Quo vadis PSD2?
- EBA publishes final position paper on Strong Customer Authentication (SCA) on 21st June, specifying implementation characteristics and granting transition periods in response to market queries
- England, Austria and Italy have announced transition periods; regulators in Ireland, France and Denmark are assessing postponements
- Prominently staffed consortium around the "European Payment Institutions Federation" (EPIF) sends a further letter to the EBA and urges a uniform postponement and transparency
- EBA therefore faces a dilemma: consistency or indulgence?
- Opportunity for national regulators to act at a European level
On 14th September 2019, the obligations for strong customer authentication under the PSD2 will take effect. As a reaction to the discussion that has been ongoing since the final "Regulatory Technical Standards (RTS)" were published, and to the continuing lack of clarity regarding the interpretation of the implementation requirements specified in them, the EBA published a further position paper on 21st June 2019 - less than three months before the RTS come into force - which, according to the EBA, is the final position paper (https://eba.europa.eu/documents/10180/2622242/EBA+Opinion+on+SCA).
In particular, two aspects have raised questions in the market (see also: https://core.se/techmonitor/eba-psd2-rts-comment-clarification-of-uncertainties-raises-new-questions):
Aspect 1 - EBA grants the possibility of transition periods
Until the publication of the EBA commentary, the prevailing interpretation in the market was that all affected market participants must have implemented the RTS by 14th September 2019. The EBA paper now recognises that in exceptional cases the national competent authorities may decide to postpone the implementation period of the SCA requirements for a limited time. Such a concession presupposes that the PSPs concerned draw up a migration plan and coordinate it with the national authorities. Only one week after publication of the EBA commentary, the British Financial Conduct Authority (FCA) announced that it would make use of the possibility of postponing implementation by up to 18 months. Furthermore, the FCA proclaimed its intention to develop a migration plan "in close coordination with the industry". The Austrian Financial Market Authority (FMA) and the Banca d'Italia reacted similarly at the beginning of August and granted companies a temporary delay in implementing the requirements. In the meantime, regulators from France, Ireland and Denmark have also publicly expressed their support for a general delay of the implementation obligation.
Aspect 2 – Inherence within 3-D Secure 2.x
Until the EBA commentary, the prevailing market perception was that the 3-D Secure 2.x protocol fully meets the SCA requirements of the PSD2 for cardholder authentication for remote transactions.
Accordingly, the EBA's classification caused uncertainty as to whether at least the biometric 3-D Secure implementations that had been seen in the market so far would meet the formulated requirements for an Inherence Factor (Figure 1; see https://core.se/techmonitor/security-in-card-based-payment), although the EBA commentary left room for interpretation.
In response to the EBA commentary, a consortium of the European Payment Institutions Federation (EPIF), Visa, Mastercard, the merchant associations EuroCommerce and E-Commerce Europe, the European Association of Payment Service Providers for Merchants (EPSM), the European Hotel Forum and the European Tourism Association sent a public letter to the EBA and the EU Commission on August 2nd. In this letter, the signatories confirm their fundamentally positive attitude towards the spread of SCA, but vigorously criticise the interpretations of the above-mentioned points made by the EBA in its position paper:
Market consortium calls for uniform regulation on implementation deadline
The undersigned address the fact that, despite the 18-month implementation period, large parts of the market are not yet fully prepared for the requirements to be implemented on September 14th, both on the issuing and on the merchant side. Referring to a study by Stripe, they state that in the first year of implementation alone, a loss of EUR 57 bn due to abandoned purchases is to be expected in the PSD2 area.
The EBA's openness to transitional periods is accordingly welcomed, but delegating their application to the national regulators would be counterproductive and would even increase the complexity of implementation: for example, in the scenario where the FCA grants a deferral but BaFin does not, a German issuer would have to reject transactions of a UK acquirer who, within the framework of its nationally applicable regulations, has not yet implemented the SCA requirements. However, many acquirers are active across national borders and have to reflect different requirements in their respective target markets. As a consequence, customers in particular would be confronted with an inconsistent shopping experience they cannot make sense of, leading directly to more abandoned purchases, which makes the assumptions of the Stripe study plausible.
The announcements from Austria, Italy, Ireland, France and Denmark suggest that the example given is not an exceptional case, but rather that Europe faces a heterogeneous regulatory landscape with regard to the implementation deadlines for the RTS and the associated implementations.
