MEPs apply pressure on EBA to put back provisions for risk-based customer authentication


In August 2016, the European Banking Authority (EBA) published a public consultation on the draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication under the revised Payment Services Directive 2 (PSD2). In response to the draft proposals, Members of the European Parliament’s Committee on Economic and Financial Affairs on 29 November invited the Chairman of the EBA, Andrea Enria, for scrutiny of the draft proposals.

The revised PSD2 intends to update the European payments landscape and make it fit for the future by enhancing competition, facilitating innovative solutions and increasing security for both consumers and merchants. In his statement, Mr. Enria stressed that while the PSD2’s ambitiousness is important in light of the developments and innovations in the electronic payments landscape, the number of demands, some contradicting each other, presented the EBA with a number of areas of concern, which led to the draft RTS presented for public consultation in August.

In their analysis of the public consultation, the EBA identified that a large number of responses, in fact, related to the EBA’s interpretation of the PSD2 rather than the specific guidelines proposed by the RTS. The EBA has identified three major stakeholder concerns, which it is working to address: the proposed €10 threshold, provisions on standardized communication interfaces, and exemptions to Strong Customer Authentication.

In its response to the public consultation, Ecommerce Europe stressed its strong concerns that the EBA’s draft RTS provisions contradicted the spirit of the Payment Services Directive 2 by, in particular, not accounting for risk-based approaches to customer authentication as stipulated under the level-1 legislation.

The draft RTS propose a one-size-fits-all approach to fighting fraud risk in electronic payments by mandating the application of Strong Customer Authentication for all transactions above a €10 threshold. Ecommerce Europe believes that this approach is both too rigid and burdensome for consumers and online merchants, risking important innovations in payment fraud prevention and the strong growth that the e-commerce sector has enjoyed.

Please see Ecommerce Europe’s explanation of why a risk-based ‘Targeted Authentication’ is an alternative that would offer a more balanced approach to safety and convenience than a one-size-fits-all application of Strong Customer Authentication here.

In their scrutiny of the EBA’s draft proposal, a large number of MEPs expressed the same concerns that have been highlighted by a broad range of industries trading online, calling on the Authority to return to the original spirit of the PSD2. MEPs called on both the EBA and the European Commission to reintroduce the agreed-upon provisions for technologically neutral and risk-based approaches to customer authentication, while ensuring increased and fair competition between market newcomers and incumbents.

Next steps

The European Banking Authority is expected to publish its final draft RTS in early 2017. Following their publication, the European Commission will have a three-month evaluation period within which it can make further additions to the EBA’s draft. After that, both the European Parliament and the Council will have a further three-month scrutiny period before accepting or rejecting the RTS proposals.