PSD 2: European Commission adopts regulatory technical standards on strong customer authentication

Spotlight
15 December 2017

On 27 November 2017, the European Commission adopted, on the basis of an amended draft from the European Banking Authority ("EBA"), regulatory technical standards on strong customer authentication and common and secure communication under Article 98 of Directive 2015/2366 of 25 November 2015 on payment services in the internal market ("PSD 2"). 
Strong customer authentication 

PSD 2 requires payment services providers to apply strong customer authentication requirements under certain circumstances. These requirements aim at ensuring the security of electronic payments. The risk of fraud with electronic payments is significant and requires a high level of protection (Recital 95 of PSD 2). 

Strong customer authentication is defined as "an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data" (Article 4(30) of PSD 2). 

The payment services providers must apply strong customer authentication where the payer (i.e. the client): 

  1. accesses its payment account online; 
  2. initiates an electronic payment transaction; or 
  3. carries out any action through a remote channel which may imply a risk of payment fraud or other abuses (catch-all provision). 

Strong customer authentication requirements only apply where the payer (client) himself initiates an electronic payment transaction. Therefore, in principle, strong customer authentication requirements do not apply where an electronic payment transaction is initiated by the payee, as in the case of direct debits. But where a client agrees to a direct debit by means of an electronic mandate, the strong customer authentication requirements will nonetheless apply, since giving the mandate qualifies as an action that the payer (client) carries out through a remote channel which may imply a risk of fraud (EBA, Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2): Final report, 23 February 2017, p. 7).

Exemptions to the strong customer authentication requirements 

The regulatory technical standards provide exemptions for two out of the three cases where strong customer authentication is required.

First, in the case of access by a client to his/her payment account online, the requirement of strong customer authentication does not apply where the client's online access is limited to either one or both of the following items, without disclosure of sensitive payment data:

  • the balance of one or more designated payment accounts;
  • the payment transactions executed in the last 90 days through one or more designated payment accounts. 

"Sensitive payment data" means "data, including personalised security credentials which can be used to carry out fraud […]" (Article 4(32) of PSD 2). 

This exemption is not applicable, however, when:

  • the client is accessing such information online for the first time; 
  • more than 90 days have elapsed since the last time the client accessed online its 90-day payment transactions history with strong customer authentication. 

Secondly, in the case of initiation of electronic payment transactions, several exemptions to the strong customer authentication requirements apply, two of which we will mention here: 

The strong customer authentication requirements do not apply where a client initiates a contactless electronic payment transaction, provided that the following conditions are met:

  • the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and 
  • the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or 
  • the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering contactless functionality since the last application of strong customer authentication does not exceed five. 

The strong customer authentication requirements also do not apply where a client initiates a remote electronic payment transaction, provided that the following conditions are met: 

  • the amount of the remote electronic payment transaction does not exceed EUR 30; and 
  • the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or 
  • the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed five consecutive individual remote electronic payment transactions. 
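The exemption conditions above are, in effect, a small rule set that a payment service provider's authentication layer has to evaluate on every request. The following Python example is added here and is not part of the article or of any regulatory text; it encodes the thresholds the article quotes (EUR 50 / EUR 150 / five transactions for contactless, EUR 30 / EUR 100 / five for remote, and the 90-day window for account-information access) and shows how the counters must be reset whenever strong customer authentication is actually applied. The data model, function names, and two interpretive choices are assumptions: the "and ... or" structure is read as the amount ceiling plus either the cumulative-amount ceiling or the consecutive-count ceiling, and the consecutive count is taken to include the transaction being decided, while the cumulative amount covers previous transactions only, as the article's wording says.

```python
"""Added example (not from the article): PSD 2 / RTS exemption decision helper.

Thresholds follow the article; the data model and the interpretive choices
noted in the comments are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import List, Optional

# Thresholds as quoted in the article.
CONTACTLESS_MAX_AMOUNT = Decimal("50")
CONTACTLESS_MAX_CUMULATIVE = Decimal("150")
REMOTE_MAX_AMOUNT = Decimal("30")
REMOTE_MAX_CUMULATIVE = Decimal("100")
MAX_CONSECUTIVE = 5
ACCESS_WINDOW_DAYS = 90


@dataclass
class InstrumentState:
    """Counters kept per payment instrument since the last SCA (assumed model)."""
    cumulative_since_sca: Decimal = Decimal("0")
    count_since_sca: int = 0

    def record(self, amount, sca_applied: bool) -> None:
        """Update the counters after a transaction; applying SCA resets both."""
        if sca_applied:
            self.cumulative_since_sca = Decimal("0")
            self.count_since_sca = 0
        else:
            self.cumulative_since_sca += amount
            self.count_since_sca += 1


def _low_value_exempt(amount, state: InstrumentState, max_amount, max_cumulative) -> bool:
    """Condition (a) must hold; (b) and (c) are joined by 'or' (assumed reading)."""
    if amount > max_amount:
        return False
    # (b) cumulative amount of *previous* transactions since last SCA.
    within_cumulative = state.cumulative_since_sca <= max_cumulative
    # (c) consecutive transactions since last SCA, counting this one (assumed).
    within_count = state.count_since_sca + 1 <= MAX_CONSECUTIVE
    return within_cumulative or within_count


def contactless_exempt(amount, state: InstrumentState) -> bool:
    return _low_value_exempt(amount, state, CONTACTLESS_MAX_AMOUNT, CONTACTLESS_MAX_CUMULATIVE)


def remote_exempt(amount, state: InstrumentState) -> bool:
    return _low_value_exempt(amount, state, REMOTE_MAX_AMOUNT, REMOTE_MAX_CUMULATIVE)


def simulate_contactless(amounts) -> List[bool]:
    """Run a sequence of contactless payments on one instrument and return,
    per payment, whether it was exempt. A non-exempt payment triggers SCA,
    which resets the counters for the payments that follow."""
    state = InstrumentState()
    decisions = []
    for amount in amounts:
        exempt = contactless_exempt(amount, state)
        decisions.append(exempt)
        state.record(amount, sca_applied=not exempt)
    return decisions


def sca_required_for_account_access(*, first_access: bool,
                                    last_sca_access: Optional[date],
                                    today: date,
                                    only_balance_or_90_day_history: bool,
                                    includes_sensitive_payment_data: bool) -> bool:
    """Account-information exemption: only balance / last 90 days of
    transactions, no sensitive payment data, not the first access, and the
    last SCA-authenticated access no more than 90 days ago."""
    if not only_balance_or_90_day_history or includes_sensitive_payment_data:
        return True
    if first_access or last_sca_access is None:
        return True
    return (today - last_sca_access) > timedelta(days=ACCESS_WINDOW_DAYS)


if __name__ == "__main__":
    # Constructed sample: seven contactless taps of EUR 40 on one card.
    print(simulate_contactless([40] * 7))
    print(sca_required_for_account_access(
        first_access=False, last_sca_access=date(2017, 10, 1),
        today=date(2018, 1, 13), only_balance_or_90_day_history=True,
        includes_sensitive_payment_data=False))
```

In the constructed sequence of seven EUR 40 taps, the fifth tap is still exempt because the consecutive-count ceiling applies even though the cumulative amount has passed EUR 150; the sixth breaches both ceilings, so strong customer authentication is applied and the counters reset, which makes the seventh exempt again. The important engineering point is that the counters are per instrument and reset only on an actual application of strong customer authentication, never on a merely successful transaction.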

Implementation of provisions regarding strong customer authentication requirements

Most of the PSD 2 provisions must be implemented by 13 January 2018 at the latest. However, the provisions regarding strong customer authentication requirements must be implemented at the latest 18 months after the entry into force of the regulatory technical standards. It is estimated that the PSD 2 provisions regarding strong customer authentication requirements will be required to be implemented around 1 September 2019.