Consequently, the signatories call for a single European roadmap to implement the SCA requirements, a postponement of at least 18 months, and the publication of this roadmap before September 14th. Not only is the EBA itself addressed; the letter also states that a coordinated interpretation of the transitional periods by the national regulators could achieve this objective.
Market consortium demands clear statement from EBA on 3-D Secure 2.x
Furthermore, the signatories complain that the list of authentication approaches set out in the EBA commentary of June 21st (Figure 1) allows the interpretation that current implementations of 3-D Secure 2.x which make use of a biometric authentication factor are not compliant, since no data points of the biometric factor are exchanged via the protocol. If the EBA were to stick to this interpretation, a further iteration of the 3-D Secure protocol would have to be developed, which would entail corresponding lead times for development, testing and deployment - and therefore could under no circumstances be ready by September 14th.
Furthermore, the signatories are of the opinion that the existing implementations of 3-D Secure 2.x with biometric factors currently meet the highest achievable security standard and are superior to the corresponding alternative (static password / security question). They therefore demand that the EBA publish a more differentiated position on biometric factors and, beyond that, that the adoption of such factors by the industry be encouraged.
The reaction to the EBA commentary is hardly surprising, even though the clarity of the criticisms and demands, as well as the large and well-known circle of signatories, is remarkable and has not previously been seen at this magnitude: First Data, PayPal, Elavon, Amazon Payments, SIX Payment Services, Klarna and Worldpay are represented in the EPIF alone, which already covers a large part of the e-commerce acquiring market.
The dystopian chaos scenario from September 14th onwards developed by the signatories is backed up by the Stripe study, but can be questioned: in the media, the opposite position is emerging that the 18-month implementation deadline was simply "overslept" by those affected, or that the current market uncertainty could be a state of affairs deliberately induced by those affected in order to bring about a postponement. It is noticeable that so far no statement from the issuing side has been heard, i.e. no bank or banking association has officially joined the critics.
One reason for this could be that the potential negative effects (cancellations of transactions) do not affect the banks directly, or at least not as hard as the merchants and schemes. Due to their focus on the domestic market, the banks will not be affected by the differing interpretations in the various countries to the same extent as acquirers and merchants. Furthermore, it may be that banks have anticipated the PSD2 requirements - of which the SCA requirements of the RTS are only a portion - over the longer term and therefore expect fewer problems from the forthcoming implementation. Last but not least, banks will avoid being involved in escalating letters due to their stronger dependence on a good relationship with regulators. For a bank, however, it could be a fallacy to regard itself as unaffected, because if the developments envisaged in the letter actually occur, banks would suffer falling transaction revenues in the short term, while in the long term fewer customer touchpoints would also limit the cross-selling potential of payment transactions (e.g. for consumer loans, hire purchase etc.).
The following dilemma now arises for the EBA: meeting the demands of the letter and initiating a uniform postponement of the due date could be interpreted as too much indulgence towards the market representatives in a discussion that has been going on for 18 months now. In addition, conceding this at such short notice before the due date provokes the accusation that the EBA had insufficient control over the market-driven design and implementation of SCA. If, however, the EBA were to allow the national regulators to coordinate a uniform implementation plan among themselves, the EBA could officially adhere to its previous deadline, but this could be undermined by the national regulators.
Rejecting the consortium's demands, i.e. adhering to the existing transposition deadline and interpretation of the RTS, would be regarded as consistent with reference to an 18-month transposition horizon. Should the problems notified by the consortium actually occur in the market, however, the EBA would be assigned the more substantial part of the responsibility. The EBA is in a dilemma; it remains to be seen which path it will take. The signatories of the letter have clearly formulated their position, but should not allow themselves to be held up by the discussion in implementing the RTS requirements - because even a postponement will not solve the inherent challenges. A delay would result in longer implementation times, which in turn would often entail higher implementation costs. Instead, a short-term implementation could also be seen as an opportunity for competitive differentiation.
This also applies to banks, although their restraint in the discussion suggests that they will be able to complete their implementation in good time by September 14th. If banks are also in favour of a uniform postponement of the implementation deadline, this would probably be the last opportunity to intervene in the discussion and introduce a further perspective.
- Position paper of the EBA regarding Strong Customer Authentication under PSD2
- Final Report regarding the RTS draft
- Letter of the retail association EuroCommerce to the EBA
- FCA announcement regarding the migration plan
- Joint Industry Statement on SCA Implementation
- Stripe study concerning cancellations of transactions