Danish FSA issues statement addressing possible exemption for financial management systems, ERP systems and similar systems with an integrated payment function from the requirement of strong customer authentication under PSD2

By Shane Barber, Scott McInnes, Constance Eckhardt Descout, Ivan Sagál, Annette Printz Nielsen, Kristiina Lehvilä, Cathie-Rosalie Joly, Michael Jünemann, Michelle Chan, Konrád Siegler, Stefano Febbi, Karen Berg, Sławomir Szepietowski, Kim Kit Ow, Adrián Calvo, José Luis Lorente Howell, Hans Svensson, Trystan Tether, Guadalupe Sampedro

07-2019

On 12 June 2019, the Danish Financial Supervisory Authority (Danish FSA) published a statement on the exemption from strong customer authentication (SCA) for payment transactions initiated through dedicated payment processes or protocols that are only made available to payers who are not consumers. The exemption is relevant, for example, to financial management systems, ERP systems and similar systems with an integrated payment function.

A number of financial management systems, ERP systems and similar systems have an integrated payment function making it possible for users to initiate payments directly from these systems. Payments initiated from such systems may to some extent be exempted from the requirement of SCA.

Under the Danish Payments Act no. 652 of 8 June 2017 (Danish Payments Act), payment service providers are required to apply SCA when a payment service user initiates a payment transaction, unless an exemption follows from regulation issued by the Commission under Article 98 of Directive (EU) 2015/2366 (PSD2), including the Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 on regulatory technical standards for strong customer authentication and common and secure open standards of communication (RTS).

According to RTS Article 17 payment service providers are allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided for by PSD2.

The Danish FSA considers dedicated payment processes or protocols that are only made available to payers who are not consumers as having equivalent levels of security under RTS Article 17 provided that:

  1. The provider of the dedicated payment processes or protocols has implemented security measures equivalent to the levels of security that would have been achieved had the requirements in RTS Chapters 1, 2 and 4 applied.

  2. The levels of fraudulent and unauthorised payment transactions through the use of the dedicated payment processes or protocols are equivalent to or lower than the levels of fraud for payment transactions using SCA.

Re equivalent levels of security (no. 1)

RTS Chapter 1 sets out the general security requirements, which include a requirement for transaction monitoring mechanisms to detect unauthorised and fraudulent payment transactions and a requirement for ongoing review and updating of security measures. The Danish FSA expects a provider of dedicated payment processes or protocols to take such measures in order to qualify as having "equivalent levels of security".

RTS Chapter 2 sets out the detailed SCA requirements, including requirements for the different elements of the authentication solution. The Danish FSA expects a provider of dedicated payment processes or protocols to have similar measures protecting the confidentiality and integrity of the security elements used as an alternative to SCA in order to qualify as having "equivalent levels of security". Exchange of electronic certificates between the payer, the system provider and the payment service provider is mentioned as an example. Further, an authentication solution with elements based on knowledge, possession and inherence shall guarantee at least equivalent levels of security to those provided for by RTS Articles 6-9.

RTS Chapter 4 sets out requirements for the confidentiality and integrity of the payment service user's personalised security credentials, including with respect to issuing, renewal and deactivation. Financial management systems, ERP systems and similar systems with integrated payment functions are typically installed, activated and used differently from traditional payment solutions. Providers of such systems shall apply measures adapted to the circumstances relevant to the end user of the system. As part of its agreement with the user of such a system, the provider of dedicated payment processes or protocols needs to ensure that the user has sufficient measures and procedures in place to handle operational risks, e.g. with respect to user and access rights.

Fraud level (no. 2)

For dedicated payment processes or protocols to be considered as having equivalent levels of security, such systems must not have a higher fraud level than payment transactions using SCA, and the provider needs to be able to document this based on the calculation mechanisms set out in RTS Article 19.

No pre-approval required

Finally, the Danish FSA emphasises that payment service providers do not need to apply for an exemption from the SCA requirement under RTS Article 17. Instead, the Danish FSA will, as part of its ordinary supervision, assess whether the requirements under nos. 1 and 2 above are satisfied and the provider can therefore benefit from the exemption under RTS Article 17.

Consequently, the Danish FSA's approach appears to differ somewhat from that of, for example, the UK FCA, which requires a notification by submission of an operational and security risk assessment form at least three months before the date of intended use of the exemption. Policy Statement PS18/24 sets out the following: "We remain of the view that there is no requirement for us formally to grant a firm permission to use the exemption. However, we have amended our guidance to require PSPs to complete a new field in the operational and security risk reporting form to make it easier to identify that the firm is operating under the exemption. Firms intending to operate under this exemption must submit, at least 3 months before the date of intended use of the exemption, an operational and security risk assessment form, which includes the necessary supporting information."
