Payments Insights #3 – Existing and Upcoming Strong Customer Authentication Requirements for PSPs 

May, 2024 - Sarah Zerafa Lewis and Mario Mizzi

 

When the Second Payment Services Directive1 (‘PSD2’) replaced the First Payment Service Directive, the European Union (‘EU’) introduced the requirement of Strong Customer Authentication (‘SCA’). SCA enhances the security of electronic payments through additional layers of authentication with the aim to mitigate payment fraud.

As we noted in the previous Payment Insight, the European Banking Authority (the ‘EBA’) opines that SCA requirements have been successful in preventing payments fraud resulting from the theft of customers’ credentials. In view of this, the upcoming amendments to the payment services regime will see the SCA requirements being enhanced in the proposed Payment Services Regulation2 (the ‘proposed PSR’) rather than remaining in a directive, which would require transposition by each EU Member State.

In this article, we will first provide a general overview of the current requirements on SCA as set out in the PSD2 and how these were implemented in Malta. Subsequently, we will discuss the proposed amendments in the proposed Third Payment Services Directive3 (the ‘proposed PSD3’) and the proposed PSR.

General Overview of SCA Requirements under the Current Regime

In practice, SCA is an authentication method which is based on the use of two or more of the following:

1 – Knowledge (something only the user knows – usually a password or PIN number); and/or

2 – Possession (something only the user possesses – e.g. an authenticator on a phone or the phone’s SIM card which receives the authenticating SMS); and/or

3- Inherence (something the user is – e.g. a fingerprint or facial recognition).

SCA requirements under EU law mandates that these elements should be independent and that the breach of one element does not compromise the reliability of the others. The authentication should be designed in such a way as to protect the confidentiality of the authentication of data. In fact, the term ‘authentication’ is also defined in the PSD2 as a “procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials.”

Malta’s Central Bank Directive no. 1 on ‘Provision and Use of Payment Services’ (the ‘CBM Directive 1’), which transposes parts of the PSD2, provides in paragraph 72 that a payment service provider (a ‘PSP’) is required to apply SCA where the payer:

  • accesses its payment account online;
  • initiates an electronic payment transaction or;
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The CBM Directive 1 also includes further provisions on SCA which also transpose the PSD2, including certain reporting requirements to Central Bank of Malta when SCA is not used pursuant to the applicable exemptions. It should also be noted that in terms of paragraph 50 of CBM Directive 1, where a payer’s PSP does not require SCA, the payer will not bear any financial losses unless the payer has acted fraudulently.

Detailed SCA requirements are also set out in the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the ‘Commission Delegated Regulation’) which is the main European legislative instrument for SCA requirements and is directly applicable.

The Commission Delegated Regulation requires that when PSPs apply SCA, an authentication code be generated and that such code be only accepted once by the PSP when the payer uses it to access its payment account online, to initiate an electronic payment transaction or to carry out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The Commission Delegated Regulation also includes requirements related to ‘dynamic linking’ whereby an authentication code is to be unique to each payment transaction and to be transferred together with the amount and recipient of the payment through every step of the payment and authentication process. Furthermore, dynamic linking requires that both the amount and the recipient should be made clear to the payer when authenticating the payment and that if the code or any of details of the payment are amended, the transaction will fail. Additionally, dynamic linking requirements provide that the authentication code accepted by the PSP corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer.

The Commission Delegated Regulation also provides a set of exemptions4 applicable to PSPs, which include the following:

  • Low Risk Transactions or Transaction Risk Analysis Exemption: Applying risk-based factors, transactions are identified as low-risk transactions where the payer initiates a remote electronic payment transaction identified by the PSP as posing a low level of risk according to the transaction monitoring mechanisms referred to in the Commission Delegated Regulation. Certain conditions are to be met when applying this exemption, such as the requirement that the PSP’s overall fraud rates for that particular transaction do not exceed certain thresholds. Calculation of fraud rates and related requirements for the purpose of SCA and/or exemptions are also outlined in the Commission Delegated Regulation.
  • Low-Value Transactions Exemption: Article 16 of the Commission Delegated Regulation provides the threshold for payments with low amounts that may be exempt from SCA. Amounts under €30 are considered “low value” and may be exempted from SCA, but this exemption is only possible when:
    • the cumulative amount of previous remote payment transaction made by the payer since the last application of SCA does not exceed €100 or;
    • the number of previous remote payment transaction made by the payer since the last SCA does not exceed five consecutive individual remote payment transactions.
  • Recurring Transactions Exemption: This exemption from SCA is available when the payer when makes a series of recurring payments for the same amount to the same payee.
  • Accounts held by the Same Natural or Legal person Exemption: One of the main exemptions from SCA is the one pursuant to which the payer initiates a credit transfer where the payer and the payee are the same natural or legal person and both payment accounts are held by the same account servicing PSP.

