Find Us

123 Main Street
New York, NY 10001

Monday—Friday: 9:00AM–5:00PM
Saturday & Sunday: 11:00AM–3:00PM


PSD2: EBA’s Opinion on SCA elements as of June 2019

Last Updated – 16 October 2019

Fraud has been on the rise and account protection in many European countries has relied solely on traditional, overly forgotten password. Some regulators with more visionary security strategies have already been enforcing 2FA (two-factor authentication) to avoid fraud and impersonation and account spoofing in the financial sector. The new Payment Services Directive – PSD2 is meant to better the current state of the European financial markets, adapt to the technological advancements of recent years, and propose up-to-date, common standards across the EU.

Keeping up with technology is vital and the new security requirements are focused on the new era of consumer-centric financial products.

PSD2 at a glance

The PSD2 includes 112 articles and 11 mandates that are examined by the European Banking Association. The regulation impacts all players in the financial sector from payment providers to banks and beyond. The regulations encourage competition, transparency, and innovation in payment services. PSD2 law affects EU consumer access to their banking data in many ways: the provision mandates an open banking approach and higher security through new authentication methods and dynamic linking.

SCA – The demand for increased payment protection

The latest opinion of the European Banking Authority on the elements of strong customer authentication under PSD2 has brought forth much-needed clarifications to compliant authentication methods for both payment service providers (PSPs) and payment service users (PSUs) (including merchants). The EBA clarifies what constitutes a compliant element in each of the three possible categories of multi-factor authentication: inherence, possession, and knowledge.


The inherence element

Relates to something the user is. EBA explains that devices and software need to have ‘adequate security features’ in place that could, for example, be ‘algorithm specifications, a biometric sensor, or template protection features.’ The inherence factors can be both biological and behavioral biometrics, and the authority lists the following as acceptable:

  • keystroke dynamics (identifying a user by the way they type and swipe, sometimes referred to as typing and swiping patterns)
  • retina and iris scanning
  • fingerprint scanning
  • vein recognition
  • face and hand geometry
  • voice recognition
  • the angle at which the PSU holds the device and the PSU’s heart rate 

The factors must have a very low probability of an unauthorized party being authenticated as the payer. Few of the inherence elements listed above can be implemented on a large scale for day to day consumers due to hardware constraints (e.g. availability of high-quality fingerprint sensors, cameras or iris scanners). Another drawback to most of the factors is the lack of smooth, unobtrusive user experience.

One user-friendly inherence element is typing biometrics. Since the authentication is not out of band, users are not forced to switch devices or perform additional tasks in order to authenticate. Therefore, typing biometrics is a frictionless authentication method, compliant with SCA.

Companies should also consider an often overlooked argument: the technical gap with elderly users. In 2018, nearly one fifth (19%) of the EU population was aged 65 and above. Also in the EU mobile banking adoption is high, an average of 70% of European citizens use mobile apps for banking. Financial institutions must comprehend the age differences: millennials are comfortable with facial recognition while baby boomers will have difficulties adopting facial recognition and iris scans. Also, research has shown that people under the age of 25 prefer typing to voice calls.


The possession element

Refers to a device used as evidence of possession. There must be reliable means to confirm ownership through the receival of a dynamic validation element on the device. Evidence could be provided through the generation of a one-time password (OTP), whether generated by a piece of software or by hardware, such as a token, text message (SMS) or push notification. The SMS itself would not be the element but rather the SIM-card associated with the respective mobile number.

Tokens must be treated with care due to the quintessential consumer sensitivity to user-friendliness: enforcing old methods like tokens and out of band authentication factors has seen high numbers in terms of user drop off. Consumers not only long for accessibility to third-party applications but they also demand frictionless online banking experiences.


The knowledge element

Refers to PINs, passwords, passphrases or knowledge-based challenge questions. Unfortunately, this method provides the weakest security being often forgotten or easy to guess. The maiden name of someone is not a secret in Google’s era. A study by Baymard Institute in Frederiksberg, Denmark has shown that twenty-one percent of users forget passwords after two weeks. The reset password requests have a disastrous outcome for customer support departments of financial institutions worldwide.

The consumer in the focus

This isn’t the first time the consumer is the primary beneficiary of such a European regulation. Still, the outcomes are impacting the entire industry. The intense focus on democratizing banking services and allowing the entrance of new players in the closed markets of financial giants is one of the most significant outcomes. A new generation of financial companies will arise: PSD2 regulates Third Party Providers (TPPs) enabling:

Flexibility – Payment Initiation Service Providers (PISP) – Third-party companies will be able to initiate payments on behalf of a consumer without them having to visit their online bank’s portal. This results in more flexibility for the end-user.

Accessibility – Account Information Service Providers (AISP) – Third-party companies will be able to access a consumer’s bank account and the information related to their account. This empowers the consumers to aggregate details of their financial situation from multiple accounts in a single application.

Due date: 14th September 2019

The PSD2 will be enforced on the 14th of September 2019. One regulation specifies that Third-Party Providers (TPPs) are allowed to access or aggregate accounts and initiate payment services.  A study made by Finextra shows that close to half of banks (41%) failed to meet a recent deadline for the Payment Services Directive (PSD2) to provide a testing environment or ‘sandbox’ for any third-party service providers (TPPs).

To make sure you are PSD2 ready and meet the SCA regulation, contact our team and schedule an appointment and see how frictionless authentication can leverage more benefits than just being compliant.

In  October 2019, a later Opinion on the deadline for the migration to SCA under the revised Payment Services Directive (PSD2), EBA  has set the new deadline to 31 December 2020 and prescribed the expected actions to be taken during the migration period.