As anyone who knows me can attest, I like looking for unintended consequences in legislation. Particularly so in the case of the EU’s General Data Protection Regulation (GDPR) and second Payment Services Directive (PSD2). I was therefore surprised by an assumption which I, and I suspect many other practitioners in the field, had made about third-party providers. How can customers use account information or payment initiation services?
And what if it doesn’t?
The issue of where and when PSD2’s Strong Customer Authentication is mandatory is still in debate between the European Banking Authority (EBA), the European Commission. While the question of how it applies to card not present payments online is debated endlessly, the issue of the other type of remote transaction, by telephone, seems to have been overlooked. Given that many fraudulent compromises involve both fixed-line and mobile telephones, is this an oversight? This article looks at what the legal text really says, what the interpretations have been and what might be the consequences.