European Authorities Approve PSD2 Technical Standards

Controversial EU-wide regulatory technical standards on strong authentication and third-party account access have been formally approved and will take effect in September next year.

Sources at the European Parliament and the European Council each confirmed to PaymentsCompliance that this week's deadline for raising objections to the standards passed with neither institution objecting or requesting an extension.

The standards act as secondary legislation to the revised Payment Services Directive (PSD2), itself already in effect and transposed in several member states.

“The objection period expired [on Tuesday] with the Council raising no objections,” a European Council spokesperson said.

“As the regulatory technical standards have also been approved by the European Parliament, it will be published on March 7.”

A parliament spokesperson confirmed that no objections were raised by MEPs.

Publication in the Official Journal of the EU on March 7 would make the standards apply from September 9, 2019, the first Monday after the 18-month transition period ends.

The final text will be that published by the European Commission in late November.

Despite the long lead-in period, however, there are certain provisions that will require attention from payment providers beforehand.

For instance, one of the most disputed aspects of the text has been the framework around dedicated interfaces (APIs), which banks develop to give authorised third-party providers secure access to customer accounts without the customer's bank login credentials.

The initial draft standards suggested that existing access models, which relied on consumers sharing their bank login credentials with third parties (commonly called screen scraping), would no longer be allowed and that all access would have to go through a dedicated interface.

But after third parties complained that would give too much power to banks, giving them an opportunity to restrict their competitors’ activities, a compromise was proposed allowing credential sharing to continue if an interface failed to function adequately.

Eventually, after months of disputes between banks and third parties, the European Commission decided that the back-up access model would remain in place as a fallback, unless a national authority assesses a bank's dedicated interface and exempts the bank from providing that fallback.

Part of that approval process involves a minimum of six months of market testing, including three months of the interface being "widely used" by third-party providers. That means that to benefit from the exemption from the back-up access model, a bank would need to have its dedicated interface running by March 2019 at the latest.

Further unresolved issues, such as stopping credential sharing by redirecting a third party’s customer to their bank’s website, are to be addressed in the API Evaluation Group backed by the European Commission and European Central Bank.

The European Banking Authority has also said it will join that group as an observer once the standards are published in the journal, although two meetings have already taken place.

Another critical aspect of the technical standards is the introduction of tough authentication rules for remote transactions, such as e-commerce payments.

Strong customer authentication, meaning at least two independent factors, is required on all remote electronic transactions of more than €30, unless the payment provider's fraud rates are below certain thresholds that permit a transaction risk analysis exemption.

Those fraud-rate thresholds become progressively stricter for higher-value payments, and no exemption is available above €500: strong authentication is required on all remote payments of more than that amount.

A study by Accenture published last year concluded that very few existing models, such as Apple’s TouchID mechanism, would be compliant with the standards.

Some European authorities have suggested that two-factor authentication will effectively become the norm, forcing payment and technology firms to find ways of streamlining the process so that the customer journey remains relatively straightforward.

However, other legal and technical issues remain, including questions about how issuers and acquirers will communicate and whether an exemption for trusted beneficiaries is available to all categories of payment provider.
