On 13 June 2018, the European Banking Authority (EBA) published an important Opinion and a Consultation Paper arising from the far-reaching consequences of the second Payment Services Directive (EU) 2015/2366 (PSD 2).
The Opinion and Consultation Paper aim to clarify a number of issues identified by market participants in respect of the PSD 2 implementing Regulation (EU) 2018/389, focusing on strong customer authentication (SCA) issues (the SCA-RTS), which will come into force on 14 September 2019.
One of the key issues is providing adequate guidance on the four conditions required for an Account Servicing Payment Service Provider (ASPSP) not to have to provide contingency measures (the so-called ‘fall-back’ solution) to continue permitting Third Party Payment Service Providers (TPSPs) access to ASPSP systems and data. One of the objectives of PSD 2 is to open up ASPSP systems and customer data to third party payment service providers to facilitate innovation and competition in the banking sector. ASPSPs typically include major retail banks.
The RTS requires competent authorities (CAs), ‘after consultation with the EBA’, to exempt ASPSPs from the requirement to implement the ‘fall-back’ solution if the ASPSP can show that it and its dedicated interface meet the four conditions under Article 33(6) of the SCA-RTS.
The Consultation Paper contains draft Guidelines on these four conditions which permit use of the exemption where the dedicated interface of the ASPSP meets the following:
- it complies with all the obligations for dedicated interfaces as set out in Article 32 of the RTS;
- it has been designed and tested in accordance with Article 30(5) to the satisfaction of the payment service providers referred to therein;
- it has been widely used for at least 3 months by payment service providers to offer account information services, payment initiation services and to provide confirmation on the availability of funds for card-based payments;
- any problem related to the dedicated interface has been resolved without undue delay.
As well as the draft Guidelines, the EBA Consultation Paper contains the questions on which the EBA is seeking comments and the cost-benefit impact assessment. The EBA addresses every component of each of the four conditions in turn, giving guidance on how they should be interpreted. The EBA emphasised that its approach to implementation of the RTS is “pragmatic in nature”.
The consultation will run until 13 August 2018, and the final Guidelines will be published after it is concluded.
The EBA Opinion, addressed to the CAs of the member states, is issued in response to the “numerous queries” received by the EBA and CAs.
As a general comment, the EBA noted that in order for Payment Service Providers (PSPs) to comply with the RTS, “industry participants will now need to develop or amend the necessary systems, hardware and software, including, in the case of ASPSPs, building interfaces and infrastructures”. The EBA urged the CAs to “remind the ASPSPs that they are required to change and adapt their systems in response to the RTS, regardless of whether ASPSPs choose to modify the customer interface or to develop a dedicated interface”.
It also stated its view that where account information or payment initiation services are provided to a Payment Service User (PSU) following a contract that has been signed by both parties, ASPSPs do not have to check consent. It suffices that Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) can rely on the authentication procedures provided by the ASPSPs to the PSU.
The EBA also made a number of specific comments about the following issues:
- The scope of data AISPs and PISPs can access and the four-times-daily limit;
- The application of strong customer authentication;
- Exemptions from the strong customer authentication requirement; and
- Method(s) of carrying out strong customer authentication.
The EBA announced that in the future it will provide further clarification on the interpretation of the SCA-RTS through its online Interactive Single Rulebook and Q&A tool and advised the CAs to encourage market participants to use the EBA Q&A tool as soon as it becomes available to submit any query they may have in relation to the SCA-RTS.
Separately, in a speech on 22 February 2018, Yves Mersch, Member of the Executive Board of the ECB, urged speedy compliance with all relevant PSD2 requirements. In particular, Mr Mersch said:
“I would strongly encourage European payment service providers to embrace the opportunities the PSD 2 provides for competition and innovation, to cooperate in the standardisation of APIs that should preferably result in a single API, and to implement all the security requirements of the new directive and its RTS as soon as possible, even before they become mandatory”.
In a press release published on 22 June 2018, the FCA supported the views expressed in the EBA Opinion and stated that, if the “final version of the Guidelines is the same as the published draft”, the FCA would expect to comply with them. The FCA is the CA for the UK under PSD 2.
The FCA further announced that it plans to consult on the changes to its guidance and rules to reflect the RTS as well as the EBA Opinion and the Guidelines.
In advance of the consultation, the FCA expects ASPSPs and TPSPs to be aware that:
- the FCA encourages ASPSPs to provide dedicated access to TPSPs using secure application programming interfaces (APIs);
- where ASPSPs do not opt to implement the dedicated interface, their interface must still meet various requirements under the RTS;
- all ASPSPs will also need to make available technical specifications, and provide support and a testing facility by 14 March 2019; and
- the RTS does not allow the FCA to grant a partial exemption. The FCA will provide opportunities for ASPSPs to engage with it before submission of the exemption request, and encourages timely requests for exemption.
ASPSPs and TPSPs should also note that the Guidelines and Opinion set out:
- that some ASPSPs will only be able to demonstrate that their interface is available to be widely used, rather than show it is widely in use;
- that the use of redirection by an ASPSP is not automatically an obstacle; nor is there a requirement in PSD2 or the RTS for an ASPSP to provide more than one method of access;
- that ASPSPs must avoid imposing unnecessary requirements (such as additional consent checks) when designing and implementing their dedicated interfaces; and
- that the FCA would not be able to exempt ASPSPs whose implementation creates obstacles to the provision of account information and payment initiation services.