EBA publishes Opinion on the elements of strong customer authentication under PSD2

On 21 June 2019, the European Banking Authority (EBA) published an opinion responding to concerns about market preparedness for the application of the strong customer authentication (SCA) requirements under PSD2 from 14 September 2019, and to questions on which authentication processes the EBA would consider to be compliant. The opinion also sets out the EBA's views on what constitutes a compliant SCA element under PSD2.

In the UK, the FCA responded to the EBA’s opinion on 28 June 2019.

Background

The majority of the provisions of the revised Payment Services Directive have applied since 13 January 2018. The Directive brought fundamental changes to the payments market in the EU, in particular by requiring payment service providers (PSPs) to apply SCA where the payer accesses its payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud.

The EBA developed regulatory technical standards (RTS) on SCA and common and secure open standards of communication, which set out the detailed requirements. The RTS were published in the Official Journal on 13 March 2018 and apply from 14 September 2019.

Market preparedness and engagement with competent authorities

This is in the context of concern amongst the banking sector that there will not be enough time to prepare for the requirement to apply SCA to electronic transactions in the specified instances by the deadline of 14 September 2019. The FT reported on 12 June that EU trade bodies representing banks across the EU had warned the EBA by letter that between 25% and 30% of online payments will be impossible to complete when the September deadline for SCA arrives. According to the letter, banking and payments executives said some new systems had not been tested at scale, and many smaller businesses did not yet have access to the necessary software. Amazon and Stripe had raised similar complaints the week before from the perspective of the e-commerce market.

The EBA is holding firm on the deadline. It does acknowledge the complexity of the changes required and provides that on an exceptional basis, competent authorities may decide to work with PSPs to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA. This would be under the condition that PSPs have set up a migration plan, have agreed the plan with their competent authority, and execute the plan in an expedited manner.

Regulators are asked to work with PSPs, so the FCA may in turn reach out to PSPs. PSPs should consider confirming and documenting their migration approach and plan, if they have not already done so. Acquirers should also consider how they support merchants, given the concerns flagged by Amazon and Stripe that merchants will need to restructure their entire checkout flows. The EBA has indicated that it is in the interests of PSPs to support merchants with the changes.

The EBA’s view is that explaining and making customers aware of changes will be paramount to enable them to continue making payments. PSPs should also put in place customer communication plans, including plans to communicate with the end customers of merchants.

Clarifications on what constitutes a compliant SCA element under PSD2 and RTS

The Opinion looks at each limb of the definition of SCA (inherence, knowledge and possession) and provides examples of what each of these would constitute, building on the guidance already set out in the RTS.

Inherence

Inherence is defined by PSD2 as “something the user is”.

The EBA has confirmed that this relates to biological and behavioural biometrics. It views these as including physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these. This is the most innovative and fastest-moving of the elements, with approaches such as retina and iris scanning, face recognition, voice recognition, vein recognition, and the use of pulse rates.

The opinion states that communication protocols such as EMV 3-D Secure version 2.0 and newer (a customer authentication messaging protocol) would not in themselves constitute a compliant inherence element: such a protocol may carry the data used for authentication, but it is not "something the user is".

Possession

Possession is defined by PSD2 as “something only the user possesses”.

Possession of a device can be proven, for example, through the generation of a one-time password (including one delivered by text message, which evidences possession of the SIM card). Reliance on mobile apps and web browsers can also be suitable evidence of possession, but only where there is a unique connection with the device, established through some form of hardware-based cryptographic security or a secure registration (device-binding) process. An app that can simply be installed on any device, without such binding, does not evidence possession.

The opinion also clarifies further in response to queries from industry participants that card details and card security codes printed on cards do not constitute possession (nor do they constitute knowledge).

This is in contrast to the guidance in the FCA’s approach document (as updated in June 2019), which appears to permit accepting static card details as evidence of possession.

The EBA does state that dynamic card security codes (ie ones that are not printed on the card and change within reasonable periods of time) can constitute a possession element.

A fuller list of possible possession elements is included in the opinion.

Knowledge

Knowledge is defined by PSD2 as “something only the user knows”.

These include passwords, PINs, knowledge-based responses to challenges or questions, passphrases and memorised swiping paths, but not email addresses or usernames. It should be noted that, whilst they constitute a knowledge element, memorised swiping paths do not meet the requirements for inherence. As with the other two elements, the opinion sets out a non-exhaustive list of possible knowledge elements.

Other requirements

Finally, the opinion looks at other requirements, including the requirement for any electronic payment transaction made remotely to include dynamic linking (ie the authentication code generated must be specific to the amount of the transaction and to the payee agreed by the payer, and the payer must be shown both before authenticating). It also looks at the requirement for the two elements used for SCA to be independent and to belong to two different categories. This is to ensure that the breach of one element does not compromise the reliability of the other.
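The following is an added worked example, not code from the EBA opinion or from any PSP, showing how the possession element described above (a key bound to a registered device) and dynamic linking fit together on the issuer side, with a PIN as the independent knowledge element. It assumes a hypothetical issuer API (Issuer, Device, Transaction) and uses an HMAC key as a stand-in for a hardware-bound device key; the user, device identifier, PIN and IBANs are constructed sample data. The authentication code is computed over the amount, payee and a single-use nonce, so a code approved for one transaction cannot be accepted for a different amount or payee, nor replayed.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000


@dataclass(frozen=True)
class Transaction:
    amount: str    # decimal string ("125.00") to avoid float rounding
    currency: str
    payee: str     # payee identifier shown to the payer (e.g. IBAN)
    nonce: str     # issuer-generated, single use: defeats replay


def canonical(tx: Transaction) -> bytes:
    """Unambiguous byte encoding of exactly what the payer approved."""
    return json.dumps(
        {"amount": tx.amount, "currency": tx.currency,
         "payee": tx.payee, "nonce": tx.nonce},
        sort_keys=True, separators=(",", ":")).encode()


class Device:
    """The payer's registered device (possession element). The key is assumed
    to be created at secure registration and kept in hardware-backed storage;
    an HMAC key stands in for a hardware-bound signing key in this example."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def approve(self, tx: Transaction) -> str:
        # Dynamic linking: the code depends on amount, payee and nonce.
        return hmac.new(self._key, canonical(tx), hashlib.sha256).hexdigest()


class Issuer:
    """Account-servicing PSP: holds device keys, PIN verifiers and nonces."""

    def __init__(self):
        self._device_keys = {}   # (user, device_id) -> device key
        self._pins = {}          # user -> (salt, pbkdf2 digest)
        self._issued = {}        # nonce -> Transaction shown to the payer
        self._used = set()       # nonces already consumed

    def register_device(self, user: str, device_id: str, key: bytes) -> None:
        self._device_keys[(user, device_id)] = key

    def set_pin(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self._pins[user] = (salt, digest)

    def challenge(self, amount: str, currency: str, payee: str) -> Transaction:
        tx = Transaction(amount, currency, payee, secrets.token_hex(16))
        self._issued[tx.nonce] = tx
        return tx

    def verify(self, user: str, device_id: str, pin: str,
               tx: Transaction, code: str) -> bool:
        """tx is the transaction the issuer is about to execute."""
        # Knowledge element, verified independently of the device code.
        salt, digest = self._pins.get(user, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        pin_ok = hmac.compare_digest(digest, candidate)
        # The nonce must be one we issued and not yet consumed.
        if tx.nonce not in self._issued or tx.nonce in self._used:
            return False
        # Possession + dynamic linking: recompute over the transaction we
        # will execute; a changed amount or payee yields a different code.
        key = self._device_keys.get((user, device_id))
        if key is None:
            return False
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        code_ok = hmac.compare_digest(expected, code)
        if pin_ok and code_ok:
            self._used.add(tx.nonce)
            return True
        return False


def demo() -> dict:
    """Constructed end-to-end run; returns the outcome of each check."""
    issuer = Issuer()
    key = secrets.token_bytes(32)          # created at secure registration
    device = Device("phone-1", key)
    issuer.register_device("alice", "phone-1", key)
    issuer.set_pin("alice", "4921")

    tx = issuer.challenge("125.00", "EUR", "DE89370400440532013000")
    code = device.approve(tx)              # payer saw amount and payee
    results = {}
    tampered_amount = Transaction("1250.00", tx.currency, tx.payee, tx.nonce)
    results["tampered_amount"] = issuer.verify("alice", "phone-1", "4921", tampered_amount, code)
    tampered_payee = Transaction(tx.amount, tx.currency, "GB29NWBK60161331926819", tx.nonce)
    results["tampered_payee"] = issuer.verify("alice", "phone-1", "4921", tampered_payee, code)
    results["wrong_pin"] = issuer.verify("alice", "phone-1", "0000", tx, code)
    results["unregistered_device"] = issuer.verify("alice", "phone-2", "4921", tx, code)
    results["genuine"] = issuer.verify("alice", "phone-1", "4921", tx, code)
    results["replay"] = issuer.verify("alice", "phone-1", "4921", tx, code)
    return results


if __name__ == "__main__":
    print(demo())
```

The two elements are checked separately and the device code never incorporates the PIN, so a compromised PIN does not help an attacker produce a valid code and a stolen device cannot complete the transaction without the PIN, which is the independence requirement in practice.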

Commentary

Whilst the opinion gives greater clarity around the processes that are acceptable for the implementation of strong customer authentication, the practical technological application of these requirements in time for the September deadline is proving challenging.

In the context of the UK, the FCA responded to the EBA's opinion on 28 June 2019, confirming that it intends to quickly agree next steps with affected parties, including a plan and timetable for achieving compliance, with milestones and targets to increase security and reduce fraud. The FCA expects all participants to meet the agreed milestones and targets in time for full compliance by the final delivery date, but has said that it will not take enforcement action against firms that have not met them, as long as they can demonstrate they have taken the steps necessary to comply with the plan. Firms should expect questions from the FCA as to the genuine cause of any delay if the deadline is not met.

Comparing the EBA opinion and the FCA's June approach document, the FCA's approach has focused on risk mitigation balanced with ensuring appropriate security measures for customers. The EBA is focused on the precise quality of implementation in line with specific technical requirements. For example, on the use of a multi-purpose device that both initiates the transaction and plays a role in the authentication process, the FCA had stated that PSPs must adopt mitigation measures against the risk of compromise of the device. The EBA has been more specific, clarifying that approaches relying on such devices must ensure a unique connection with the device in order to be compliant.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.