SCA mandates the use of two or more independent elements from the categories of knowledge, possession, and inherence to ensure the security of authentication data. Under the PSD2 and CBM Directive 1, PSPs must apply SCA in specified scenarios, with additional reporting and liability provisions. The Commission Delegated Regulation provides detailed standards, including dynamic linking and unique authentication codes, while also allowing exemptions such as low-risk, low-value, recurring transactions and intra-account transfers.

This regulatory framework robustly enhances payment security and fraud mitigation.

Proposed PSD3 and PSR Amendments to the SCA Requirements

Although the primary aim of the proposed PSR is to codify existing obligations from the PSD2 into a regulation, the proposed PSD3 seeks to bring electronic money institutions into the scope of payments regulation from a legislative instrument perspective, incorporating the current EMD25 (with no plan for EMD3). While the proposed PSR would be directly enforceable across the EU, the proposed PSD3 would need to be transposed into the laws of each Member State.

Article 85(1) of the proposed PSR requires that SCA be applied (applying a risk-based approach) when the payer accesses a payment account online, initiates an electronic payment transaction, or performs any action that may imply a risk of fraud or other abuses.

One significant proposed change is the regulation of SCA exemptions to prevent misuse. Article 85(11) of the proposed PSR details that exemptions must be applied in a manner compatible with the risk level involved, requiring PSPs to conduct initial fraud risk assessments and maintain up-to-date records of fraud rates whilst adding a further criterion related to transactions by consumers or corporate payers when PSPs apply the exemptions for SCA requirements. Article 85(12) of the proposed PSR also provides that the inherence element of SCA may include environmental and behavioural characteristics, such as those related to the location of the payment user, the time when the transaction occurs, or the device being used.

Article 88 of the proposed PSR also requires PSPs to offer multiple methods for performing SCA that do not rely on a single technology or device, making it accessible to persons with disabilities, older individuals, and those with limited digital skills. This is a pivotal step in ensuring that security measures do not exclude or disadvantage any segment of the population, thereby promoting digital financial inclusion.

In the context of cross-border transactions, Preamble 111 of the proposed PSR refers to the use of European Digital Identity Wallets to facilitate secure digital identification and authentication, thereby enhancing the security and efficiency of digital payments across the EU.

Insofar as the proposed PSD3 is concerned, Preamble 11 of the proposed PSD3 provides some technical perspectives of Near-Field Communication (‘NFC’) and stipulates that “NFCs which enable the initiation of a payment transaction, considering it as a fully-fledged ‘payment instrument’ would pose some challenges, including for the application of strong customer authentication for contactless payments at the point of sale and of the payment service provider’s liability regime. NFC should therefore rather be considered as a functionality of a payment instrument and not as a payment instrument as such”. Despite that stated in Preamble 11, the proposed PSD3 does not really include any requirements on SCA – probably because all proposed changes have been enshrined mainly in Articles 85 to 89 of the proposed PSR.

PSD2 primarily defined SCA and specified its application areas, delegating most details to the Commission Delegated Regulation. In contrast, the proposed PSR already encompasses a more comprehensive set of detailed rules. From a logistical perspective, Article 89 of the proposed PSR assigns the EBA with the responsibility for developing the new Regulatory Technical Standards on SCA.

Conclusion

Overall, the proposed changes in the proposed PSR continue building on the existing framework of the PSD2 by refining SCA requirements to balance security with user experience, encourage innovation and ensure inclusivity across the European payment landscape. These amendments reflect the dynamic nature of digital transactions and the need for adaptable, risk-based security protocols. By integrating rigorous risk assessments, preventing exemption abuses and ensuring accessibility, the proposed amendments aim to create a more secure and inclusive financial ecosystem in the digital age whilst giving more legal harmonisation across the EU single market.

 

Click here for the previous article in this series

 

Footnotes:

 

  1. Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
  2. Proposal for a Regulation of the European Parliament and of the Council on payment services in the internal market and amending Regulation (EU) No 1093/2010.
  3. Proposal for a Directive of the European Parliament and of the Council on payment services and electronic money services in the Internal Market amending Directive 98/26/EC and repealing Directives 2015/2366/EU and 2009/110/EC.
  4. For the detailed and exact conditions and requirements related to the exemptions from SCA requirements, reference is to the made to the Commission Delegated Regulation and, for the purpose of this insight, only some of the general principles related to exemptions will be outlined.
  5. Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC.

 

This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr. Sarah Zerafa Lewis from the Banking & Finance Team and Dr. Mario Mizzi from the Fintech Team.

The post Payments Insights #3 –
Existing and Upcoming Strong Customer Authentication Requirements for PSPs
appeared first on Mamo TCV.

 



Link to article

MEMBER COMMENTS

WSG Member: Please login to add your comment.

dots