On November 27, 2017, the European Commission published its final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under PSD2. With the release of the final PSD2 RTS requirements, banks of all sizes can now take action to develop a compliance strategy and implement effective security solutions for electronic remote payment transactions.
The Revised Payment Services Directive, known as PSD2, harmonizes security requirements for online banking and online payments, providing a common regulatory framework for the EU. The security requirements in the final RTS are driven by two core objectives of PSD2: protect consumers from fraud by increasing payments security, and enhance competition and innovation in the retail payments market.
Because the Directive mandates that banks give third party payment providers, or TPPs, consent-driven access to customer accounts, banks must open their APIs to TPPs and ensure strong access security. While the majority of changes to the final RTS relate to these API requirements, the Regulatory Technical Standards also set out customer authentication standards.
All banks operating in the EU, including retail and corporate entities, are subject to compliance. The RTS (including authentication requirements) will become applicable in August or September 2019.
How banks interpret the PSD2 RTS requirements
It’s important to recognize that the RTS are technology and business-model neutral. Because the RTS is a legal text and not technical or prescriptive, it can be interpreted in any number of ways by any number of institutions. With so much on the line legally and financially, the real question becomes how to build the most effective strategy for compliance.
Some of the top questions among financial services providers focus on how to interpret the final RTS and implement strong security technologies to comply with the authentication requirements. At VASCO, we frequently hear questions like:
- What are the best practices when performing strong 2FA for every customer logon attempt?
- How do we protect our mobile banking apps against reverse engineering?
- How do we meet the requirements for transaction risk analysis?
To help answer these, Frederik Mennes, PSD2 expert and Sr. Manager, Market & Security Strategy at VASCO, presented a webinar on December 5, 2017, entitled: PSD2: Are you ready for the long-awaited final RTS?
Article 97 of PSD2 requires Payment Service Providers to authenticate a user when they access an online payment account, initiate an electronic payment transaction, or carry out any action through a remote channel that may imply a risk of payment fraud. Join us on Dec. 5, 2017 to learn which categories of authentication solutions meet these requirements.
If you are a line of business owner managing service and delivery channels in the bank, an IT leader responsible for implementing security in these channels, or an in-house legal expert, join us for insights on how to interpret the standards.
“At VASCO, we have spoken to most of the national banks that will have to enforce the PSD2 RTS requirements for Strong Customer Authentication, to understand how they interpret certain requirements. We’ve aggregated this information and will share it during the webinar,” Frederik Mennes says.
To that point, the latest bank to select VASCO solutions to meet the authentication requirements under PSD2 is the Bank of Cyprus. “With VASCO’s help, we are able to take steps toward meeting the EBA requirements while at the same time enhancing the security and improving the online and mobile banking experience for our customers,” says Bank of Cyprus Director Consumer & SME Banking, Charis Pouangare.
For more information on how to comply with the final PSD2 RTS requirements, watch the webinar.