- Posted by Michael McKee
- On 12 December 18
- Open Banking, Payments, PSD2, Strong customer authentication
Article 98(1) of the Second Payments Services Directive (EU) 2015/2366 (PSD2) requires the European Banking Authority (EBA) to develop Regulatory Technical Standards (RTS) on Strong Customer Authentication and common and secure communications (SCA). The RTS for SCA was published on 13 March 2018 and will become applicable on 14 September 2019.
Article 33(4) of the SCA RTS requires an Account Servicing Payment Service Provider (ASPSP), such as a bank, to have a “contingency mechanism” in place in order to ensure continued availability of customer data to Third Party Providers of Payment Services (TPPs). However, Article 33(6) states that Competent Authorities (CAs) may exempt an ASPSP from the requirement to implement this fall back mechanism where an ASPSP can show it meets the following four conditions set out in Article 33(6) of the RTS:
- (i) compliance with the obligations for dedicated interfaces as set out in Article 32 of the RTS (these include ensuring the same level of availability and performance for all users, creating defined and transparent key performance indicators and service level targets and monitoring and publishing of statistics concerning availability and performance);
- (ii) design and testing in accordance with Article 30(5) to the satisfaction of the Payment Services Providers (PSPs);
- (iii) wide usage for at least three months by PSPs offering account information services, payment initiation services and providing confirmation on the availability of funds for cardbased payments; and
- (iv) ensuring any problem related to the dedicated interface has been resolved without undue delay.
The interpretation of these conditions has been the subject of much debate and negotiation during PSD2’s implementation, with ASPSPs citing the costs and technical challenges associated with implementing the fallback mechanism and TPPs emphasising the importance of uninterrupted access to information. It was in this context that the EBA published its final guidelines on 4 December 2018 setting out the conditions which ASPSPs are required to meet in order to benefit from the exemption to the contingency mechanism under Article 33(6).
This followed the draft guidelines issued by the EBA’s in its June 2018 Consultation Paper. The key requirements in the final EBA Guidelines are summarised below:
- ASPSPs will be required to provide the CA with feedback received from TPPs, along with an explanation of how the ASPSP has addressed any issues raised during its testing.
- CAs may take into account, when assessing an ASPSP’s compliance with the design condition in Article 33(6)(b) of the RTS, any problems reported by TPPs to the CA in relation to the elements to be tested.
- In assessing whether or not ASPSPs meet the “wide usage” condition, CAs should not only consider the number of TPPs that have used the ASPSP’s production interface, but also take into account the number of successful requests sent by TPPs via the dedicated interface, the number of TPPs available in their jurisdiction to use the interface, the steps that the ASPSP has taken to achieve “wide usage”, and the evidence submitted to the CA regarding the results of the testing and the resolution of issues raised by TPPs.
- ASPSPs will be required to publish data on the availability and performance of their dedicated interface, and do so in a way that enables TPPs and payment service users to compare the daily availability and performance of the dedicated interface with the availability and performance of each of the interfaces made available by the ASPSP to its own payment service users.
- ASPSPs are required to provide the CA with evidence that their dedicated interface does not give rise to unnecessary delay or friction for customers accessing their account via an Account Information Service Provider (AISP) or Payment Initiation Service Provider (PISP) in a manner that would directly or indirectly dissuade the customer from using the services of an AISP or PISP.
The deadline for CAs to report on whether or not they comply with the guidelines will be two months after the publication of the translations on the EBA’s website. They will apply from 1 January 2019.