EMA response to EBA Discussion Paper on security requirements of PSD2

The EMA has responded to the EBA’s discussion paper on strong customer authentication and secure communication under PSD2. This discussion paper asks for views from stakeholders regarding a number of topics that the EBA proposes to address in the regulatory technical standards it will develop to support compliance with the PSD2 security requirements (including the practicalities around strong customer authentication, dynamic linking of customer authentication with individual transaction information and secure intra-PSP communication).

The EMA’s response:
– raises concerns regarding the minimum 10-month time gap between the time PSD2 comes into force and the earliest date that the EBA RTS may be implemented;
– calls for a risk- and principles-based approach rather than delving into prescriptive detail or producing exhaustive lists of security controls/transaction types;
– expresses concern about the negative consequences of an EU standard that is overly prescriptive or diverges significantly from global standards, as many EMA members operate outside the EU;
– calls for the definition of a governance framework for assessing the compliance of individual solutions/products with the RTS.

The EMA response also requests:
– further clarification around the category of payment activities that might benefit from the ‘risk-based’ exemption from the requirement to complete strong customer authentication (SCA): many online account access interactions (i) do not expose sensitive payment data or payment user credentials and (ii) cannot be used to alter existing account settings; thus, they do not give rise to payment fraud risks;
– a flexible approach with regard to the requirements to ‘dynamically link’ each payment with information about the payee and payment amount, as this will introduce significant friction to the user experience with little benefit in terms of the security of payment transactions.

Read the EMA response here.