EBA agrees to relax PSD2 authentication rules

The European Banking Authority (EBA) has agreed to relax part of the European Union’s (EU) revised Payments Services Directive, aka PSD2, which is due to take effect from January 2018.

In a speech given in London, EBA chairman Andrea Enria said that the proposed standards for stronger customer authentication would be modified to relax the requirement for all payments under €10. The proposal had triggered protests from industry participants who claimed that the mandate would result in more declined transactions and abandoned purchases at the checkout.

Enria said that the threshold would be raised from €10 to €30 for remote consumer transactions, although there would be no exemption for corporate payments. Firms using ‘transaction risk analysis’ to counter attempted fraud will also be offered a get-out clause, as will payments at unattended terminals, such as parking meters or transport tickets. The use of transaction risk techniques will be monitored over an 18-month period to ensure that safeguards are working to reduce fraud rates.

The EBA faces a challenge in meeting the timetable for delivering the regulatory technical standards (RTS) for PSD2, after receiving a record 224 responses to its first four consultation papers on the issue.

“The EBA identified 300 distinct concerns and clarification requests by respondents,” said Enria. “Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft.”

Enria also confirmed that under PSD2 so-called “screen-scraping,” which automates the copying of data from a website, will be banned despite calls for open communication between banks and financial services providers for the purpose of customer data sharing. Responding to the decision, Conor Ogle, vice president – business consulting at consulting group Sapient’s division Sapient Global Markets, said: “A bank’s homepage is under ongoing assault from many sources. They can only survive this by offering services their customers truly value.

“Whether or not screen scraping was going to be permitted, banks must take swift action and consider which propositions they should be providing themselves. Rather than treating alternate providers as threats to their existing business models, they would better serve their customers and shareholders by evaluating which of the propositions could provide real value to their customers.

“An application program interface (API)-based economy transfers power to the end user. In this model, banks could find themselves reduced to “dumb pipes” at best, with consumers naturally favouring customer-centric propositions with friction-free onboarding and enhanced data-driven services.

“Despite all these obvious signs, some banks will fail to see PSD2 as anything more than a regulatory response project. They may squander the chance to fundamentally reset their value propositions, ignoring this opportunity to reconsider the very purpose and nature of their brands through the lens of their customer.”

John Harvie, director at consulting firm Protiviti, commented: “The introduction of PSD2 opens up opportunities and creates new challenges. These opportunities and challenges are in tension with one another with the competing demands of ease of use, security and reliability being traded off against each other.

“It will take some time for this to stabilise and the announcements today are just one step in this process. For the UK the issue of Brexit adds to the complexity; however the prize of a low cost, low friction payments landscape that encourages competition and innovation is in our opinion a goal well worth fighting for.”

Earlier this month, a Financial Times report claimed that financial technology (fintech) companies were accusing the major banks of lobbying for EU legislation, including PSD2, to be diluted.

Comments are closed.