Preparing for Strong Customer Authentication and Open Banking (with or without Brexit)
As the final pieces of the jigsaw under the Second Payment Services Directive (PSD2) and the UK Payment Services Regulations (PSR) are now falling into place, payment services players need to prepare for the regulatory technical standards for strong customer authentication (SCA) and secure open standards of communication (RTS).
With the main implementation dates falling between January and September 2019, the UK Financial Conduct Authority (FCA) has issued a policy statement on its plans for bringing the RTS into force in the UK (PS 18/24) and its proposals on how to address the RTS in the event of a no-deal Brexit (CP 18/44).
Planning for RTS – third party providers and online payment accounts
As the RTS will affect banks, building societies and other payment service providers (PSPs), card schemes, retailers, consumers, micro-enterprises and credit unions, their impact will be wide-ranging. They will also affect those involved with "open banking", i.e. the newly regulated categories of account information services (AIS) and payment initiation services (PIS), collectively known as third party providers (TPPs). In addition, they will affect providers of online payment accounts, such as banks, who must give TPPs access to customers' payment accounts (with the customer's consent).
As a recap, under the RTS, PSPs will be required to use SCA for a wide range of online accounts and e-commerce payment transactions and for carrying out any action via a remote channel which may give rise to a risk of payment fraud or other abuse. So the net is spread widely.
In these cases, the PSP will have to apply SCA, typically in the form of two-factor authentication (selecting from elements characterised as knowledge, possession and inherence). Many PSPs will be keen to use one of the range of exemptions from the SCA requirements, such as the corporate payments or transaction risk analysis categories. When merchants select their PSPs, we can expect a greater focus on how the PSP will deliver a compliant (or exempt) solution and on how any non-compliance (or loss of exemption) will affect the risk balance between the parties under their payment services agreements.
Alongside SCA are the rules requiring TPPs to use common and open standards of communication when dealing with open banking activities. Here, customers first have to give their explicit consent to sharing account data or initiating a payment transaction. Secondly, the account servicing PSP must provide a secure communications channel.
Key dates to note include:
- 14 March 2019 – all account providers with payment accounts accessible online must meet the requirements to make available both technical specifications regarding their access interfaces, and testing facilities for TPPs
- 14 June 2019 – those seeking exemption from the requirements for a contingency mechanism (in case the dedicated access mechanism fails) should aim to submit their application for exemption
- 14 September 2019 – all PSPs must comply with SCA requirements
- 3 months ahead of using the corporate payments exemption – PSPs wishing to use this exemption should provide the FCA with the appropriate operation and security risk assessment information.
Clarifying the scope of RTS requirements
Following some feedback on its earlier consultation, the FCA has offered clarifications of certain important details of how it will apply the RTS.
Where SCA is required, the FCA will recognise that a combination of card details (evidencing possession) and another factor (such as knowledge or inherence) will amount to SCA. Equally, a one-time password will qualify as evidence of possession of the SIM card in a customer's mobile device.
Due to the new "dynamic linking" requirements for remote electronic payments, online retailers will no longer be able to charge an estimated amount to a customer's card where the final amount is yet to be confirmed. Instead, the retailer will need to look at alternative mechanisms, such as obtaining authorisation for a maximum amount, but charging the final amount when it is known.
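The RTS do not prescribe an algorithm for the dynamically linked authentication code, so the following is an added illustration (not the article's, the FCA's or any PSP's code) using an HMAC over payee and amount as a stand-in. It shows why a code obtained for an estimated amount cannot be reused for a different final amount, and how a maximum-amount authorisation followed by a lower capture avoids the problem; the key and payee identifier are constructed values.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed key standing in for the PSP's authentication key; not a real secret.
PSP_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_auth_code(key: bytes, payee: str, amount: Decimal, currency: str) -> str:
    """Return an authentication code bound to a specific payee, currency and amount."""
    message = f"{payee}|{currency}|{amount:.2f}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, payee: str, amount: Decimal, currency: str, code: str) -> bool:
    """Accept the code only if payee, currency and amount all match what was authenticated."""
    expected = issue_auth_code(key, payee, amount, currency)
    return hmac.compare_digest(expected, code)


def capture(authorised_max: Decimal, final_amount: Decimal) -> Decimal:
    """Settle the final amount against a maximum-amount authorisation."""
    if final_amount > authorised_max:
        raise ValueError("final amount exceeds the authenticated maximum; new SCA needed")
    return final_amount


def demo_estimated_vs_maximum() -> dict:
    """Compare the two retailer approaches to an amount that is not yet final."""
    payee = "CONSTRUCTED-RETAILER-01"  # constructed payee identifier
    # Approach 1: authenticate an estimated GBP 42.00, then try to charge GBP 45.10.
    code = issue_auth_code(PSP_KEY, payee, Decimal("42.00"), "GBP")
    estimated_ok = verify_auth_code(PSP_KEY, payee, Decimal("45.10"), "GBP", code)
    # Approach 2: authenticate a maximum of GBP 60.00, then capture GBP 45.10.
    max_code = issue_auth_code(PSP_KEY, payee, Decimal("60.00"), "GBP")
    maximum_ok = verify_auth_code(PSP_KEY, payee, Decimal("60.00"), "GBP", max_code)
    captured = capture(Decimal("60.00"), Decimal("45.10")) if maximum_ok else None
    return {
        "estimated_then_higher": estimated_ok,  # False: the link is broken
        "maximum_then_capture": maximum_ok,     # True: the link holds
        "captured": captured,                   # Decimal("45.10")
    }


if __name__ == "__main__":
    print(demo_estimated_vs_maximum())
```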
Where continuous payment authorities (CPAs) are set up to support recurring payment streams, SCA will be required only if the payer initiates the first payment with its PSP directly or via a payee. Thereafter, SCA would not be required. Of course, merchants should ensure that the CPA agreement with the customer clearly sets out the basis of the recurring payment authorisation.
Clarification is provided for the exemption based on transaction risk analysis (TRA). The reference fraud levels should be checked at least every 90 days. Some flexibility will be permitted in how the TRAs are calculated, especially for low-risk brands or products.
Impact of no-deal Brexit
If the UK leaves the EU without a withdrawal agreement, the FCA has proposed that the RTS will apply to the UK businesses, with a few refinements. This would allow the PSR requirements to be applied effectively after leaving the EU and would lead to a relatively smooth transition, at least in this respect. Comments on this proposal should be submitted to the FCA by 19 February 2019.
Fieldfisher's Payments and Cards team has been advising clients on PSD2 issues across Europe, including the impact of the RTS requirements and Brexit.