DiPP - E-payment: bringing the EU to the next level
Following rules adopted by the Commission on 27 November 2017 to afford consumers more choice to use innovative services offered by third-party providers (TPPs), the European Banking Authority and the European Central Bank have been busy developing regulatory technical standards (RTS) intended to inform the security measures and communication tools that banks and other payment services providers (PSPs) will have to put in place in due time.
Against this background, DIGITALEUROPE convened on 26 April 2018 a ‘Digital in Practice Programme’ workshop and enlisted the help of these distinguished experts to take stock of the latest developments:
Head of Unit, eGovernment & Trust, DG CONNECT
Special Counsel to David Robert, CEO, Aevatar
Director, Digital systems and means of payment, Fédération Bancaire Française
Director at DIGITALEUROPE
Steady, impressive progress
In order to allow businesses and consumers alike to make the most of continuing progress in digital technology, the EU has developed a coherent set of legislation that is being implemented according to plan and with due respect for Member States’ sovereignty. This regulatory framework allows whatever improvement technology has made possible to be readily enforceable. Continuing efforts that started in 2004 resulted in the eIDAS Regulation, the undercarriage of this legislative construct and the key enabler of e-trust, whereby the legal risk associated with online services – whether public or business – is successfully minimized. eIDAS is rightly seen as the accelerator of the digital transformation of trust-based business. Trusted authentication processes that are enforceable cross-border are indeed instrumental to delivering on the original vision. They afford both the reliability of a passport for identity checks and the digital versatility that allows for displaying strictly the credentials needed at one particular point, in the spirit of GDPR-style minimization. Critically for their effectiveness, they are enforceable in courts throughout the EU.
However, not all is perfect yet. National digital ID schemes deployed so far in 24 Member States are of no use for cross-border and interconnected transactions unless thorough interoperability is secured. Provisioning another single ID for e-payment isn’t going to create a European level playing field.
In France, the security side of PSD2 will kick in only in September 2019. APIs will not be certified by the Banque de France until then, which could be read by TPPs as an invitation to do without APIs for the sake of risk-avoidance: a core tool to build trust in the whole system will be missing as a result.
Sharing incumbents’ infrastructures has always been a major step when it comes to fostering more competition. In this instance, affording basic access to data related to their customers’ accounts free of charge does not come easy to banks. More generally, investment is a major issue. Assuming that ‘Know Your Customer’ (KYC) will cost €20 per user, the overall investment needed across the EU may reach €14bn by some reckonings: that’s €3,5m on average per bank operating in Europe. PSPs may think of mutualizing these costs, or of becoming part of a broader game by widening the scope of eID-assisted operations. For eID to take off massively, customers indeed have to get into the habit: the more actively it is used, the more effective eID is felt to be and the faster its uptake. Banks are therefore challenged to propose a variety of cases where eID can help. Asking how to multiply the use of eID and turn it into a catalyst for e-commerce raises the question of how to have the public and private sectors join forces on this front.
This is where standards come into play. Attribute Based Credentials (ABC) technologies apply to everyday life transactions: in instant payments, the transmission of an ABC-based, tokenized IBAN ensures secure transactions and preserves customers’ privacy ‘by design’; but they also suit eCommerce payment, cashless and checkless shopping, secure physical access to concert halls, sharing medical files for confidential online or on-site consultation, etc. FranceConnect (https://franceconnect.gouv.fr/) provides an interesting platform in this respect.
Technology to the rescue…
On the bright side, technology has been going the extra mile to build on the secure-ID legal framework made available by the EU and to reconcile transaction convenience and security, on the one hand, with the protection of personal data, on the other hand. There is no dearth of products and services that not only suit the RTS but also pass the ultimate test, that of markets increasingly driven by the much-vaunted ‘user experience’ (UX).
These three building blocks are worth considering when designing workable solutions:
– Embedded standard-compliant security and privacy technologies such as ISO-certified ABC. Such technologies, originating in the FP7-funded project ABC4Trust, paved the way for technology-driven law enforcement, earning kudos from CNIL or ANSSI for minimizing the exposure of personal data and avoiding possible leaks of re-identified information.
– Mainstream mobile UX application interfaces: ID security and data privacy systems and services must fit the craze for 24/7 mobile applications like Instant Messaging or chatbots which are great at “gamifying” KYC.
– Robust business models. Those behind KYC and SCA are in scarce supply. Combining PSD2 requirements with eIDAS regulatory certainty sounds like an invitation to adjust the suite of business offerings. Today, thanks to eIDAS, PSPs can indeed extend the consolidation of their KYC and SCA requirements to the whole of Europe, if not the world. This strategic move requires thinking “out of the box” and abandoning legacy models designed for small-scale user populations and silo-driven market segments.
In short, leading-edge digital technology supported by a robust EU-wide regulatory framework has set the appropriate scene to bring e-payments to the next level in our region of the world. It will take further fine-tuning through a collective effort by stakeholders in various Member States to implement the harmonized environment likely to enhance consumers’ trust and to boost e-payment-driven business throughout the EU. The Commission keeps improving its act: DG CONNECT, JUST and FISMA have convened an expert group to give a further hand to the process.