The European Banking Authority (EBA) published Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication for the retail payments market in the European Union.
The standards were mandated by the Payment Services Directive (PSD2) and developed in conjunction with the European Central Bank after 18 months of policy development work. The standards incorporate the objectives of the PSD2 – enhancing security, facilitating customer convenience, ensuring technology and business-model neutrality, contributing to the integration of the European payment markets, protecting consumers, facilitating innovation – and enhancing competition through new payment initiation and account information services.
To address a key stakeholder, EBA introduced two new exemptions in the RTS: one based on transaction-risk analysis based on defined fraud levels and the other for payments at so-called ‘unattended terminals’ for transport or parking fares. The former is linked to a predefined level of fraud and is subject to an 18-month review.
Also, EBA increased the threshold for remote payment transactions from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and other specific characteristics of strong customer authentication.
Regarding the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service providers (PISPs), the standards will continue to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information.
However, the final RTS does require that ASPSPs that use a dedicated interface will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers, provide the same level of contingency measures in case of unplanned unavailability, and provide an immediate response to PISPs on whether or not the customer has funds available to make a payment.