The European Banking Authority (EBA) published today a Discussion Paper on strong customer authentication and secure communication. The revised Payment Services Directive (PSD2) will mandate the EBA to deliver Regulatory Technical Standards on this topic by January 2017. Prior to starting the development of these requirements, the EBA is issuing a Discussion Paper, with a view to obtaining early input into the development process. Responses can be submitted until 8 February 2016.
The revised Payment Services Directive (PSD2) is expected to enter into force in January 2016 and to apply from January 2018. The Directive will confer on the EBA the development of six technical standards and five sets of guidelines. The regulatory technical standards (RTS) on strong customer authentication and secure communication, on which the EBA has issued the Discussion Paper today, are key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
The RTS, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify the requirements for strong customer authentication; exemptions from the application of these requirements; requirements to protect the user’s security credentials; requirements for common and secure open standards of communication; and security measures between the various types of providers in the payments sector.
In so doing, the EBA and ECB will have to make difficult trade-offs between competing demands and would like to hear views from market participants on where the ideal balance should lie. The EBA and ECB have also identified various issues and suggest some clarifications that would similarly benefit from stakeholder feedback.
Next steps
Responses to this Discussion Paper can be sent to the EBA until 8 February 2016, by clicking on the “send your comments” button on the website. The EBA will assess the responses received, and use them as input for the development of the draft RTS, which it will publish in summer 2016, for a consultation period of three months.
Legal basis
The Directive of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, is expected to be published in the Official Journal in December 2015. It would then enter into force in January 2016, and would apply from January 2018.