04 May 2017

Follow-up cross-industry letter to Commissioner Dombrovskis re EBA strong authentication standards (April 2017)


Dear Vice-President Dombrovskis,

We are writing to you regarding the European Banking Authority’s (EBA’s) final draft Regulatory Technical Standards (‘draft standards’) on Strong Customer Authentication and Secure Communication, under the revised Payment Services Directive (PSD2). The draft standards are currently being examined by the European Commission.

Our coalition represents a range of sectors and key players in the payments value chain. We welcome the changes made by the EBA as a result of a constructive dialogue with the industry and MEPs to address their significant concerns. In order to promote secure payments in the EU, while safeguarding the growth of the e-commerce and the Digital Single Market, we call on the European Commission to accept the positive changes proposed by the EBA but also to work with the EBA to modify the draft standards to address the points outlined below.

Firstly, we commend that the EBA has now acknowledged a Transaction Risk Analysis (TRA) which reflects the industry’s existing best practice to effectively prevent fraud in online payments through a risk-based approach. This approach guarantees high levels of security, whilst allowing for a frictionless experience for customers shopping online. The draft standards allow banks and payment service providers (PSPs) to perform the TRA, while the role of merchants is not explicitly acknowledged. Merchants have unique data points which provide essential warning signs to prevent fraud, for example information on customer behaviours, browsing and purchasing patterns. Any omission of merchants from the TRA would be a missed opportunity to improve security and reduce fraud.

Secondly, we support the EBA’s move towards a results-oriented approach by allowing those with lower fraud rates to waive Strong Customer Authentication up to a certain transaction value. This approach may also be applied for consecutive contactless transactions. Nevertheless, the EBA’s approach raises several questions, for instance as to how the fraud thresholds for the transaction amounts are calculated or the evidential basis on which they were set. More consideration needs to be given to selecting appropriate reference fraud rate(s) which industry can support with useful data.

We appreciate that the EBA has had to develop a position on these complex issues to a very tight deadline that precluded a full consultation with impacted stakeholders on concrete technical details. While further modifications are necessary, we believe that seeking additional clarity on the EBA draft standards through industry bodies and industry guidance will be more effective than attempting to amend significant portions of the draft text. Industry players are ideally placed to assist in resolving these practical issues which are crucial for effective implementation and delivery of the key legislative objective – a reduction in fraud rates. We fear that a prolonged debate may only create further uncertainty and confusion for consumers and businesses.

We would therefore encourage the Commission to host a multi-stakeholder workshop to discuss in more detail how the current draft standards could be improved on Strong Customer Authentication. There is significant willingness across the industry to work collaboratively to develop the standards in a constructive way for the reduction of fraud and the best possible implementation of the PSD2.

In conclusion, while there are some areas that require clarification and change, we broadly support the key principles and aims of the draft Regulatory Technical Standards. We urge the European Banking Authority, the European Commission, the European Parliament and the Council of the EU to seek a conclusion that doesn’t materially change these principles, whilst working with the industry to ensure that the standards are workable, measurable and enforceable.
