Key Regulations in Payments

S. No. Region Regulation Description

1 Europe The Second PSD2 applies to payment services in the European Union and is framed by
Payment Services European Banking Association (EBA). The directive focuses on all electronic
Directive (PSD2) payments including card present and card not present transactions. PSD2 opens
the market to new payment actors and extends the scope of services. In doing so,
it increases competition with the aim of making payments more innovative,
efficient, swift and secure for consumers.

These new Third Party Players (TPP) can provide following key services
1. Payment Initiation Service Providers (PISP). PISPs may initiate a payment
transaction directly from the customers bank account
2. Account Information Service Providers (AISP). AISPs consolidate the customers
account and transaction details from multiple banks in one portal

In order to enable these services, EBA mandates the conventional banks to open
up their customer database and allow these new TPP to access these via APIs.

Major focus in the directive is for Improvement of payment processing security.

PSD2 has introduced clauses for Strong Customer Authentication (SCA). SCA is an
authentication process that shall include two or more authentication factors viz.
knowledge, possession, inheritance (biometrics). PSD2 mandates the use of SCA
whenever the customer initiates any electronic payment transaction, whether it is
to make a payment or access their bank/TPP services.

However, initiating 2 factor authentication (SCA) for every transaction has an

impact on the customer experience. Hence, PSD2 has provided cases where SCA
can be exempted. These include low value transactions, parking/toll charges,
payments to self, etc. But the majority focus is on Risk based authentication
which allows the banks to exempt a transaction from strong authentication in
case the transaction fraud risk rating is less than the published standards. As per
the ruling banks are mandated to implement transaction monitoring systems
which can perform real-time risk analysis of the payment transaction while taking
into account factors viz.
1. Lists of compromised or stolen authentication elements
2. Known payment fraud scenarios
3. Signs of session malware infection
4. Geolocation parameters
5. Behavior profile of the entity viz. customer, card, device etc.

EBA has also provided limited customer liability clause under the PSD2 directive
where-in the customer liability in case of the fraudulent transaction is limited to
only EUR 50.

EBA has presented draft directive to the European Commission (EC) for approval
in Jun, 2017. Once this is approved by EC, banks have 18 months to implement
the provisions of the directive most probably by Mar, 2019.
2 India Limited Customer In an effort to keep electronic payments safe from fraud, the Reserve Bank of
Liability India (RBI) has ushered in zero liability and limited liability concepts for the Indian
banking customers (Jul, 2017). Under this act, RBI has put the responsibility on
 the banks to put in place systems and procedures for reporting of unauthorized
transactions, identify customer liability, and monitor liabilities arising out of such
situations. As per this regulation, RBI has also advised the banks to set up real-
time fraud detection and prevention mechanisms for payment transactions.

RBI has brought various financial institutions under the ambit of this regulation
including commercial banks, small finance banks, and payments banks. This is
applicable for all electronic transactions viz. Remote transactions (online banking,
mobile banking), Face-to-face or proximity transactions like ATM, POS. Regulation
covers CASA, debit/credit cards, overdraft accounts and prepaid instruments.

Amount of customer liability for an unauthorized transaction shall be decided

based on 3 questions:
1. Where do the negligence/ deficiency lies?
2. When does the customer reports?
3. Which account/product the fraud is reported for?

As per the resolution Banks shall set in place processes to log customer disputes,
handle reversals, and resolve cases reported by the customers.
3 India Security and Risk In Feb, 2013, Reserve Bank of India (RBI) released guidelines to be followed by the
Mitigation banks in order to bring additional security measures in the card and electronic
Measures for payment ecosystem in India. These guidelines introduce certain minimum checks
Electronic and balances in order to minimize the impact of unpredictable cyber-attacks and
Payment to arrest/minimize the damage.
Transactions
The regulation covers two major tenets of the digital transactions at that time viz.
Card Transactions via ATM/POS and Internet Banking Transactions. All scheduled
commercial, co-operative, and card payment networks are part of this regulation.
Products covered under the ambit of regulation include debit/credit cards and
electronic payment services viz. RTGS, NEFT, and IMPS.

Guidelines regarding Card present transactions include providing EMV chip and
pin enabled cards, international usage threshold limits, PCI-DSS compliance for
the terminals etc. However, the emphasis was on framing rules/scenarios for
fraud prevention based on card usage patterns. RBI also advised the banks to
start moving towards real time fraud monitoring system.

Electronic payment transactions guidelines focused on checks on the value /

mode of transactions/beneficiaries. A comprehensive process was set to alert the
customer in case of any account activity. Again, from fraud management
perspective, banks are mandated to put in place mechanism for transaction
velocity check and raise incidents for any suspicious operations. Geo-location
based checks are also mandated to prevent fraudulent transactions.

RBI also nudged the banks to explore feasibility of implementing risk based
authentication technologies for advanced fraud prevention.
4 Europe Security of In Dec, 2014 European Banking Authority (EBA) published guidelines on the
Internet Payments security of internet payments, which set the minimum security requirements that
Payment Services Providers (PSPs) in EU will be expected to implement by Aug,
2015. With increasing fraud levels on card internet payments over the last years,
the EBA felt a regulatory response was necessary while waiting for the PSD2,
which aims at creating more secure and competitive rules for payments in the EU.
These EBA guidelines specifically require that Payment Service Providers carry out
Strong Customer Authentication (SCA) in order to verify the customer identity
before proceeding with an on-line payment. SCA is defined as a two factor
authentication based on the combination of elements of knowledge, possession
and/or inherence. They also require use of the onetime-passwords.

Guidelines also focused on the clear protection of customer data, risk assessment
documentation, risk mitigation policies, incident monitoring and reporting,
session security management etc.

Majority emphasis of the guidelines was also on the transaction monitoring.

Transaction monitoring mechanisms shall be designed to prevent, detect and
block fraudulent payment transactions before the PSPs final authorization.
There should be risk based approach in the transaction processing encompassing
the procedures as mentioned below
1. Parameterized fraud management rules/scenarios
2. Blacklist filtering of compromised card data
3. Behavior profiling e.g. merchant category anomalous to the customer behavior
4. IP-Geolocation checks
5. Malware infection checks

Guidelines also mandate acquiring PSPs to have fraud detection and prevention
systems in place to monitor merchant activities. Guidelines also focus on real-
time decisioning with stringent SLAs in order to prevent unduly delay in the
payment execution.