Out-Law News

EBA's plans for customer authentication under PSD2 receive further industry criticism


Proposed new regulatory and technical standards for authenticating the identity of customers in the payments market, set out by the European Banking Authority (EBA), have come in for further criticism from industry.

A letter (6-page / 631KB PDF) signed by 39 industry organisations, including bodies representing major banks, retailers, credit card providers and technology companies, said the EBA's proposals "would create unnecessary hurdles for a number of different industries, especially e-commerce". The letter was addressed to Valdis Dombrovskis, the EU's commissioner for financial services.

The letter follows on from a recent paper published by Visa which described the EBA's draft standards as "a significant threat to future innovation and Europe's future growth".

The EBA is responsible for defining the regulatory technical standards for strong customer authentication under the reformed Payment Services Directive (PSD2), which came into force earlier this year. The directive needs to be implemented into national laws across the EU by 13 January 2018. The EBA consulted on draft standards on strong customer authentication earlier this year. The final standard must be submitted to the European Commission by 13 January 2017. The Commission has the power to adopt those standards.

Like Visa, the signatories of the new letter, which include Payments UK, the British Retail Consortium, European Card Payment Association and techUK, stressed the need for a "risk-based approach" to authenticating customers and authorising transactions. They criticised the EBA for its "prescriptive approach" in "mandating strong authentication for all remote payment transactions over €10, regardless of their risk".

The plans fail to account for "some of the highly innovative approaches to authentication and risk management" in use in the market which are already "demonstrably working" to cut fraud levels, they said.

Payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "Strong customer authentication is there to help build trust in an online world as part of the European Commission’s digital strategy. There is little need for this in the UK given that it is a leader in online business across the EU. Other states do lag behind."

"From a legal perspective, strong customer authentication never needed to be mandated. The liability regime means that banks and other providers are held responsible – customers are not exposed to material risk. Given the push from the Commission it seems likely that many of the industry’s calls for more flexibility will fall on deaf ears," he said.

Under PSD2, strong customer authentication is a mechanism that requires payment account holders who wish to access their accounts or make a payment to verify their identity using two or more independent factors. Those factors are something the account holder knows, something they possess or something inherent in them.

The letter signatories said mandating strong customer authentication "may make sense for some payments which have a higher transactional risk", but that it would be "disproportionate" and introduce "unnecessary friction to the customer shopping experience" to force strong customer authentication standards to be adhered to for "low-risk transactions". They warned of the potential "chilling effect" the proposed new standards could have on the EU's digital single market.

The letter said: "It will have a negative impact upon a wide variety of industries, in particular SMEs, fintech and other start-ups. At the same time, it will not improve overall security. Institutionalising a single method of authentication over many different and innovative ways of authenticating the customer will potentially make transactions more prone to fraud as fraudsters are more likely to effectively target rigid rules that do not evolve quickly. Moreover, European [payment service providers] may be forced to decline payments by European customers on foreign websites which do not offer strong authentication."

"This will result in an increase in consumer harm by reducing customer trust in their payment methods, the choices open to them and restricting competition. We therefore urge the European Commission to work with the EBA to incorporate in their draft standards a results-oriented and technology-neutral risk-based approach … rather than a threshold-based technology-specific approach," it said.
