EBA To Keep Strict PSD2 Authentication Rules For B2B Payments


As the European Banking Authority (EBA) prepares for the Revised Payments Systems Directive (PSD2) to come into effect next year, it has reportedly changed its tune on one aspect of the rules that led to widespread criticism among online merchants.

Reports Tuesday (Feb. 21) said the EBA has agreed to relax proposed rules that would require more stringent customer authentication measures for online sellers after industry players raised concerns that the rules would lead to abandoned checkouts and higher rates of declined transactions. According to reports, EBA Chairman Andrea Enria delivered a speech in London on PSD2 and said the proposed authentication requirements would be modified.

The original proposals applied to all transactions under €10 (about $10.50), but that threshold will increase to €30 (about $32). The revisions, however, will apply only to remote consumer transactions, not corporate payments, reports said. Businesses would have to meet “strong customer authentication” requirements in the form of confirmation steps, like entering passwords or providing a one-time authentication code. While safer for consumers, the process could lead to fewer online sales, critics said.

However, companies that deploy “transaction risk analysis” to reduce fraud, as well as transactions at unattended terminals like parking meters, will have a “get-out clause.”

The EBA’s decision to modify its proposal comes after it received a record 224 responses to its first four consultation papers on how it will roll out the new Regulatory Technical Standards (RTS) for PSD2, reports said.

“The EBA identified 300 distinct concerns and clarification requests by respondents,” Enria said. “Each of these concerns will be listed in a 100-page feedback table that we will publish as part of the final draft.”

Enria added that so-called “screen-scraping,” which automates the copying of data from a website, will be banned under PSD2 despite calls for open communication between banks and financial services providers for the purpose of customer data sharing.

“In order to address the concerns raised by some respondents on the smooth and continued access to the dedicated interface, a requirement has been added in the draft RTS requiring banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers, as well as to provide the same level of contingency measures in case of unplanned unavailability,” Enria stated.