PSD2: questions raised by corporate payment SCA exemption

The latest opinion published by the EBA on the revised Payments Services Directive (PSD2) raises questions on how some corporate payments will be exempt from Strong Customer Authentication.

PSD2 will usher in a new era in both transaction and consumer banking. The go-ahead for open application programming interfaces (APIs), allowing third-party payment service providers (TPPs) to provide client-facing services based on the client's bank account data, is set to change the client-bank relationship, possibly in quite a profound way. It's natural that banks may feel their position is threatened by this development – and the banking industry has been in discussion with the European Commission and the fintech community in a debate on the security and access issues involved with 'access to account' under PSD2. CTMfile has been covering these issues steadily in recent months.

This blog, written by Frederik Mennes of financial digital security firm Vasco Data Security, looks at some of the other issues relating to security under PSD2 which have been raised in the opinion published by the European Banking Authority (EBA) in response to the Commission's proposed amendments to the PSD2 draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication. In particular, Frederik picks up one interesting point that hasn't had a lot of coverage in financial media so far: exemption from SCA for corporate payments that use dedicated payment processes or protocols.

Exemption from Strong Customer Authentication

He writes: “The Commission proposed to add an exemption from SCA if corporate payments are performed using certain processes or protocols that achieve a high level of security. The EBA seems to agree with this principle, but suggests a different way to incorporate this exemption into the RTS. More specifically, the RTS now suggests adding a new category under the already existing TRA exemption for payments whereby the payers are not consumers, providing that the payment fraud rate is equivalent to or below a certain threshold fraud rate.” This means that payment service providers (e.g., banks) will be allowed not to apply SCA (i.e., access to a client's bank account data) if the client initiates the payment through a dedicated corporate payment process or protocol.

In its published statement, the EBA says: “The EBA understands the exemption as focusing on specific existing practices involving business-to-business and machine-to-machine payment transactions using specific protocols, rather than as an exemption for all corporate transactions. The EBA also understands that the motivation for the Commission’s proposal was the assumption that the specific types of corporate payments referred to in the suggested amendment were of a less risky nature.” The reason behind exempting certain types of corporate payments from SCA is that, because of how they are configured, they cannot comply with it. There is also a suggestion that these payment protocols are less risky, but the EBA states: “The EBA does not, however, have any evidence to suggest that the payment transactions conducted through the protocols specified in the new suggested amendment would be less risky.”

Questions raised by latest PSD2 position

While the exemptions for certain non-consumer payments sound justified on the grounds of risk, the situation does raise some questions. The fact that some corporate payments will be exempt from SCA presumably means that authorised TPPs will not be able to access complete corporate account data. Does this therefore imply that TPPs will be limited in the services they are able to offer to corporate clients? If so, would this compromise the spirit of PSD2 and also weaken the value that corporates could potentially gain from services provided by TPPs based on open APIs? The discussion around the risk of certain corporate payments isn't all that clear, and it needs clarification to confirm exactly why corporate payments made through dedicated protocols should not be subject to SCA.
