EBA guidelines on strong customer authentication
The European Banking Authority has published an opinion on how to implement technical standards on strong customer authentication and the FCA has responded.
The regulatory technical standards (RTS) on strong customer authentication (SCA) under the Payment Services Directive II (PSD2) have caused some uncertainty in the market. As a result, the EBA issued an opinion and draft guidelines on 13 June to clarify some issues.
- An account information provider (AISP) is able to access the maximum amount of data available on a customer's payment accounts, irrespective of the channel (mobile or web)
- But a payment provider may only access the data necessary to initiate the payment
- The account service provider (ASPSP - eg the bank) need not provide any data on the customer's identity, date of birth etc
- An account information provider can only access a customer's account 4 times per day unless:
  - the customer is actively requesting the info
  - the AISP has contractual arrangements with the ASPSP
- A PISP may initiate all the same transactions the ASPSP offers its own customers - eg instant payments, international transfers, recurring and future-dated payments
- On two-factor authentication, the EBA states that the card number, CVV and expiry date do not count as 'something a user only knows' on their own - dynamic validation is required.
- While a customer can access a PISP or an AISP service using credentials from that service, the SCA must be applied at the ASPSP end - only the ASPSP can decide.
- On the mechanism of authentication, the EBA clarifies that redirection is not per se an obstacle to the provision of services under PSD2. The RTS states that it 'may' be so, if it is implemented in an obstructive manner.
In response, the FCA has published a statement saying that it will consult on changes to its own guidelines. It also notes that:
- ASPSPs should provide dedicated access to TPPs using secure application programming interfaces (APIs). The FCA encourages providers to use standardised APIs, such as those developed by the Open Banking Implementation Entity, where applicable.
- Where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS from 14 September 2019.
- All ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019. But the FCA encourages ASPSPs to do this as soon as possible before that date.
- The RTS does not allow us to grant a partial exemption. We will provide opportunities for ASPSPs to engage with us before submission of the exemption request. We also encourage timely requests for exemption as we will need time to make an exemption assessment.