New EU Regulation for Electronic Payments and Online Banking

The existing legal framework

The European legislator has shaped and standardized payment transactions in the European Economic Area with two Payment Services Directives (2007/64/EC and (EU) 2015/2366). The main premises were the creation of a level playing field for payment service providers, consumer protection and an increase of payment services by non-banks.

The new regulation

The new Delegated Regulation on strong customer authentication (EU) 2018/389) which will enter into force on 14 September 2019 specifies how electronic payment transactions and online banking must be performed in future with the intention to make payment transactions and online banking more secure. The previous handling, such as registration for online banking with user name and password or online payment with credit card number, expiration date and verification number, will no longer be sufficient for authentication. From September 2019 on, payers must authenticate themselves by means of two elements from the categories “knowledge”, “possession” or “inherence”:

  • “Knowledge” (something only the payer knows): e.g. password or PIN
  • “Possession” (something only the payer possesses): e.g. token or smartphone
  • “Inherence” (something that identifies the payer): e.g. fingerprints, facial marks or voice.

The combination of these elements is intended to reduce the risk of fraud. The full text of the Regulation can be found here.

How companies should prepare for strong customer authentication

First of all, it is important to assess in which cases strong customer authentication is mandatory. Strong customer authentication is always required when the payer initiates an electronic payment transaction (so-called “push payment”) or when the payer ac-cesses his payment account online. An electronic payment is triggered, for example, when paying online with a credit card. There is no trigger if the payer pays by direct debit, as this payment is initiated by the money recipient (so-called “pull payment”). The Regulation also excludes the following cases from the authentication obligation due to the low level of misuse:

  • Contactless payments at point of sale up to 50 EUR
  • Unattended terminals for transport fees and parking fees, such as tolls
  • Beneficiaries classified as trustworthy by the payer
  • Recurring payment transactions
  • Transfers between accounts held by the same person
  • Low-value transactions up to 30 EUR
  • Payment methods with a high level of security, to which only companies are admitted
  • Transaction risk analysis of the payment service provider results in low risk
  • Retrieval of account balance and turnover via online banking

In a second step, companies must implement strong customer authentication until the Regulation comes into force. Various options are available to companies for this pur-pose, such as the use of biometric security in mobile wallets or the 3D secure process.

(10 April 2019)