The second Payment Services Directive (PSD2) is expected to come into force in January 2016, and to apply to payment services providers from January 2018. When it comes into force, PSD2 will give the European Banking Authority (EBA) the power to develop 6 technical standards and 5 sets of guidelines. The issues are complicated, and there’s a lot at stake, so the EBA has started work already: on 8 December 2015, it published a “Discussion Paper on future Draft Regulatory Technical Standards on strong customer authentication and secure communication under the revised [PSD2]” (the DP). The DP “identifies and characterizes the problems or issues [the EBA] is meant to mitigate, and asks respondents to express their views on the way the EBA has [done this]“. Responses must be submitted by clicking “on the ‘send your comments button’ on the consultation page by 08.02.2016“. Otherwise, your “comments … may not be processed“.
The DP falls into 5 substantive parts:
1) “Considerations prior to developing the requirements on strong customer authentication“
2) “The exemptions to the application of strong customer authentication“
3) “The protection of the payment services users’ personalised security credentials“
4) “Considerations prior to developing the requirements on common and secure open standards of communication“
5) “Possible synergies with the regulation on electronic identification and trust services for electronic transactions in the internal market (e-IDAS)“
Mark Taylor at PaymentsCompliance has published an article on the DP, which explains why it makes good sense for PSPs and others to respond to the EBA’s paper. That article is available here, with PaymentsCompliance’s kind permission.
For next steps: the EBA will publish a consultation paper and draft Regulatory Technical Standards on strong customer authentication and secure communication in the middle of 2016. However, PSPs are unlikely to have to comply with them until at least October 2018.