EBA guidelines on strong customer authentication
The European Banking Authority has published an opinion on how to implement technical standards on strong customer authentication and the FCA has responded.
The regulatory technical standards (RTS) on strong customer authentication (SCA) under the Payment Services Directive II (PSD2) have caused some uncertainty in the market. As a result, the EBA issued an opinion and draft guidelines on 13 June to clarify some issues:
- An account information provider (AISP) is able to access the maximum amount of data available on a customer's payment accounts irrespective of the channel (mobile or web)
- But a payment provider may only access the data necessary to initiate the payment
- The account service provider (ASPSP - eg the bank) need not provide any data on the customer's identity, date of birth etc
- An account information provider can only access a customer's account 4 times per day unless:
  - the customer is actively requesting the info
  - the AISP has contractual arrangements with the ASPSP
- A PISP may initiate all the same transactions the ASPSP offers its own customers - eg instant payments, international transfers, recurring and future-dated payments
- On two-factor authentication, the EBA states that the card number, CVV and expiry date do not count as 'something a user only knows' on their own - dynamic validation is required.
- While a customer can access a PISP or an AISP service using credentials from that service, the SCA must be applied at the ASPSP end - only the ASPSP can decide.
- On the mechanism of authentication, the EBA clarifies that redirection is not per se an obstacle to the provision of services under PSD2. The RTS states that it 'may' be so, if it is implemented in an obstructive manner.
In response, the FCA has published a statement saying that it will consult on changes to its own guidelines. It also notes that:
- ASPSPs should provide dedicated access to TPPs using secure application programming interfaces (APIs). The FCA encourages providers to use standardised APIs, such as those developed by the Open Banking Implementation Entity, where applicable.
- Where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS from 14 September 2019.
- All ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019. But the FCA encourages ASPSPs to do this as soon as possible before that date.
- The RTS does not allow us to grant a partial exemption. We will provide opportunities for ASPSPs to engage with us before submission of the exemption request. We also encourage timely requests for exemption as we will need time to make an exemption assessment.