01 Jan 2015

Follow-up cross-industry letter to Commissioner Dombrovskis re EBA strong authentication standards

Dear Vice-President Dombrovskis,

We are writing to you regarding the European Banking Authority’s (EBA’s) final draft Regulatory Technical Standards (‘draft standards’) on Strong Customer Authentication and Secure Communication, under the revised Payment Services Directive (PSD2). The draft standards are currently being examined by the European Commission.

Our coalition represents a range of sectors and key players in the payments value chain. We welcome the changes made by the EBA as a result of a constructive dialogue with the industry and MEPs to address their significant concerns. In order to promote secure payments in the EU, while safeguarding the growth of e-commerce and the Digital Single Market, we call on the European Commission to accept the positive changes proposed by the EBA but also to work with the EBA to modify the draft standards to address the points outlined below.

Firstly, we commend that the EBA has now acknowledged a Transaction Risk Analysis (TRA) which reflects the industry’s existing best practice to effectively prevent fraud in online payments through a risk-based approach. This approach guarantees high levels of security, whilst allowing for a frictionless experience for customers shopping online. The draft standards allow banks and payment service providers (PSPs) to perform the TRA, while the role of merchants is not explicitly acknowledged. Merchants have unique data points which provide essential warning signs to prevent fraud, for example information on customer behaviours, browsing and purchasing patterns. Any omission of merchants from the TRA would be a missed opportunity to improve security and reduce fraud.

Secondly, we support the EBA’s move towards a results-oriented approach by allowing those with lower fraud rates to waive Strong Customer Authentication up to a certain transaction value. This approach may also be applied for consecutive contactless transactions. Nevertheless, the EBA’s approach raises several questions, for instance as to how the fraud thresholds for the transaction amounts are calculated or the evidential basis on which they were set. More consideration needs to be given to selecting appropriate reference fraud rate(s) which industry can support with useful data.

We appreciate that the EBA has had to develop a position on these complex issues to a very tight deadline that precluded a full consultation with impacted stakeholders on concrete technical details. While further modifications are necessary, we believe that seeking additional clarity on the EBA draft standards through industry bodies and industry guidance will be more effective than attempting to amend significant portions of the draft text. Industry players are ideally placed to assist in resolving these practical issues which are crucial for effective implementation and delivery of the key legislative objective – a reduction in fraud rates. We fear that a prolonged debate may only create further uncertainty and confusion for consumers and businesses.

We would therefore encourage the Commission to host a multi-stakeholder workshop to discuss in more detail how the current draft standards could be improved on Strong Customer Authentication. There is significant willingness across the industry to work collaboratively to develop the standards in a constructive way for the reduction of fraud and the best possible implementation of the PSD2.

In conclusion, while there are some areas that require clarification and change, we broadly support the key principles and aims of the draft Regulatory Technical Standards. We urge the European Banking Authority, the European Commission, the European Parliament and the Council of the EU to seek a conclusion that doesn’t materially change these principles, whilst working with the industry to ensure that the standards are workable, measurable and enforceable.

The undersigned 19 European and national organisations representing e-commerce, small merchants, start-ups, ICT and digital technology, payments and FinTech, cards, and leisure and travel industries.
