A different perspective on the EBA PSD2 RTS

On Friday the 24th of Feb, the European Banking Authority (EBA) released the Regulatory Technical Standards (RTS) outlining the requirements for Strong Customer Authentication (SCA), in line with Article 98 of the PSD2.

So, what does the PSD2 SCA mean for PSPs and merchants?

• SCA must be mandated for ALL transactions over EUR 30.
• Cummulative limit EUR 100 or 5 consecutive payments per merchant (no time limit).
• New exemptions for ’transaction risk analysis’ – up to EUR 500 if the merchants PSP meets stringent fraud rates (e.g. 0.01% for remote card transactions). A sliding scale of fraud and value applies below these levels.
• eIDAS may be interoperable as an element of SCA. However, this raises some matters as to linkage between payment instrument and eIDAS to be resolved.

In practical terms, all merchants transacting online will be required to perform SCA on all transactions inside the EU. This means that payment instruments must be subject to Simplified Due Diligence (SDD) and two-factor authentication (2FA) from November 2018.

Transaction Risk Analysis

We believe that PSPs will mandate the requirement for SCA across all transactions greater than EUR 30, despite the EBA’s introduction of transaction risk analysis (TRA). As the TRA will be too much of an onerous requirement for merchants and their PSP’s to meet, given the requirement to demonstrate audited results.

The auditable requirements that a merchant’s PSP must able to demonstrate will be the following Reference Fraud Rate (%) for:

Exemption Threshold Value     Remote card-based payments    Credit transfers
EUR 500                                                          0.01%                                       0.005 %
EUR 250                                                          0.06 %                                      0.01 %
EUR 100                                                          0.13 %                                      0.015 %

The question is therefore, will PSPs even bother, once they see the 0.01% rate?

Real Time Analytics

PSPs will now also be obligated to operate systems that are in the 21st century, and ensure that they have systems in place that can monitor, report and alert against:

• any abnormal spending or behavioural pattern of the payer;
• any unusual information about the payer’s device/software access;
• any malware infection in any session of the authentication procedure;
• any known fraud scenario in the provision of payment services;
• if the location of the payer is not abnormal;
• if the location of the payee is not identified as high risk.
• the previous spending patterns of the individual payment service user;
• the payment transaction history of each of the payment service provider’s payment service user;
• in cases where the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.

Whilst many PSPs do this, the RTS may provide the catalyst for long overdue industry consolidation.

One Leg out is in

What is interesting, is the one leg out scenario.

This has been defined by the EBA as the case where the issuer of a payment instrument is outside the EU, whereas the acquirer is a PSP which is inside the EU and regulated by the EBA.

The EBA’s RTS at Rationale 16 states:

“….when the PSP of the acquirer is established in a jurisdiction where it is not legally required to support the strong customer authentication procedure designed by the European issuing PSP, the European PSPs shall make every reasonable effort to determine the legitimate use of the payment instrument. Those types of cross-border transactions are not included in the transactions for the purpose of the calculation of fraud rates under the new Article 16. “

So, from this, we can see that PSPs have a relaxation on the use of transactional risk analysis for transactions originating outside the EU.

So, it will be ok to use TRA, and accept a much higher level of fraud from outside the EU, provided that “the European PSPs shall make every reasonable effort to determine the legitimate use of the payment instrument.”

This ‘reasonable effort’ requirement is going to get very interesting, very quickly, given that methods to exist to determine legitimate use of a payment instrument do exist, but they are coveted by a small number of patent holders.

The catch is that the most widely known and popular approaches to verifying a payment instrument have recently been granted as patents by the EU appeals court to PayPal. PayPal now holds patents over a number of the most commonly used methods to verify payment instruments as used by PSPs across Europe.

PSPs should be aware that use of micro deposits, dynamically changing descriptors in statements and simply subtracting or adding a small fee to the Sales Amount (which is also inconsistent with card scheme rules), are all patented processes, and infringement may be an issue.

The risk of infringement alone should make the iSignthis Paydentity technology of interest to PSPs and merchants, especially as our services incorporate our patents, which can provide a ‘safe harbour’ against patent infringement, whilst providing compliance to the PSD2. For more information, please email sales@isignthis.com.

About John Karantzis

John is the founder and Managing Director/CEO of Australian Securities Exchange listed iSignthis Ltd (ASX : ISX). John holds qualifications in engineering (University of Western Australia), law, and business (University of Melbourne), with a broad understanding of international regulatory regimes as they relate to payments, money laundering and identity. John has over 20 years experience across a number of sectors including payments, online media, AML, defence and secure communications. In particular, John’s experience includes application of technology to assist with remote enhanced due diligence, across a number of FATF legislative model jurisdictions.
Areas of relevant expertise include the identity verification requirements for eIDAS, 3AMLD, 4AMLD, JMLSG and CySec.

About iSignthis

iSignthis Ltd (ASX : ISX) is the global leader in dynamic, digital AML/CFT KYC identity proofing. Our Paydentity® solution incorporates real time electronic verification which converges authenticated remote payments with Know Your Customer (KYC) verification. By converging payments and identity, iSignthis delivers regulatory compliance with automated customer on-boarding. We offer a global reach of any of the world’s 3.5Bn financially included or “banked” persons.
iSignthis’ unique solutions protect both online customers and merchants from fraud and identity theft, and thus increase confidence and trust by all parties involved in remote transactions.