Additional PSD2 Regulatory Requirements

Commission Delegated Regulation (EU) 2018/389) – Regulatory Technical Standards for Strong Customer Authentication and common and secure open standards of communications (the “RTS”) comes into effect from 14th September 2019. However, exemptions from the requirements to apply Strong Customer Authentication are available to Payment Service Providers (“PSP”) in certain circumstances. 

Article 97, PSD2 provides that a PSP will apply Strong Customer Authentication where the payer: 

  1. accesses its payment account online,
  2. initiates an electronic payment transaction or
  3. carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.

The purpose of the RTS is to reduce the risk of fraud. It expands on the requirements that must be adhered to by Payment Service Providers (PSPs) for the purpose of implementing security measures which enable them to apply the procedure of Strong Customer Authentication in accordance with Article 97 of Directive (EU) 2015/2366 (i.e. PSD2).

Strong Customer Authentication means adequate security measures and features founded on the use of two to more of the following categorisations:

  • Knowledge (something only the payer knows) – length and complexity required;
  • Possession (something only the payer possesses) – such as algorithm specifications, key length and information entropy;
  • Inherence (something the payer is) such as algorithm specifications biometric sensor.

The RTS provides that the security features can be done through the generation of authentication codes which are subject to a set of strict security requirements. Examples of authentication codes include:

  • one-time passwords
  • digital signatures
  • other cryptographically underpinned validity assertions using keys or other cryptographic material stored in the authentication elements

The generation of an authentication code should be resistant against the risk of being forged in its entirety or by disclosure of any of the elements upon which the code was generated (Recital 1).

The authentication/security procedure ought to include transaction monitoring mechanisms to detect attempts to use a payment service user’s personalised security credentials that were lost, stolen, or misappropriated. It should also ensure that the payment service user is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credentials.

Article 98, PSD2 (and Article 1(b), RTS) allows for exemptions to SCA based on the following:

  • Level of risk involved in the service provided
  • The amount, the recurrence of the transaction, or both
  • Payment channel used for the execution of the payment transaction

The RTS specify exemptions that fall under one or all of these three grounds in Articles 10-18.    

The Central Bank of Ireland invites Credit Unions to apply for an exemption to the application of the requirements under the RTS (letter to Primary Contact, dated 17th May 2019). The CBI further prompt that the exemption should be made under Article 17, RTS. Article 17 provides:

Secure Corporate Payment Processes and Protocols

Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by Directive (EU) 2015/2366.

In order to apply for the exemption, the Credit Union must be able to satisfy the following criteria:

  1. The processes/protocols identified are used in respect of payment transactions initiated by legal persons that are only made available to payers who are not consumers;
  2. A transaction monitoring mechanism must be in place. Credit Unions should also retain information on the fraud rate levels applying to the processes/protocol;
  3. A secure communication mechanism must be in place that complies with the RTS (including encryption and maintaining the confidentiality and integrity of the payment service users’ personalised credentials); and
  4. A secure authentication mechanism must be in place which guarantees at least equivalent levels of security to those provided for in the RTS, to ensure that the risk of authentication carried out by an unauthorised party is mitigated.

CUDA understands that gap analysis and/or enhancements are currently ongoing through T user groups and their respective IT providers. Credit Unions who wish to avail of the exemption under Article 17 are required to submit a list of processes/protocols what will be applied to the exemption, along with written confirmation, signed by the Chair, that those processes/protocols meet the above criteria.

The RTS takes effect on the 14th September 2019. In order to avail of the Article 17 exemption by this date, Credit Unions must simit the required information to their RCU supervisor via secured file upload by 14th August 2019.

Further information can be found in Article(s) 97-98, PSD2 and Article 17, RTS. Both documents can be found on CUSP. Alternatively, if you have any queries on this please do not hesitate to contact us (elainelarke@cuda.ie).