In this blog, Greg James simplifies the questions and answers provided by the EBA in their seven new Q&As on strong customer authentication and helps you to understand the impact, starting with those he believes are most consequential.
The EBA has released seven new Q&As on strong customer authentication (“SCA”). For so many questions to be answered at once is fairly atypical for the EBA but points to the continued difficulties arising from implementation. And while no longer directly relevant to UK payment service providers, the answers provide a steer as to how the implementing legislation (the RTS) could be interpreted in the UK, as well as being of interest to all payment service providers (“PSPs”) who have sister entities serving the EEA market.
- Using Trusted Beneficiary Lists to Auto Reject PISP Transactions
This question centred around not just SCA but its application to common and secure communication (“CSC”), commonly referred to as open banking. The question was, in essence, can an Account Servicing Payment Service Provider (“ASPSP”) block a Payment Initiation Services Provider (“PISP”) from instructing a payment if the beneficiary of that payment was not on a ‘trusted beneficiary’ list? However, the scenario presented in the question was more complex, and the EBA was asked whether an ASPSP could reject that payment if they relied solely on the trusted beneficiary exemption and could not send a payment under a standard or ‘pure’ SCA flow.
This is one of those tricky questions requiring the EBA to pick a side: either the PISP or the ASPSP is correct. In this instance, the EBA has sided with the PISPs, by judging that an ASPSP cannot rely on the trusted beneficiary exemption to limit PISPs’ functionality. As PISPs do not have the authority to create or amend trusted beneficiaries’ lists, this means that ASPSPs must establish this flow and can’t reject PISP payments based on this. This will have a material effect on the industry as many ASPSPs rely on the trusted beneficiary exemption in order to provide all their payments, and, in fact, do not have a flow for standard or ‘pure’ SCA – complete with dynamic linking. With this judgement, the EBA has effectively ruled that ASPSPs, under the scope of CSC, must establish a pure flow and cannot rely on the trusted beneficiary exemption entirely.
- Strong Authentication and OTPs
This has been a common question, especially amongst PSPs who deal majorly with corporate entities: can a one-time passcode (“OTP”) delivered via email be considered a compliant possession element under SCA?
The EBA does not give a clear answer on this, due to its position as being technologically neutral, so I will give them a hand… No, you can’t rely on OTPs delivered via mainstream email as a possession element. The EBA states that:
‘(i) where the email with the OTP is received by the payment service users and (ii) which have a unique connection with the device, could evidence possession and thus be considered as a valid factor in a two-factor strong customer authentication under PSD2’.
Popular email services utilised in the market today do not do this, and even if they did, it is the PSPs’ role to ensure the unique connection which is very difficult to perform considering how email currently functions. It is not impossible, but it is very likely that current iterations are not compliant.
- Perform SCA by reusing an element used in an authentication exempted from SCA
This question to the EBA asks whether a PSP could ‘reuse’ the initial security element at the payment stage as one of the two elements required for SCA in the scenario where the 90-day account information exemption has been applied.
The EBA has confirmed that in such a scenario, the password could be considered the first element for the payment with another element being applied at the payment stage. Realistically, however, this is a fairly complex workflow, especially considering dynamic linking, and is unlikely to turn many heads. Importantly, it reaffirms the position by the EBA that an element can be ‘reused’ from the log in stage and reapplied at the payment or exemption creation stage – meaning only one element is requested at the payment or exemption creation stage. The FCA is currently consulting, as part of its changes to the approach document, to maintain this principle of reusing elements thereby creating a more user friendly experience. However, it should be noted that the current FCA guidance is only in relation to payments and is not explicitly extended to exemptions.
- Transport and parking exemption for parking and electric vehicle charging
A PSP asked the EBA whether it could rely on the transport fares and parking fees exemption for payments taken for electric vehicle charging.
The EBA responded that there is no flexibility on the application of this exemption and said it could not be extended to electric car charging but pointed to alternative exemptions, such as contactless payments, that could be used.
This is a good point to note that the contactless payments exemption will become much more versatile in the UK if the FCA consultation to increase the SCA limit follows through and raises the threshold to £100 or even £120 (from £45).
- Payment Initiation Scope and Trusted Beneficiaries
An anonymous respondent asked the EBA whether there was any limit on the type of account to which the trusted beneficiaries exemption could be applied: in other words, whether the fact that a trusted beneficiaries account may not be a payment account would discount it from the trusted beneficiary exemption.
The EBA clarified that there is no limit on the types of accounts that can be included in the trusted beneficiaries list and therefore non-payment accounts can be registered as trusted beneficiaries. This is not particularly surprising; however, it is worth highlighting that in order to set up a trusted beneficiary, SCA has to be applied at the creation point so doesn’t exclude the application of SCA completely.
- Ability of static card data to be considered a possession factor
It seems that the industry could not ignore the opportunity to question the EBA again on whether the static card elements printed on the debit card could be considered a possession or knowledge factor under SCA. This has been a sticking point for the industry as discounting the static card element as a compliant element has created issues in the e-commerce space.
I am admittedly surprised that the EBA answered this question, this has previously been answered back in 2019. The card details are not considered possession factors due to the fact they are not dynamic.
- SMS OTP and credit card as a two authentication factor
A slightly different question to that above, however the industry again explored the static elements of the card being considered a compliant element and sought clarification on the EBA’s position on OTPs sent via SMS. The question was, effectively, whether a PSP could consider a credit card and OTP sent via SMS as SCA.
As above, static credit card detail cannot be considered a possession element. However, this is not the only reason this flow fails to comply with SCA, but also the fact that a PSP must use two different types of element. In this scenario, the credit card would be possession and the SMS via OTP would be possession as well; this would not be acceptable even if the EBA accepted that static card elements are compliant. This determination has caused issues with SCA in the e-commerce space and the EBA shows no sign of backing down here.
If you require any advice or guidance on this topic, then please do not hesitate to contact me, or any of the team, at fscom.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.