PSD2 - The SPA Position - January 2016
The PSD2 constitutes the core of the regulatory framework that is intended to re-shape the EEA retail payments market according to the SEPA objectives. The SPA views the publication of PSD2 as an inevitable next step forward, following the introduction of PSD1 to facilitate the entry of non-banks into the retail payments market. Expanding the scope of PSD1, PSD2 includes new categories of regulated Payment Service Providers, the so-called Third Party Payment Providers. The adoption of innovative payment instruments is also encouraged by enhancing consumer protection provisions.
In that regard, the publication of PSD2 reinforces the recent market trend of technology providers offering emerging payment services. Moreover, the Interchange Fee Regulation, which complements the PSD2 for card payments, may substantially change card payment market structures, promoting the use of debit cards and incentivizing the deployment of instant payment instruments and systems.
This document is not intended to provide a comprehensive assessment of all the remits and chapters contained in PSD2, but focuses on aspects of PSD2 that have an impact on the security of transactions and provides a brief overview of certain competition issues.
Competition issues for new financial intermediators
Fair competition requires effective access by new non-bank players to systems and platforms controlled by the banking sector. These infrastructures are necessary to transfer funds in an efficient and safe way. But if these existing infrastructures are to be shared, then a higher level of collaboration between banks and non-banks will be needed to identify sustainable business models, increase revenue for banks, and enable non-banks to gain some market share. This issue was recently highlighted by the SPA during the Green Paper public consultation, and we understand that this challenge may represent a source of innovation.
If banks and non-banks fail to share trusted infrastructures, then there is a risk that these new players might well use the communication capabilities of open networks to design their own payment circuits. Should this happen, parts of the transaction processing are likely to be outsourced to agents and other intermediaries, whose activity will be difficult to monitor and control. Whatever the market evolution, the banking sector will have to react to maintain its dominant position as financial intermediary for payments. Both defensive and active strategies were debated at the conference held by the European Central Bank in Helsinki last June.
On the other hand, the development of a market for Third Party Payment service providers (TPPs) requires an interoperability framework for communication between a regulated TPP and any Account Servicing Payment Service Provider (ASPSP). This interoperable framework will require the development of new standards, including the specification of an API for TPP services. And, because interoperability drives security, a security architecture is also needed. This security architecture should pay critical attention to the authentication of the entities participating in the transaction using specific credentials. That means ensuring that authentication credentials are used exclusively for the purpose for which they were issued.
Is security properly addressed by the PSD2?
The PSD2 provides a legal definition for strong customer authentication. Unfortunately this definition represents a step back, compared to the more rigorous version proposed in the guidelines on security of internet payments issued by the European Banking Authority. The SPA considers that the requirement to make it impossible to replicate one of the factors involved in the strong authentication process was an important one, which has been removed in the PSD2.
From a security engineering perspective, the problem of securing the communication channels established between the customer, the TPP and the ASPSP is challenging. In particular, the TPP should not be authorized to use the authentication credentials issued by the ASPSP to impersonate the customer. But the formulation of recital (30) is somewhat ambiguous in this regard and should be further clarified.
The SPA believes it should be clearly set out that (1) the TPP must authenticate the customer, using the credential issued by the TPP to the customer for that purpose or redirecting him/her to the ASPSP; (2) the TPP must provide the customer with a mechanism to ensure that he/she effectively connects to the intended TPP; (3) the TPP must authenticate to the ASPSP using its own credentials recognized by the ASPSP; and (4) the TPP must submit the authorization credential from the customer, proving that the customer effectively initiated the transaction. The basic principle enshrined here is that the customer should never have to share personal security credentials with third parties, including the TPP. This is a key requirement, as it ensures the security of the customer in the e-banking environment by mitigating the risk of customer impersonation.
Article 66 of the PSD2 authorizes the TPP to convey the customer authentication credentials issued by the ASPSP. But the text should be more precise on this point, making it clear that a dynamic proof of the authorization of the customer is required at the time a TPP connects to the ASPSP on behalf of the customer. Furthermore, access to authentication credentials issued by the ASPSP should not be possible for the TPP. This condition should apply both for payment initiation services and account information services offered by the TPP.
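The following is an added illustration, not part of the SPA position paper, of the four requirements above and the "dynamic proof" argued for under Article 66: the customer authenticates only to the ASPSP (redirect model), the ASPSP issues a short-lived proof bound to one TPP and one transaction, and the TPP presents that proof under its own registered credential. The TPP identifier, the password, the payee string and the HMAC-based signing are constructed for the example; a production scheme would use PKI and the standards the paper refers to.

```python
import hmac, hashlib, json, secrets, time

ASPSP_KEY = secrets.token_bytes(32)                # ASPSP secret for signing authorization proofs
TPP_KEYS = {"tpp-demo": secrets.token_bytes(32)}  # TPP credentials registered at the ASPSP (constructed)
CUSTOMER_PWD_HASH = hashlib.sha256(b"customer-secret").hexdigest()  # only the ASPSP ever holds this
_used_nonces = set()                               # makes each proof single-use (dynamic, not replayable)

def _sign(key, payload):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def aspsp_authorize_customer(password, tpp_id, amount, payee, ttl=120):
    """Requirement (1), redirect variant: the customer proves the ASPSP-issued credential
    directly to the ASPSP and receives a proof bound to this TPP and this transaction.
    The TPP never sees the password."""
    if hashlib.sha256(password.encode()).hexdigest() != CUSTOMER_PWD_HASH:
        return None
    proof = {"tpp": tpp_id, "amount": amount, "payee": payee,
             "exp": time.time() + ttl, "nonce": secrets.token_hex(8)}
    proof["sig"] = _sign(ASPSP_KEY, {k: v for k, v in proof.items() if k != "sig"})
    return proof

def tpp_submit(tpp_id, proof, amount, payee):
    """Requirements (3) and (4): the TPP signs the request with its own credential and
    forwards the customer's proof. There is no field for customer credentials at all."""
    request = {"tpp": tpp_id, "amount": amount, "payee": payee, "proof": proof}
    return request, _sign(TPP_KEYS[tpp_id], request)

def aspsp_execute(request, tpp_sig):
    """ASPSP side: authenticate the TPP first, then verify the customer's dynamic proof."""
    tpp_key = TPP_KEYS.get(request["tpp"])
    if tpp_key is None or not hmac.compare_digest(_sign(tpp_key, request), tpp_sig):
        return "rejected: TPP not authenticated"
    proof = dict(request["proof"]); sig = proof.pop("sig", "")
    if not hmac.compare_digest(_sign(ASPSP_KEY, proof), sig):
        return "rejected: invalid customer proof"            # tampered or forged proof
    if (proof["tpp"], proof["amount"], proof["payee"]) != (request["tpp"], request["amount"], request["payee"]):
        return "rejected: proof not bound to this TPP/transaction"
    if proof["exp"] < time.time() or proof["nonce"] in _used_nonces:
        return "rejected: expired or replayed proof"
    _used_nonces.add(proof["nonce"])
    return "executed"
```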
Despite the above observations, the SPA believes that overall the PSD2 incentivizes the use of security standards; but at present, the level of security achieved will rely on the appropriate implementation and certification of the specific solutions that have been laid down. In this respect, the SPA considers that implementation should rely on a standard authentication framework, in which a new role such as a global certification authority could be regulated. This framework should be based on open standards already developed by ISO. Finally, account consultation services should be closely monitored, and the risk of leakage of personal financial information, such as the payment account balance, should be strictly controlled. The information provided by the ASPSP should therefore be encrypted in such a way that only the customer can access it.
On the European Banking Authority Regulatory Technical Standards
The SPA welcomes the decision by the EU regulatory authorities to complete, according to Article 98, the legal provisions set out by the PSD2 with regulatory technical standards to clarify key technical aspects. This approach enables the participation of vendors in the current regulatory developments. In that respect, the SPA confirms its commitment to contribute to the public consultations launched by the European Banking Authority and to facilitate the harmonization of implementations compliant with the PSD2.
The entry of new actors into the retail payments market is facilitated by the increasing use of public networks to process transactions and by new payment instruments. The SPA has consistently pointed out that the well-established security practices of the financial sector should not be undermined by the opening of the retail payments market to new actors. The impact of the PSD2 evolution on the payment market structure remains at present largely uncertain and may also depend on the specific ways in which member states transpose the PSD2 into national law.
In this respect, the PSD2 focuses on three types of complementary provisions to minimize risks that, in our opinion, go in the right direction:
1. It extends the scope of the directive to entities which at present remain unregulated, achieving legal certainty;
2. It provides a first legal definition for strong customer authentication and announces a regulatory technical standard for the implementation of strong authentication mechanisms; and
3. It promotes the adoption of new payment methods by enhancing protection of the consumer. If a payment service provider fails to strongly authenticate the customer, the PSD2 states that it will bear the financial losses due to fraud.
The "technological neutrality" principle of the PSD2 does not mean that all technologies are equally able to mitigate well-known threats. In that regard, the Smart Payment Association reminds all stakeholders that the security concepts implemented for card payment systems have consistently proven their ability to reduce fraud to almost zero. The regulatory technical standard on strong authentication represents an opportunity to clarify some of the above aspects, so that security practices are harmonized across the EU.