EUROPEAN UNION PAYMENT REGULATIONS – EBA AND PSD2 DATA SHEET
As the European Union seeks to regulate retail payments across member countries, two different regulatory bodies have developed initiatives to address the cross-EU payment market today and into the future. These initiatives affect the banks, financial service providers and regulatory systems in the EU, Eurozone and European Economic Area countries.
INTERIM AND FINAL APPROACHES
The European Central Bank (ECB) is tasked with developing the regulations that govern payments across the EU and is in the process of developing the Directive on Payment Services II (PSD2). PSD2 is a revision of the first Directive on Payment Services, which created the legal foundation for a cross-EU payments market. PSD2 (along with its companion Regulation on Multilateral Interchange Fees) is designed to foster a market that “nurtures competition, innovation and security to the benefits of all stakeholders and consumers in particular.” PSD2 is expected to be finalized in 2017 or 2018.
However, in response to rising fraud across the EU, the European Banking Authority (EBA) has released security guidelines (“Guidelines”) for internet payments. The Guidelines went into effect August 1, 2015 and are intended to help reduce fraud in advance of PSD2 taking effect in 2017 or 2018. Although not mandatory, the Guidelines are “comply or explain,” meaning member countries are required to provide justification if they opt not to implement them.
SECURITY IN EBA GUIDELINES AND PSD2
The EBA Guidelines recommend that payment service providers (PSPs) require multifactor authentication to authorize online payments and implement transaction monitoring to identify fraudulent payments. The Guidelines advocate a risk-based approach by recommending “alternative customer authentication measures” for low-risk transactions, such as transfers between two accounts owned by the same customer or low-dollar transactions.
PSD2 in its draft form overtly embraces a risk-based approach and specifically calls out customer convenience as an end goal. It also requires multifactor authentication and, unlike the EBA Guidelines, encompasses all remote access, including from the mobile channel.
RSA SUPPORT FOR EBA GUIDELINES AND PSD2 COMPLIANCE
RSA introduced risk-based authentication well over a decade ago and can help financial institutions in the EU, Eurozone and European Economic Area countries comply with all regulations requiring multifactor authentication. RSA’s Adaptive Authentication (AA) analyzes over 100 indicators in assessing the risk of a fraudulent login or transaction – only those transactions deemed risky require an end-user response, allowing approximately 95% of users to be authenticated silently.
AA used in conjunction with RSA’s Web Threat Detection provides comprehensive, end-to-end monitoring of the entire online session. This further enhances the ability to identify fraudulent transactions while balancing end-user convenience and ease of access. RSA is a leader in the detection of online fraud and will continue to innovate to meet the evolving security needs of our customers.