The European Commission has finally adopted the RTS under PSD2 on strong customer authentication (SCA) and common and secure open standards of communication. The key purpose of the RTS is to create stringent security procedures to reduce payment fraud levels and protect confidential data. The key requirement is that at least two independent authentication elements be used before any payment can be made. In some cases, a code unique to the transaction will also be required, while in others there can be exemptions where the risk of fraud is low (such as low-value contactless payments, and payments at unattended machines for parking fees and similar). The RTS are not prescriptive as to what these elements must be, although the Commission suggests a physical item together with a password or biometric feature. The RTS also set out the standards for communication between banks and fintechs, to more closely regulate the provision of payment initiation and account information services, which fall to be regulated for the first time under PSD2. The Commission notes that “screen scraping” will no longer be possible, and that banks must put in place a communication channel that allows third-party PSPs to access customer data.
These RTS have been controversial. The Commission has made what it called “limited substantive amendments” to the EBA’s draft.
The use of SCA will be mandatory 18 months after the RTS are published in the Official Journal, which the Commission says will be September 2019.