The European Banking Authority (EBA) has published final draft regulatory technical standards (RTS) on strong customer authentication and common and secure communication. The RTS are mandated under the revised Payment Services Directive (PSD2).
In the its final report on the RTS, the EBA summarises the comments received to its earlier consultation and provides an assessment as to whether changes have been made to the RTS as a result. In particular, one of the key concerns addressed by the RTS relates to the exemptions from the application of strong customer authentication on the basis of the level of risk involved in the service provided; the amount and recurrence of the transaction; and the payment channel used for the execution of the transaction. In this respect, the EBA has introduced two new exemptions: one based on transaction-risk analysis based on defined fraud levels and the other for payments at so called ‘unattended terminals’ for transport or parking fares. The exemption transaction risk analysis is linked to a predefined level of fraud and is subject to an 18-month review clause after the application date of the RTS.
The EBA has also increased the threshold for remote payment transactions from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication.
View EBA paves the way for open and secure electronic payments for consumers under the PSD2, 23 February 2017