EBA paves the way for open and secure electronic payments for consumers under the PSD2

23 February 2017

The European Banking Authority published its final draft Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication. These RTS pave the way for an open and secure market in retail payments in the European Union.

The EBA received 224 responses to its Consultation Paper, in which more than 300 distinct concerns or requests for clarification were raised. In the feedback table published as part of the RTS, the EBA has summarised each one of them and provided its assessment as to whether changes have been made to the RTS as a result of such concerns.

In particular, one of the key concerns addressed by these final draft RTS relates to the exemptions from the application of strong customer authentication on the basis of the level of risk involved in the service provided; the amount and recurrence of the transaction; and the payment channel used for the execution of the transaction. In this respect, the EBA has introduced two new exemptions: one for transaction-risk analysis, based on defined fraud levels, and the other for payments at so-called ‘unattended terminals’ for transport or parking fares. The exemption on transaction-risk analysis is linked to a predefined level of fraud and is subject to an 18-month review clause after the application date of the RTS.

In addition, the EBA has increased the threshold for remote payment transactions from EUR 10 to EUR 30, and has removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication, so as to better ensure the technological neutrality of the RTS and to facilitate future innovations.

With regard to the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service providers (PISPs), the EBA has decided to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. This is linked to the Payment Services Directive (PSD2) no longer allowing the existing practice of third-party access without identification (at times referred to as ‘screen scraping’ or, mistakenly, as ‘direct access’) once the transition period provided for in PSD2 has elapsed and the RTS apply.

© EBA