The European Banking Authority (EBA) has published an Opinion on the implementation of the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication (CSC).
It has also published a consultation paper on draft Guidelines on the conditions that an account servicing payment service provider (ASPSP) must meet if it wants to provide access via a dedicated interface and be exempt from the obligation to have a fall-back option in place.
PSD2 requires that Strong Customer Authentication is used for accessing a payment account online, initiating a payment transaction and carrying out a transaction through a remote channel. The RTS on SCA and CSC will apply directly across the EU partly from March 14, 2019 and predominantly from September 14, 2019.
To comply with PSD2 and the RTS, industry participants must develop or amend their systems and, where applicable, establish interfaces and other infrastructures. The Opinion is addressed to national regulators. Since the Opinion provides supervisory expectations, it will be of interest to payment services providers, payment schemes, technical service providers and industry initiatives. The Opinion contains general and specific comments, including on the scope of data and the four-times daily limit, and on the application of and exemptions from Strong Customer Authentication requirements.
The RTS on Strong Customer Authentication and CSC regulate, among other things, the access by account information service providers and payment initiation service providers to customer payment account data held by ASPSPs.
The RTS require, among other things, ASPSPs with payment accounts that are accessible online to offer at least one access interface ensuring secure communication with account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments.
An ASPSP may choose between offering: (i) an interface that is dedicated to the communication with account information service providers, payment initiation service providers, and payment service providers issuing card-based payment instruments; or (ii) use of the interface for the identification and communication with the ASPSP's payment service users.
Where a dedicated interface is elected, ASPSPs must establish a contingency mechanism to ensure that payment service providers who rely on the dedicated interface can continue to provide their services in the event that the dedicated interface suffers from unavailability or inadequate performance. ASPSPs may apply for exemption from having to provide such a mechanism, demonstrating that the dedicated interface complies with certain other specific conditions.
In the consultation paper, the EBA proposes guidelines to clarify the requirements that ASPSPs must meet to obtain an exemption, in particular, the service level, availability and performance of the interface, the publication of performance indicators, stress testing, obstacles to accessing payment accounts and resolution of problems.
The draft Guidelines also clarify the information that national regulators should consider when determining whether an ASPSP qualifies for the exemption. In addition to providing clarification, the EBA is aiming to ensure consistent application of the rules across the EU.
Responses to the consultation should be provided by August 13, 2018. The Guidelines will then be finalized and will apply from January 1, 2019. Going forward, the EBA will continue to provide clarifications but will use the Single Rulebook Q&A to do so. The Q&A function will be extended to PSD2 by the end of June 2018.