Below are the main highlights of the EBA's final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication under PSD2, published on 23 February 2017.
1) Screen scraping is no longer allowed
The EBA interprets the security requirements under PSD2 as meaning that third-party providers (TPPs) will no longer be able to screen scrape. The EBA understands screen scraping as a way for a payment initiation service provider (PISP) to access the customer's online account by pretending to be that customer, typically by submitting the customer's own credentials to the bank's customer-facing website with automated browsing software. The security point is that the TPP cannot be distinguished from the customer by the account-servicing PSP; under the RTS the TPP must instead identify itself to the account servicer and access the account through an interface it provides. The EBA disagrees with the suggestion of some respondents that not allowing screen scraping would be against the principle of non-discrimination.
2) Card-on-file solutions are out of scope of PSD2
It is the EBA's understanding that card-on-file solutions and their providers are not within the scope of PSD2 and therefore not within the scope of these RTS. Providers of card-on-file solutions are not payment service providers (PSPs) in the sense of PSD2, unless the provider also conducts other activities that are within the scope of PSD2 and is therefore regulated for that purpose.
3) A transaction risk analysis (TRA) exemption from SCA is now allowed (up to a maximum transaction value of EUR 500)
The EBA agrees with the view expressed by respondents that a risk-based approach, including the ability to conduct detailed transaction risk analysis (TRA) and fraud monitoring, is essential to achieve the objective under PSD2 of reducing overall fraud. Consequently, the EBA arrived at the view that, in accordance with Article 98(2)(a) PSD2, an exemption based on such an analysis should be added in a new Article 16 of the RTS. The RTS also reiterate, in a new Article 2, the importance of risk and fraud monitoring in general as a necessary complement to the principle of SCA laid down in PSD2.
4) Merchants cannot apply the TRA exemption from SCA
The EBA also explains in rationale 24 that its interpretation of PSD2 suggests that the TRA exemption from SCA can be applied by the payee's and payer's PSPs, but not by the payer or the payee themselves. The liability rules also suggest that the payer's PSP should have the last say on whether or not the TRA exemption is used for a specific transaction.
5) PSPs that want to apply the TRA exemption from SCA will have to track fraud rates and be audited
The RTS now require PSPs to monitor all of their fraud rates as well as the performance of the TRA method used, which must additionally be independently assessed by qualified auditors. Furthermore, the PSP must report any change related to the use of this exemption to the national competent authorities.