European Banking Authority Publishes Opinion on Strong Customer Authentication Under Payment Services Directive
06/21/2019The European Banking Authority has published an Opinion on market approaches to payment authentication that will be deemed compliant with the new rules on strong customer authentication coming into force later this year.
The rules relate to the revised Payment Services Directive that has applied across the EU since January 13, 2018. The Payment Services Directive implements changes to EU payments markets with the aim of enhancing competition, facilitating innovation, protecting consumers, increasing security and contributing to a single payments market in the EU. Under the Payment Services Directive, the EBA was granted authority to establish Regulatory Technical Standards for "strong customer authentication" requirements for payments services providers, governing the process by which service providers authenticate the identity of customers. The RTS will apply across the EU from September 14, 2019.
The EBA has issued its Opinion in the wake of concerns about the readiness of payment services providers for compliance with the incoming RTS. The Opinion clarifies how existing authentication approaches satisfy the three limbs of strong customer authentication laid out in the RTS, which require customers to prove at least two out of three of the following: (i) knowledge (something only the user knows); (ii) possession (something only the user possesses); and (iii) inherence (something only the user is). Examples of strong authentication for each limb include:
- Knowledge: a password, PIN or knowledge-based response to challenges or questions; card details, a user ID or an email address would not constitute compliant knowledge elements;
- Possession: a device with means of confirmation of possession through receipt of a validation code or mobile apps and web browsers that require a unique connection between the customer's app or browser and the relevant device (for instance hardware crypto-security or registration);
- Inherence: behavioral biometrics relating to body parts and physiological characteristics, for instance retina and fingerprint scanning, face and hand geometry and voice recognition.
The EBA Opinion also grants some leeway for service providers that are not prepared for the September 14 implementation date, by allowing national authorities to grant a limited additional time period for migration to strong customer authentication approaches. This additional time period comes with the conditions that the relevant payment services providers have: (i) established a migration plan, (ii) agreed that plan with their national authority; and (iii) execute the plan on an expedited basis.
View the EBA's Opinion.
View details of the EBA's RTS.
Return to main website.