On 14 September 2019, new requirements for authenticating online payments will be introduced in Europe as part of Directive (EU) 2015/2366 on payment services in the internal market (Payment Services Directive, “PSD2”).
PSD2 contributed to the growth of open banking in the European Union. Open banking is generally defined as a system of technologies that allows consumers to access traditional banking or financial services and products through the use of digital means and tools (e.g. payment services may be provided by Facebook or Amazon).
The provisions of PSD2 entered into force on 13 January 2018; however, the detailed provisions concerning strong customer authentication will be applicable from 14 September 2019. As of this date, payment service providers must apply additional authentication to “customer-initiated” online payments within Europe. Strong customer authentication, or two-factor authentication, uses two of the following three types of identification: “something you know” (password, PIN), “something you own” (computer, mobile) and “something you are” (digital fingerprint, voice). This would mean that the current practice of the banks (e.g. a one-time code sent to the client’s phone or fingerprint authentication through the client’s mobile banking app) will no longer comply with the new requirements. Banks will need to start declining payments that require two-factor authentication and do not meet the aforementioned criteria.
With these changes, the European Union Commission aims to create a more unified and well-organised European payments market and to ensure safer and more secure payments and, as such, safeguards for consumers.
By Rita Parkanyi, Partner, KCG Partners Law Firm