The struggle for strong authentication

The European Union's Payment Services Directive (PSD2) tightens the requirements for remote access to accounts and for electronic transaction orders. Although the directive has been adopted, how strict these requirements will be in practice has still not been determined.
(Tech in Asia, CC BY)

In early October 2017 the Polish Ministry of Finance published the third version of the draft amendment to the act on payment services. The project contains many important provisions, which show that the implementation of the PSD2 Directive is not an easy task.

The topic generating the greatest controversy is no longer (as it was resolved in the directive) the issue of access of third-party service providers to payment accounts held in banks and payment institutions. The question now concerns the method of implementing this access. It was supposed to be specified in the Regulatory Technical Standards on Strong Customer Authentication (RTS SCA) complementing the Directive, which should be developed by the European Banking Authority (EBA).

The standard was supposed to be ready in January 2017. It was expected to be adopted by the European Commission after about three months, which would mean that it would be published in April and become effective after 20 days. That moment would begin a period of 18 months before the RTS SCA becomes effective in the member states. This would mean that the standard would be in force from October next year, which would give around 9 months of a transitional period between the date of the expected transposition of the PSD2 Directive (January 2018) and the entry into force of the RTS SCA, which details the implementation of selected articles of the directive.

However, at the end of October 2017 there was still no final version of the document drawn up by the EBA which could be approved by the European Commission. We only have the Commission's declaration promising the publication of its position on this issue "at the beginning of November 2017". Will this be the final position? We cannot be certain of that, considering the previous statements of the EBA and the reactions of the European Commission.

A source of problems

What is the most sensitive issue which prevents the European Commission from adopting the position of the EBA? It’s about the method in which third parties access the payment account in order to obtain information about the account data or the initiation of a payment (on behalf of the account holder). Among the recommendations for developing PSD2 declared by the European Commission was the desire to increase competition from non-banking entities in the area of payment services. However, the institutions running the payment accounts would like the operations concerning the accounts to always be carried out on the basis of a separate action carried out by the customer (account holder), with the full identification of the entity that is intermediating in its execution. This is a problem for some non-bank entities that wish to fulfil the role of so-called Account Information Service Providers (AISP) or Payment Initiation Service Providers (PISP). This applies in particular to those that already have experience in conducting business in conditions of relative freedom in this field (lack of regulation, or possibly lack of clear recommendations of the supervisory bodies).

Banks are concerned about the safety of access to the accounts, the secrecy of confidential information, clarity regarding the actions of the account holder, and a clear division of responsibility between the user, the bank and the third party. This matters all the more because they operate in a world in which banks are supposed to refund, in the first instance and almost immediately, the amount of any transaction the user reports as unauthorized.

Meanwhile, the non-bank providers of payment services, whose competition with banks the European Commission wanted to facilitate, would like to access the holder’s account, possibly along with the possibility to make operations on the account, in the name of and on behalf of the user, but not necessarily requiring the user’s activity each time. They would also like to get almost unlimited (in terms of scope) access to account information.

By regulating this issue PSD2 suggests the standardization of the understanding of „account information”. After all the provisions of PSD2 and RTS finally become effective it may turn out, however, that the banks should distinguish between information they are allowed to share with third parties and other information associated with the account.

Two-factor authentication

In accordance with PSD2, strong customer authentication should primarily be a two-factor authentication (2FA). In accordance with the draft law, it is supposed to ensure the protection of data confidentiality "on the basis of the use of at least two independent elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and user's inherent characteristics (something that is specific to the user and which is an integral part of them), that are mutually independent in that the breach of one does not compromise the reliability of the others".

For example, if the authentication is done on a mobile phone, which only we should possess (we have registered this telephone for this purpose at our bank), then we need to complement it with either entering a code that only we should know, or, for example, confirm the operation with a scan of our fingerprint. Many banks already apply similar requirements especially to confirm operations. However, this is not necessarily required in order to access the account online.

Two-factor authentication therefore requires the user's attention and requires them to express their consent for the execution of specific activities (services) each time. This prevents a service provider from independently viewing the details of operations on the account, and from initiating orders that match the client's intention and serve the client's interests but are placed without the client's knowledge and without their direct action each time.

In addition, two-factor authentication means that sharing, for example, a pair of currently used authentication codes will no longer be sufficient for the delivery of some services by fintech companies. That is because the two codes are, in fact, two components from the same category: the user's knowledge. For the implementation of 2FA the user's "presence" is also required, over and above the action itself, since both the possession factor and the inherent-characteristic factor assume the user's physical presence at some device.

Dynamic linking

As if these conditions were not enough, in the case of electronically initiated payments PSD2 requires the fulfilment of an additional condition: "dynamic linking" between the components of strong authentication and "a specific amount and a specific recipient" of a payment transaction. Moreover, as suggested by the wording of the existing versions of the RTS SCA, the entity through which a payment transaction is requested should provide to the payer the information on both the amount and the recipient of the transaction before the final decision on its execution.

This could mean that when we request a payment transaction, the authorization code we receive, e.g. in a text message, for a transaction of EUR 101 would differ from the code for a transaction of, for instance, EUR 100. The code would also vary depending on the account to which the transfer is directed. It would seem that such conditions should not be difficult to meet.

Big changes

This is not the case, however. In the case of banks that do not solely operate consumer accounts, sending entire packages of bank transfers is a common practice. If we wanted to confirm such packages with a code from a text message, it would be impossible to include the information about the recipients of, e.g. 50 transfers in the text message. In order to fulfil this condition we would therefore need a complementary solution.

Corporate banks often issue tokens to their clients. They usually work offline, i.e. they do not use information about the details of the current transaction to generate an appropriate authorization code. A customer requesting a package of wage payments does not necessarily receive information on all the recipients along with the authorization code. Sometimes a company specifically does not want each of, for example, three people authorizing a package of wages to obtain knowledge about its content.
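An added illustration of the dynamic-linking requirement discussed above, and of the package-of-transfers problem in this section; this is example code written for this page, not code from the article, from any bank or from the RTS SCA. It models the possession factor as a registered device holding a secret key: the authorization code is an HMAC over a one-time challenge plus a canonical encoding of the amount and payee, so a code issued for EUR 100 does not verify for EUR 101 or for another recipient. The batch variant binds the number of transfers, their total and every individual payee/amount, so a package can be authorized with one code without putting 50 recipients into a text message. The field layout, the key names, the sample IBANs and the 8-digit truncation are assumptions for the example, not requirements of PSD2.

```python
# Added example (not part of the article): a minimal model of "dynamic linking"
# for strong customer authentication. All keys, challenges and IBANs below are
# constructed sample values.
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_transaction(amount: str, currency: str, payee_iban: str) -> bytes:
    """Canonical encoding of the elements the code must be linked to.

    Normalising the amount to two decimals and stripping spaces from the IBAN
    ensures that "101" and "101.00" (or differently spaced IBANs) bind the same
    bytes, while any real change to amount or payee changes them.
    """
    amt = Decimal(amount).quantize(Decimal("0.01"))
    iban = payee_iban.replace(" ", "").upper()
    return f"TX:{currency}:{amt}:{iban}".encode()


def canonical_batch(transfers) -> bytes:
    """Bind a whole package of transfers: count, total and each payee/amount.

    Transfers are sorted so the code does not depend on presentation order, but
    changing any amount or recipient in the package changes the digest. The
    count and total are also exposed in clear so they can be shown to the
    person authorizing the package without listing every recipient.
    """
    digest = hashlib.sha256()
    total = Decimal("0")
    for amount, currency, iban in sorted(transfers):
        digest.update(canonical_transaction(amount, currency, iban))
        digest.update(b"\n")
        total += Decimal(amount)
    total = total.quantize(Decimal("0.01"))
    return f"BATCH:{len(transfers)}:{total}:{digest.hexdigest()}".encode()


def authorization_code(device_key: bytes, challenge: bytes,
                       payload: bytes, digits: int = 8) -> str:
    """Code the possession factor (a registered device) produces for a payload.

    The challenge is issued per request by the bank, so the same transaction
    requested twice yields two different codes and an intercepted code cannot
    be replayed. Truncation follows the dynamic-truncation idea of RFC 4226.
    """
    mac = hmac.new(device_key, challenge + b"|" + payload, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


def verify_code(device_key: bytes, challenge: bytes, payload: bytes,
                submitted: str, digits: int = 8) -> bool:
    """Bank-side check: recompute from the transaction the bank will execute.

    Comparing in constant time avoids leaking the expected code via timing.
    """
    expected = authorization_code(device_key, challenge, payload, digits)
    return hmac.compare_digest(expected, submitted)


def new_challenge() -> bytes:
    """Fresh per-request challenge; in practice stored with the pending order."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    key = b"constructed-device-key"           # provisioned to the user's device
    challenge = new_challenge()
    pay_100 = canonical_transaction("100.00", "EUR", "DE89 3704 0044 0532 0130 00")
    pay_101 = canonical_transaction("101.00", "EUR", "DE89 3704 0044 0532 0130 00")
    code = authorization_code(key, challenge, pay_100)
    print("code for EUR 100:", code)
    print("verifies for EUR 100:", verify_code(key, challenge, pay_100, code))
    print("verifies for EUR 101:", verify_code(key, challenge, pay_101, code))

    wages = [("1500.00", "EUR", "DE89 3704 0044 0532 0130 00"),
             ("1720.50", "EUR", "FR14 2004 1010 0505 0001 3M02 606")]
    batch_payload = canonical_batch(wages)
    print("batch summary shown to approver:", batch_payload.split(b":")[:3])
    print("batch code:", authorization_code(key, challenge, batch_payload))
```

The point of the design is that the bank verifies the code against the transaction it is actually about to execute, not against whatever the initiating party claims was displayed: if a third party alters the amount or the recipient between the user's confirmation and the order, the HMAC no longer matches and the order is rejected.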

This means that authentication will undergo changes: the modification of the authentication schemes, the preparation of new systems, tools, deployments, appropriate distribution. At the same time this new world is not necessarily as convenient as the transactions carried out in the "one-click" or even "zero-click" mode, which we often see today. However, both the two-factor requirement and the dynamic linking contribute to improved security of payment-related processes and the authentication itself.

For the EBA the latter is of key importance. The security of accounts, information about them and performed transactions are the EBA’s priority. The security of the banking sector is the security of its customers.

The perspective of the European Commission is more complex. PSD2 was supposed to enable fintechs to compete with banks in the field of payment services, but with the requirements for authentication set so high not all the services already provided by fintechs in certain countries will be possible or equally convenient. The number of cases that require the use of strong authentication with the use of a scheme adopted by each bank individually will also not facilitate the activities of fintechs. There are many indications that in order to be able to compete with banks, fintech companies will require investments and changes or at least the services of external providers. But banks will also be affected by the tightening of the implemented requirements, especially those that do not currently require customers to enter a code each time they log on to their account from a mobile device.

What will the Regulatory Technical Standard bring

The RTS SCA is at the moment the only document in which, to a limited extent, one can still decide on the restrictions or the conditions for use of strong authentication. At the same time, the period remaining until its implementation (from the transposition of the Directive until the entry of the RTS SCA into force) provides an opportunity for confronting interpretations and practices enabling fintechs to operate according to the existing rules. What practices will be acceptable and what liability of the parties they will involve are some of the questions that may be hard to answer. The risk of functioning in such a regime can be seen as elevated.

If particular banks want to cut this transition period short individually, they could implement strong 2FA on their own as soon as possible, even before the date the RTS SCA enters into force. However, in order to be able to do so, they should first learn about the Regulatory Technical Standard. Let us hope that this will take place soon.

Grzegorz Hansen is the Director for Strategy and Development in the Transactional Banking Department at Polish mBank (owned by Commerzbank).