Join the Community

22,317
Expert opinions
44,364
Total members
362
New members (last 30 days)
182
New opinions (last 30 days)
28,776
Total comments

Strong Consumer Authentication - a project for the banks?


The Second Payments Services Directive (PSD2) is opening many doors for small companies in a bank-dominated industry. With the new rules, some of the competences are transferred from the banks to the hands of the consumers. Consumers have the authority, through consent, to allow smaller companies to use consumers’ bank accounts to provide unique services. The two new categories of services introduced by the PSD2 are account information services (AIS) and payment initiation services (PIS).

In addition to the unique services, the PSD2 has introduced a new security standard, called Strong Consumer Authentication, for accessing payment accounts online and initiating electronic payment transactions. The logic is clear: when you give more power to the consumers, you must ensure those powers are going to be exercised in a secure manner.

However, like any other legislation, the PSD2 leaves gaps in the governance principles between banks and payment initiation service providers (PISPs) like ‘Swiipe’ payments. The PSD2 and the RTS (supplementing document) do not explicitly mention whether the PISPs can have their own Strong Consumer Authentication procedures in place. The opportunity of developing and applying their own strong consumer authentication is significant to the PISPs. It would raise the PISPs to an equal footing with the banks in the market and give them the creative freedom to develop independent procedures. This is exactly what the EU is, in theory, trying to accomplish with the PSD2.

Recital 30 of the PSD2 says that the personalised security credentials used for strong consumer authentication by the payment initiation service providers are usually those issued by the banks. Personalised security credentials are defined (in Article 4 subsection 31) as personalised features provided by the payment service provider to a payment service user for the purposes of authentication. The information that we get from this text is two-fold. On the one hand, it appears that the PISPs will be able to utilise their own strong consumer authentication, but the credentials they must use are issued by the banks. On the other hand, PISPs will have limited power to control which information the consumer will be able to use to perform authentication.

The second part of recital 30 states that the contractual relationship between banks and the PISPs is not necessary and that banks should allow payment initiation service providers to rely on the bank’s strong consumer authentication procedures to provide payment initiation services. This information adds contours to the relationship between banks and the PISPs. Surprisingly, the latter statement from the second part of the recital has often been used by commentators to deprive the payment initiation service providers of the right to use their own strong consumer authentication.

However, on a prima facie reading of the recital’s wording, such a conclusion should not be drawn. The prohibition on banks excluding the PISPs from using the bank’s authentication procedure does not necessarily imply that the PISPs cannot have their own strong consumer authentication. This is where most of the commentators are mistaken.

Article 97 section 5 of the PSD2 states that the Member States shall ensure that the banks allow the PISPs to rely on the authentication procedures provided by the bank. This phrasing in one way mirrors the second part of recital 30, but consequently puts a positive obligation on the Member States. However, as explained in the previous paragraph, this statement should not give a right-minded and reasonable reader the impression that PISPs are deprived of the right to provide authentication procedures.

Looking at the directives, my conclusion is that PISPs can have their own authentication mechanisms and the law permits it. However, my recent experience and the views shared by the market experts left me believing that this will remain theoretical. In practice, PISPs will have to rely on the strong consumer authentication provided by the banks.

A senior officer from the competent authority working with the fintech industry has revealed that it is very unlikely that PISPs will be able to rely on their own authentication procedures. Firstly, this is because the cooperation between banks and PISPs on providing payment services is subject to negotiating and concluding contracts. Banks at the negotiation table are going to be extremely unwilling to accept PISP-made authentication procedures for the consumers to access the bank’s account information. This is despite the second part of recital 30 stating that the contractual relationship between banks and the PISPs is not necessary.

Secondly, as recital 30 states that personalised security credentials will usually be issued by the banks, there will be limitations on what type of authentication factors PISPs will be able to use. PISPs will not have the creative and innovative freedom to adopt unconventional personalised security credentials. The only way they would be granted that freedom is if they work closely with the banks. In that case, contracts will be a necessity for further progress. Other reasons include the heavy regulation of the banking sector and the fact that the banks are in the best position to develop strong consumer authentication and ensure its application and compliance.

To sum up, there is no instance in the PSD2 where it is explicitly stated that the PISPs are restricted from developing their own strong consumer authentication procedures. However, the directive and the EU consistently suggest and hint that PISPs should rely on the banks. That and the practical aspect of strong consumer authentication add to the conclusion that the first PISPs will have to work closely with the banks in order to develop unique approaches to authenticating the consumer. Interestingly, strong consumer authentication as a new concept and the gap in the PSD2 together create an opportunity for a breakthrough in the future. It should not stop new companies from developing unique approaches to strong consumer authentication and new ways to deliver payment initiation services. However, it will be on their shoulders to convince the banks to join them on that journey.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
