Monday 25 Jun 2018 @ 08:05
techUK
Printable version

EBA guidelines on strong customer authentication

The European Banking Authority has published an opinion on how to implement technical standards on strong customer authentication and the FCA has responded.

The regulatory technical standards (RTS) on strong customer authentication (SCA) under the Payment Services Directive II (PSD2) have caused some uncertainty in the market. As a result, the EBA issued an opinion and draft guidleines on 13 June to clarify some issues.

These include:

  • The fact that an account information provider (AISP) is able to access the maximum amount of data available on a customer's payment accounts irrespective of the channel (mobile or web)
  • But a payment provider may only access the data necessary to initiate the payment
  • The account service provider (ASPSP - eg the bank) need not provide an data on the customer's identity, date of birth etc
  • An account information providercan only access a customers account 4 times per day unless:
    • the customer is actively requesting the info
    • the AISP has contractual arrangements with the ASPSP
  • A PISP may initiate al the same transactions the ASPSP offers its own customers - eg instant payments, international transfers, recurring and future-dated payments
  • On two-factor authentication, the EBA states that the card number, CVV, expiry date does not count as 'something a user only knows' on its own -dynamic validation is required.
  • While a customer can access a PISP or an AISP service using credentials from that service, the SCA must be applied at the ASPSP end - only the ASPSP can decide.
  • On the mechanism of authentication, the EBA clarifies that redirection is not per se an obstacle to the provision of services under PSD2. THe RTS states that it 'may' be so, if it is implemented in an obstructive manner.

FCA Response

In reponse the FCA has published a statement saying that it will consult on changes to its own guidelines. It also notes that:

  • ASPSPs should provide dedicated access to TPPs using secure application programming interfaces (APIs). The FCA encourages providers to use standardised APIs, such as those developed by the Open Banking Implementation Entity, where applicable.
  • Where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS from 14 September 2019. 
  • All ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019. But the FCA encourages ASPSPs to do this as soon as possible before that date. 
  • The RTS does not allow us to grant a partial exemption. We will provide opportunities for ASPSPs to engage with us before submission of the exemption request.  We also encourage timely requests for exemption as we will need time to make an exemption assessment.

 

Channel website: http://www.techuk.org/

Original article link: http://www.techuk.org/insights/news/item/13377-eba-guidelines-on-strong-customer-authentication

Share this article

Latest News from
techUK

techUK hosts RHC for the launch of ‘The Future Regulation of Space Technologies’ report

25/04/2024 16:05:00

Today the Regulatory Horizons Council (RHC) launches its report on the Future Regulation of Space Technologies. techUK will host the first presentation about the report during the Space Commercialisation and Tech Summit.

Cloud computing and the journey to net zero - why GreenOps is key to sustainable growth

25/04/2024 11:05:00

At a time when our commitment to mitigate the impact of climate change has never been more urgent, a sustainable approach to technology should be at the heart of any digital transformation strategy. 

techUK and TechWM strategic agreement announcement

25/04/2024 10:25:00

We are delighted to announce that techUK and TechWM have signed a new strategic agreement to accelerate regional tech economy! 

UK SPF commissions study to explore spectrum sharing with Defence

25/04/2024 09:20:00

In a recent development, management consultancy LS telcom has been appointed to produce an independent report addressing the complexities of sharing Defence spectrum. At the heart of this endeavour lies the need to reconcile the growing need for spectrum sharing with the stringent security requirements of the Ministry of Defence (MoD).

New CCS Chief Executive announced

24/04/2024 16:25:00

Last week, it was announced that the Crown Commercial Service had appointed it's new Chief Executive to replace Simon Tse when he retires this summer

Prime Minister announces significant increase in Defence spending

24/04/2024 13:20:00

Speaking yesterday at a NATO press conference in Poland, the Prime Minister committed to increase Defence spending to 2.5% of GDP by 2030, representing an additional £75bn in funding over the next 6 years.

Financial Conduct Authority publishes its response to work on big tech and data asymmetry in financial services

24/04/2024 11:20:00

Watch techUK’s Head of Financial Services, Andy Thornley, explain the FCA’s response to their work on big tech and data asymmetry in financial services!

Innovate to elevate: Can product design solve the UK's productivity paradox? (Guest blog from Exclaimer)

23/04/2024 11:25:00

Blog posted by: Vicky Wills, Chief Technology Officer, Exclaimer, 22 April 2024.

New National Cyber Security Centre CEO Announced

22/04/2024 11:25:00

Recently, Friday 19 April, the NCSC officially announced Richard Horne as the incoming Chief Executive Officer (CEO), succeeding Lindy Cameron who stepped down earlier this year.

NFCC Data, Digital and Technology Conference 2024

22/04/2024 10:25:00

The Digital, Data, and Technology (DDaT) Conference hosted by the National Fire Chiefs Council is a pivotal event designed to bring together senior leaders and practitioners in the fire service sector.

Derby City Council Showcase