
Strong Customer Authentication (Commission Delegated Regulation (EU) 2018/389 – Regulatory Technical Standards for Strong Customer Authentication) is applicable from the 14th September 2019. Some Credit Unions are working with IT Providers and IT User Groups in consideration of Strong Customer Authentication (SCA). You will also be familiar with the email that circulated from the Registry of Credit Unions attaching a letter from the Deputy Registrar, David Kielty, in relation to an exemption (under Article 17) and the relevant dates by which applications for the exemption should be made, etc.

The exemption under Article 17 relates to Secure Corporate Payment Processes and Protocols. Neither legal document (PSD2 nor the 2018 Regulations) provides a definition or clarification as to the interpretation of secure “Corporate Payment Processes and Protocols”. The application of the exemption and the wording of the email and letter from the Registry of Credit Unions are causing considerable confusion amongst Credit Unions. CUDA has carried out considerable research in determining the meaning of secure “Corporate Payment Processes and Protocols” and the types of arrangements with a member (i.e. a “non-consumer” member) that would likely fall within the exemption. It was apparent to us that, despite the optimistic nature of the email and letter from the Registry, the exemption would be applicable to a very small minority of members, if any at all.

Credit Unions have taken different interpretations. CUDA has raised the matter in person with the Registrar and his team. It was agreed that it is very unlikely that Credit Unions would have processes or protocols in place with any of their non-consumer members, which would be corporate members transacting corporate payments that have no one-to-one relationship with an individual person (i.e. payments initiated electronically through dedicated payment processes or protocols that are not available to consumers). The RCU added that it is not their expectation that they will receive applications, as the exemption is simply not relevant to Credit Unions.

It is important that Credit Unions (and the User Groups) have the discussion relating to the content of the RCU email and letter from Dave Kielty, in order that IT Providers can be appropriately instructed. However, it would be our view that Credit Unions should not get side-tracked by the letter or the deadline set out therein.

Please find attached PSD2 post from the 12th June 2019 Info Briefing:

Additional PSD2 Regulatory Requirements

Finally, on 21st June 2019, the EBA issued further direction on SCA (“Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2”). There are some points in the document that you may find helpful, especially the examples around what are adequate security measures under the categorisations set out in the RTS (i.e. two of the following measures must be met – two factor authentication):

  • Knowledge (something only the payer knows) – length and complexity required;
  • Possession (something only the payer possesses) – such as algorithm specifications, key length and information entropy;
  • Inherence (something the payer is) – such as algorithm specifications, biometric sensor.

The RTS takes effect on the 14th September 2019. PSD2, the RTS and the EBA Opinion can be found on CUSP. If you have any queries on this please do not hesitate to contact us (elainelarke@cuda.ie).