PSD2 RTS on authentication and communication – EU Commission proposes amendments


PSD2 RTS on authentication and communication – EU Commission proposes amendments

14 June 2017

Regulatory News Alert

EU Commission proposes amendments

The EBA has now published the EU Commission’s proposed amendments to its draft RTS on Strong Customer Authentication (SCA) and common and secure communication under the revised Payment Services Directive (PSD2), as well as the Commission’s accompanying letter setting out the main changes introduced. Both documents were submitted to the EBA on Wednesday 24 May, but were not made public until Friday 1 June.

As per the Commission’s letter, the main amendments are:

1. Independent auditing of the security measures in cases where the transaction risk analysis exemption is applied. (Ref. Chapter 1, Article 3(2) of the EBA draft and of the Commission’s amended RTS)

Payment Service Providers (PSPs) making use of the SCA “Transaction risk analysis” exemption (as per Article 18) shall have a statutory audit performed for the methodology, the model and the reported fraud rates at a minimum on a yearly basis. The Commission has introduced this to ensure that the risk analysis methodology employed is objective and consistent.

2. Introduction of a new exemption to SCA for certain corporate payment processes. (Ref. Chapter III, NEW Article 17)

PSPs shall be allowed not to apply SCA in respect of legal persons initiating electronic payment transactions through the use of dedicated corporate payment processes or protocols, provided the relevant competent authority confirms ex-ante, that they are satisfied that those processes or protocols guarantee at least equivalent levels of security to those aimed for by PSD2.

3. Fraud reporting by PSPs directly to the EBA. (Ref. Chapter III, Articles 16(2) and 17(2) of the EBA draft - Article 18 and 19 of the Commission’s amended RTS)

The Commission added more details to the way that PSPs need to calculate the risk score of each payment transaction. In addition, the methodology and any model used by the PSP to calculate the fraud rates, as well as the fraud rates themselves, shall be documented and made fully available to competent authorities as well as to EBA. This means that the EBA will have access to individual fraud data from PSPs rather than relying on high-level, aggregated data reported by competent authorities.

4. Contingency measures in case of unavailability or inadequate performance of the dedicated communication interface. (Ref. Chapter 5, Article 28 of the EBA draft – Article 33 of the Commission’s amended RTS)

As expected, the Commission introduced an amendment to the RTS stating that, if the dedicated interface is unavailable for more than 30 seconds during a communication session between PSPs, or where it does not operate in compliance with the requirements under Articles 30 and 32 (General obligations for a dedicated interface), Payment Initiation Services Providers (PISPs) and account information services providers (AISPs) should be allowed access to the interfaces made available to the payment service users for directly accessing their payment account online, until the dedicated interface has resumed functioning. Several conditions apply (see Article 33 (3) for more details), including identification and authentication procedures, but effectively this provision reintroduces an element of screen scraping as a contingency measure.

The Commission made this change to ensure that unavailability or inadequate performance of the dedicated interface does not prevent PISPs and AISPs from offering their services to their users. Otherwise a bank would be able to offer its own payment services through the user-facing interfaces, which operate without any difficulties, while PISPs and AISPs would not be able to do so and would therefore be at a disadvantage.

Next steps

  • The EBA has until 5 July to give its opinion on the amended RTS
  • After this period, the Commission can adopt the RTS taking into account the EBA’s opinion or disregarding it
  • Once the Commission has officially adopted the RTS, the three months scrutiny period of the Parliament and Council will start
    For further reading on this topic please visit:


For further reading on this topic please visit:

Authors: Stephen Ley, Partner Risk Advisory at Deloitte LLP, Steven Bailey, Director Risk Advisory at Deloitte LLP, and Valeria Gallo, Manager EMEA Centre for Regulatory Strategy at Deloitte LLP. 

Did you find this useful?