First, in the case of access by a client to his/her payment account online, the requirement of strong customer authentication does not apply where the client's online access is limited to either one or both of the following items, without disclosure of sensitive payment data: "Sensitive payment data" means "data, including personalised security credentials which can be used to carry out fraud […]" (Article 4(32) of PSD 2).

The revised Payment Services Directive (PSD2) was implemented in the UK from 13 January 2018. These provisions include regulatory technical standards (RTS) and guidelines.

FSMA publishes basic principles on cybersecurity.

Article 15(1) of the PSD2 requires the EBA to develop, operate and maintain an electronic central register that contains information as notified by competent authorities.

On 27 November 2017, the European Commission adopted, on the basis of an amended draft from the European Banking Authority ("EBA"), regulatory technical standards on strong customer authentication and common and secure communication under Article 98 of Directive 2015/2366 of 25 November 2015 on payment services in the internal market ("PSD 2").

the client is accessing such information online for the first time; more than 90 days have elapsed since the last time the client accessed online its 90-day payment transactions history with strong customer authentication.

They also specify the procedure for accessing the information in the EBA Register, which includes the functionality for downloading its content.
Article 15(5) of the PSD2 mandates the EBA to develop draft ITS specifying the details and structure of the information to be contained in the register, including the common format and model in which this information is to be provided by competent authorities.

the amount of the remote electronic payment transaction does not exceed EUR 30; and, the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or.

The technical standards mandate the existence of at least one interface that financial institutions must provide to securely send and receive information from PISPs/AISPs.

This exemption is not applicable, however, when: Secondly, in the case of initiation of electronic payment transactions, several exemptions to the strong customer authentication requirements apply, two of which we will mention here: The strong customer authentication requirements do not apply where a client initiates a contactless electronic payment transaction, provided that the following conditions are met: The strong customer authentication requirements also do not apply where a client initiates a remote electronic payment transaction, provided that the following conditions are met:

Implementation of provisions regarding strong customer authentication requirements.

Strong customer authentication is defined as "an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data" (Article 4(30) of PSD 2).
The banking industry is currently working on how to standardise the way data is accessed through ‘Open Banking’ standards.

The risk of fraud with electronic payments is significant and requires a high level of protection (Recital 95 of PSD 2). These requirements aim at ensuring the security of electronic payments.

the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering contactless functionality since the last application of strong customer authentication does not exceed five.

The EBA's work in the area of payments and electronic money is aimed at ensuring that payments across the EU are secure, easy and efficient.

Regulatory Technical Standards on Strong Customer Authentication (SCA)

The deadline for compliance with the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the PSD2 Directive is 14 September 2019.

The … Therefore, in principle, strong customer authentication requirements do not apply in the case of initiation of electronic payment transactions by a payee within the framework of direct debits.
The proposed ITS specify the type of information that will be contained in the register for: Responses to this consultation can be sent to the EBA by clicking on the ‘send your comments' button on the website.

The length of the process and the number of iterations …

Twenty months after the European Banking Authority (EBA) issued the first draft, on 13 March the regulatory technical standard (RTS) on strong customer authentication (SCA) and Common Secure Communication (CSC) under revised Payment Services Directive (PSD2) was finally published in the Official Journal of the European Union.

Feedback on the public consultation and on the opinion of the BSG

Additionally, the level of performance and availability of this inte…

Exemptions to the strong customer authentication requirements.

Our page, and the Money Advice Service provide more information.

PSD2 has been designed to ensure a level playing field and encourage innovation in the payments industry. However, the Central Bank of Ireland recognises the difficulties with meeting this deadline.
On 27 November 2017, Commission delegated Regulation (EU) 2018/389 supplemented PSD2 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

The register will include information about payment and electronic money institutions, account information service providers, their agents and branches, which are authorised or registered in the Member States.

The regulatory technical standards provide exemptions for two out of the three cases where strong customer authentication is required.