EBA publishes PSD2 authentication RTS

On 23 February, EBA published its final draft RTS on strong customer authentication and common and secure communication under PSD2. EBA heralded the publication as having had to address “difficult trade-offs between the various, at times competing, objectives of the PSD2”. It received a huge number of responses to its consultation, which identified around 300 separate issues. It has responded to each concern, explaining whether it has made changes from the draft RTS as a result. The key changes relate to:

  • exemptions from the need to apply strong customer authentication: EBA has introduced new exemptions based on (a) transaction risk analysis, linked to a pre-defined level of fraud and (b) payments at unattended terminals for transport or parking fares;
  • increasing the threshold for remote payment transactions from €10 to €30 and removing references to ISO 27001 and other specific characteristics of strong authentication. EBA says this is to make the RTS technology-neutral;
  • requiring ASPSPs that use a dedicated interface to provide the same level of availability and performance as they give to their own customers, and respond immediately to PISPs on whether a customer has the funds to make a payment. However, EBA has kept the obligation for ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information.

The Commission now needs to consider the RTS and, if it agrees with it, adopt it. The RTS will apply 18 months after adoption.