European Commission Adopts Draft Regulatory Technical Standards on Security Measures and Communication Tools for Payment Services

The European Commission has adopted a draft Delegated Regulation setting out Regulatory Technical Standards on the security measures for strong customer authentication along with common and secure open standards for the communication between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers in relation to the provision and use of payment services.

The RTS require that, for strong customer authentication, there should be a combination of at least two independent elements, which could be a physical item - a card or mobile phone - combined with a password or a biometric feature, such as fingerprints, before making a payment. The RTS contain a number of exemptions from the requirements for strong customer authentication. There are two exemptions for remote payments, one on transaction-risk analysis and the other on low value payments (below EUR 30). The RTS also contain exemptions for proximity payments and a further exemption covering electronic payment transactions that are performed through dedicated payment processes or protocols typically used by corporates and where security is achieved through other means than the authentication of a particular individual.

The Draft Delegated Regulation will be subject to a three-month scrutiny period by the European Parliament and the Council. Once adopted, it will be published in the Official Journal of the European Union. Banks and other payment service providers will then have 18 months to put the new security measures and communication tools in place. Subject to the agreement of the European Parliament and the Council, therefore, the RTS are expected to become applicable around September 2019.

View the Draft Delegated Regulation and Annex I.