Does PSD2 require Strong Customer Authentication for telephone banking?
And what if it doesn’t?
The issue of where and when PSD2’s Strong Customer Authentication is mandatory is still under debate between the European Banking Authority (EBA), the European Commission and card schemes, amongst others. While the question of how it applies to card-not-present payments online is debated endlessly, the issue of the other type of remote transaction, by telephone, seems to have been overlooked. Given that many fraudulent compromises involve both fixed-line and mobile telephones, is this an oversight? This article looks at what the legal text really says, what the interpretations have been and what the consequences might be.
What does the law say?
I have heard many defences for why telephone as a channel is out of scope. Let’s start by going back to the source, the adopted text of the second Payment Services Directive. This states in Article 97.1 that member states must ensure that
“a payment service provider applies strong customer authentication where the payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”
PSD2, Article 97.1
The first of the three cases is to do with protection of online banking and the second covers any electronic payment, including purchase at a point of sale, mobile banking, payment via a third-party provider and a batch of corporate payments, but oddly not the setup of a direct debit, as these are “in theory” initiated by the payee. In the original legal text, I think it’s clear that case c) is designed to secure payment accounts from attacks outside payment initiation, such as account takeover. Attempts to compromise accounts online are covered by case a), so what is additional in c)?
My view is that c) applies to any remote action – not just a payment initiation – which could be abused and therefore should definitely cover telephone and ATM but arguably also physical post and e-mail. Financial criminals use these channels to change the address on the account, update a mobile telephone number, request a re-issue of a bank card or authentication token, or amend any personal details. In arguably the most dangerous case, a request under GDPR to provide all information on the data subject surely represents a risk of “other abuse” and consequently may attract a fine of up to 4% of global turnover for large businesses.
I think it’s clear that the original PSD2 text covered a number of remote channels which are being ruled “out of scope” for Strong Customer Authentication, so from where does this opinion arise? The answer is with the European Banking Authority (EBA) and the Regulatory Technical Standard (RTS) on Strong Customer Authentication (SCA).
As I’ve stated before, the EBA was left with both a difficult task and a number of very motivated stakeholder groups to liaise with; in those circumstances I think the job it has done is good, but there are points of interpretation which I think could be further clarified.
Whilst we are expecting a new version of the RTS on SCA, the published “final draft” from February 2017 takes a line on the application of Strong Customer Authentication directly from PSD2. The legal text – “The (European) Commission Delegated Regulation” – does not make any mention of an exemption or application to telephone or other remote channels. However, in the accompanying documents, the comments by the EBA on questions raised in the consultation, the issue is raised a number of times, for example, comment [46]:
“Some respondents asked the EBA to clarify whether or not mail and telephone orders were exempted from the principle of SCA.”
European Banking Authority “final draft” report on the RTS for Strong Customer Authentication, February 2017
to which the answer was:
“In the EBA’s view, mail and telephone orders are out of the scope of the principle of SCA under PSD2 and therefore not subject to the RTS requirements.”
I am not clear that the principle of SCA, which the EBA says is laid out in PSD2, implies this scope as the EBA claims. Since it’s not clearly stated, I would summarise the principle of SCA as “the PSP must protect the account of its PSU from access, misuse or financial crime by third parties by using strong customer authentication”.
The EBA is certainly the appropriate and competent authority in this matter and the Commission did not think it unclear enough to put into the delegated regulation; although I am no legal expert, it seems clear to me that a view expressed as a response to a consultation question does not make the legal position clear, especially as these “accompanying documents” are unlikely to be presented to the Commission in the final version.
Finally, this view relates to “mail and telephone orders” which appears to relate to payment initiation, not non-payment transactions, for example change of address. It is therefore not clear whether telephone or other channels are “out of scope” for “remote actions” as defined in PSD2 Article 97.
Reasons for differing interpretations
Given that the Regulatory Technical Standard seems to be open to interpretation, how are payment service providers implementing it? My understanding is that PSPs are keen to minimise the scope of PSD2, given the other regulatory distractions including GDPR, the fourth Money Laundering Directive and national interpretations of what those might mean: JMLSG guidance and the proposed personal data bill in the UK. It’s understandable that restricting the scope will help some compliance projects to deliver, but what are the arguments behind exempting some remote channels?
- SCA applies only to “remote payments”, which means “online”. The word “remote” is used once in PSD2, beyond the section on Authentication, in the definition of the term “remote payment transaction”, which defines them as “initiated via internet or through a device that can be used for distance communication”. It’s not clear that this constitutes a definition of “remote”, but surely a telephone is “a device that can be used for distance communication”.
- Article 97 case c) applies only to online and mobile banking, therefore the RTS applies only to online and mobile banking. In which case, why does Article 97.1 case c) exist, as this seems to be covered more than adequately by case a)?
- Article 97.1 case c) applies only to authenticating a payer; if you’re changing your address you’re not a “payer”. Arguably the PSD2 text could say “payment service user” rather than payer. This seems a particularly pedantic interpretation of the PSD2 text and out of keeping with the general principles. Conversely, does this mean the “payer” must be initiating a payment in all cases? If so then the “access to account online” in case a) must be “for the purpose of making a payment” and no strong customer authentication is therefore necessary for AISPs. If we take “payer” as an intentional wording, then Article 97.1 c) overlaps with b), so again, why have c)?
So there are some arguments that support the view of the EBA, but I’m not clear that these meet the principle of Strong Customer Authentication in PSD2.
Unintended consequences?
Assuming that the implementers are correct and non-payment transactions across all channels, other than mobile and online banking, are out of scope for PSD2, can we foresee the outcome?
One thing we have learnt from years of monitoring financial crime statistics is that fraud evolves at a much faster rate than the industry as a whole can respond. This has led to the rise of types of attack that exploit some weakness in a system which may lie outside the financial realm altogether.
There are many examples including:
- SIM swap; where a criminal takes over a mobile phone account and issues a new SIM, undermining voice- or SMS-based authentication
- direct debit fraud; where a fraudster uses a third-party account to gain access to goods or services
- supplier fraud; where a criminal changes invoice payment details to redirect supplier payments
- account takeover; where a fraudster changes account and/or personal details to make payments or apply for further accounts or loans
- data breach; where a criminal uses account and personal information to set up accounts or facilities at a third-party institution or business
One thing is clear: criminals will take the shortest, easiest route to steal goods or money with the least risk, and making those attacks online or over the telephone significantly reduces their chance of being caught.
Applying Strong Customer Authentication to some channels and not others is likely to encourage fraudsters to attack those exempted from SCA. If we make it difficult to make fraudulent card-not-present transactions – whatever the impact on customer experience – will the fraudsters just give up? Surely not; they will target those channels which are less well protected. Put simply: if you commanded a medieval army attacking a castle which was defended strongly on three sides but had a damaged, unsupervised wall with an open gate, where would you attack?
Conclusion
There are a number of different interpretations of the EU law and it may be that national competent authorities and case law are the way we find out which one is correct. But the consequence of not protecting all of our payment channels at the same time and to the same degree is clear: movement, not reduction, of fraud. Whatever the Regulatory Technical Standard says about telephone banking, surely payment service providers who learn from the history of fraud prevention will go beyond what the RTS requires?