Letter to Commissioner Dombrovskis on the European Banking Authority's strong authentication standards

Dear Vice-President Dombrovskis,

We are writing to you collectively from across various sectors and all players in the payments value chain with regard to the European Banking Authority’s (“EBA”) proposed draft Regulatory Technical Standards (“standards”) on Strong Customer Authentication (“strong authentication”) and secure communication, under the revised Payment Services Directive (PSD2). We fully support the aims of the PSD2 to ensure fair competition, innovation and security in the payment services sector. The PSD2 and the EBA standards are important steps towards a Digital Single Market (DSM) in Europe. We endorse the objectives of the standards and appreciate the difficulty the EBA has faced in trying to find the right balance between security and customer convenience. However, we have strong concerns that if the EBA’s standards were implemented in their current form, it would create unnecessary hurdles for a number of different industries, especially e-commerce.

We believe that the EBA diverges from its mandate under the PSD2 by not allowing for the risk-based approach to authenticate customers and authorize transactions to avoid fraud. The PSD2 under article 98 requires an exemption from strong authentication based “on the level of risk involved in the service provided”. We would encourage the EBA to introduce more flexibility within its standards to support the industry with all of the positive work that has been achieved in combatting fraud through risk-based approach. A reduction in fraud rates in the EU confirms that the industry has actively worked to manage fraud well through this approach as the move to digital commerce has massively expanded in the past few years. A recent study1 shows that in the UK and France combined, fraud rates for online transaction value of cards issued have declined at an average rate of 13.5% per year, an overall decline of 51%. Online fraud rates at single country level confirm this downward trend.

We are fully aligned with regulatory objectives to reduce fraud to the lowest possible level which is in the interest of all parties in the payments chain. Our concern is that by choosing a very blunt approach and disregarding some of the highly innovative approaches to authentication and risk management – which are already demonstrably working in the market – this goal will not be achieved and the consequences will be highly disruptive. Today, a riskbased approach enables the merchant and the Payment Service Provider (PSP) to combine consumer intelligence and security decisions by analysing dozens of elements. For example, if you enter a website to purchase a product, the merchant may recognise your transaction as low risk because you are a regular returning customer to whom they have previously and successfully provided a service or delivered a product, or a PSP may recognise that you have previously purchased from that site using that particular computer or mobile device. Whereas uncharacteristic or unusual behaviour – such as changes to the customer’s personal or security details in the online account – would trigger additional checks.

A risk-based approach also enables the appropriate party – be it the merchant, the card issuer or the PSP – to implement the right decision for their business and their customers. If it fails, the consumer is fully protected, unless proven to act fraudulently or with gross negligence. The industry has worked very hard to ensure that customers do not become the victim of fraud. Consumer confidence and payment security are an essential part of our businesses. Nevertheless, we must also keep the customer experience frictionless. A consumer survey by Populus found that 61% of consumers would abandon their purchases if supplementary steps were added to the checkout process. This would be particularly damaging for small merchants who need every sale they can get and who are key to the further growth of the e-commerce sector in Europe.

Currently, the EBA is taking a more prescriptive approach by mandating strong authentication for all remote payment transactions over 10 euros, regardless of their risk. Strong authentication is a process which typically requires the customer to authenticate a payment by using two elements, for instance by utilizing additional codes generated through their card reader or received on their mobile device. Strong authentication may make sense for some payments which have a higher transactional risk. However, for low-risk transactions (which are not necessarily low value), strong authentication introduces disproportionate and unnecessary friction to the customer shopping experience.

This will make online shopping much more onerous than it is today and have a wider and chilling effect on the DSM. It will have a negative impact upon a wide variety of industries, in particular SMEs, FinTech and other start-ups. At the same time, it will not improve overall security. Institutionalizing a single method of authentication over many different and innovative ways of authenticating the customer will potentially make transactions more prone to fraud as fraudsters are more likely to effectively target rigid rules that do not evolve quickly. Moreover, European PSPs may be forced to decline payments by European customers on foreign websites which do not offer strong authentication. This will result in an increase in consumer harm by reducing customer trust in their payment methods, the choices open to them and restricting competition.

We therefore urge the European Commission to work with the EBA to incorporate in their draft standards a resultsoriented and technology-neutral risk-based approach, as detailed in the Annex, rather than a threshold-based technology-specific approach. The risk-based approach will foster a continued decline in fraud for the benefit of all stakeholders and the European economy alike, without enforcing hard rules that would stifle sales and significantly impact the consumer shopping experience. We are committed to cooperating with the relevant authorities to demonstrate our effectiveness in preventing fraud.

The undersigned 39 European and national organisations representing e-commerce, small merchants, start-ups, ICT and digital technology, payments and FinTech, cards, telecoms, foreign trade, and leisure and travel industries