutions to create APIs for PISPs and AISPs while maintaining their existing authentication and customer validation processes. This enables them to support innovation from internal initiatives and through external partners while prioritizing customer experience and lifetime value, underpinned by dynamic global shared intelligence from the world’s largest Digital Identity Network. The ThreatMetrix solution can enable banks to:
- Meet PSD2 and open banking requirements
- Deliver innovative financial solutions
- Securely partner with new and emerging providers
In all cases, the purpose of the ThreatMetrix solution is to achieve a minimally invasive, strong authentication solution that is almost entirely turnkey for our customers.
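The two mechanisms listed under Strong Customer Authentication above, a device-bound key that asserts the same enrolled device is answering, and a push step-up whose yes/no is cryptographically tied to one specific payment, as an added Go example. This is not ThreatMetrix code: a raw ECDSA P-256 key pair stands in for the PKI certificate, and the challenge layout and field names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EnrollDevice runs once at registration. The private key stays on the handset
// (in production inside its keystore / secure execution environment); the
// server stores only the public key, which is what makes assertions device-bound.
func EnrollDevice() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Challenge is what the server pushes: a fresh nonce plus the payment details,
// so the user's yes/no is bound to this payment and cannot be replayed.
type Challenge struct {
	Nonce            []byte
	Payee, AmountEUR string
}
func NewChallenge(payee, amount string) (Challenge, error) {
	n := make([]byte, 16)
	_, err := rand.Read(n)
	return Challenge{Nonce: n, Payee: payee, AmountEUR: amount}, err
}

// digest fixes what is signed: nonce, payee, amount and answer, each followed
// by a zero byte so the fields cannot shift into one another.
func digest(c Challenge, approve bool) []byte {
	h := sha256.New()
	for _, f := range []string{string(c.Nonce), c.Payee, c.AmountEUR, fmt.Sprint(approve)} {
		h.Write(append([]byte(f), 0))
	}
	return h.Sum(nil)
}

// Respond is the device side: the user taps yes or no on the displayed payee
// and amount, and the enrolled key signs that answer.
func Respond(dev *ecdsa.PrivateKey, c Challenge, approve bool) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, dev, digest(c, approve))
}

// Verify is the server side: only the enrolled key's signature over this exact
// challenge and answer counts; a flipped answer, altered amount or other key fails.
func Verify(pub *ecdsa.PublicKey, c Challenge, approve bool, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(c, approve), sig)
}
```

Because the nonce is part of what is signed, an approval captured for one push cannot be replayed against a later challenge for the same payee and amount.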
With the near-final RTS now available, institutions in the EU and worldwide can begin focusing on implementation. While many questions have been answered, many new questions have emerged. As with the Open Banking initiative in the UK, collaboration and cooperation will be the key to making the RTS a reality and ensuring that it grows digital commerce rather than stifling it.
About ThreatMetrix Digital Identity Network
The best way to tackle complex, global cybercrime is to use the power of a global shared network. The ThreatMetrix Digital Identity Network collects and processes global shared intelligence from millions of daily consumer interactions including logins, payments, and new account applications. Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations, and anonymized personal information. Behavior that deviates from this trusted digital identity can be accurately identified in real time, alerting businesses to potential fraud. Suspicious behavior can be detected and flagged for manual review or rejection before a transaction is processed.
The Network comprises two key components: Digital Identity Intelligence and a Dynamic Decision Platform.
- The Power of Digital Identity Intelligence: Harnessing dynamic, crowdsourced intelligence, ThreatMetrix is unique in its ability to dynamically combine the four key pillars that define digital identity across all device platforms. These can be summarized as:
- Device: Device identification, device health and application integrity.
- Location: Detection of location cloaking or spoofing (proxies, VPNs and the Tor browser).
- Identity: Incorporating anonymized, non-regulated personal information such as username, email address and more. Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics.
- Threat: Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Operationalizing Digital Identity Intelligence Using a Dynamic Decision Platform: The ThreatMetrix Dynamic Decision Platform enables businesses to leverage shared intelligence from The Network to make real-time digital decisions. This is facilitated via the following key functions:
- Integration and Orchestration: Uniting ThreatMetrix intelligence with back-end services and prepackaged/customized third-party services.
- Real-time analytics: Leveraging business rules, behavior analytics and machine learning capabilities to identify complex fraud patterns with high accuracy.
- Decision management: Enabling continuous optimization of authentication and fraud decisions with visualization, data correlation and exception handling.