The EC’s PSD2 RTS: Winners & losers
While the industry continues its race against time to be PSD2-ready in January 2018, there still remains a number of unknowns and conflicting opinions on how the banking and payments landscape will be reshaped once the legislation comes into force. Of these areas of disagreement, the most hotly debated continues to be the EBA’s controversial RTS for SCA and Secure Communication report.
Background
The EBA published a consultation paper on the Draft RTS for SCA and Secure Communication issue last summer. This sparked a record number of comments, kick-starting debates around Europe on the best adoption route for the industry in the process.
Chief amongst the concerns for banks was the restrictive nature of the technical standards published, and their effect on customer services. The EBA was widely criticised for being overly descriptive (rather prescriptive) in areas such as SCA, and leaving Secure Communication too open-ended for any meaningful standards to be defined.
Whilst the final draft published by the EBA for submission to the EC did address some of the issues raised, that document still left much to be desired in many circles. In addition, further concern was raised around the subject of disallowing “screen scraping” once the RTS comes into effect.
The industry appears to have split into those in favour of screen scraping (mainly existing market players and prospective TPPs) and those averse to it (mainly banks, wary of uncontrolled sharing of customer data with the “new” TPPs). The focus of debates in most forums has moved from the initial issues regarding customer experience, barriers to entry, lack of standards, and market fragmentation, to whether existing players could continue their practice of screen scraping and whether this would be compliant not only with PSD2 but also with the fast approaching GDPR regulation as well.
The EC’s take on RTS
Against the backdrop of these discussions and lobbying from both sides, the EC has recently published its version of the RTS based on the final draft sent by EBA. As clarified in a letter written by EC Director General, Olivier Guersent, the commission has made some key changes to the draft:
Screen scraping continues to be disallowed The EPC has maintained the stand taken by the EBA to not allow screen scraping once the RTS comes into effect. The EPC has emphasised that the RTS is applicable only for access to payments accounts. Screen-scraping does not allow the ASPSP to restrict access to non-payment accounts, so the onus is on the TPP to work within the allowed constraints.
Contingency measures The RTS states that in case of unavailability of the ASPSP’s dedicated (API) interface, TPPs should be allowed to use the ASPSPs online interface. This is still screen-scraping, but with the added requirement that TPPs identify themselves to ASPSPs when using the interface. This means that banks providing a dedicated interface will still have to make changes to their online platform to allow TPPs to prove their identity.
Corporate exemptions A new Article has been introduced allowing exemption from SCA for some corporate payment channels. The competent authorities in the member states are authorised to validate that these channels offer at least same level of security as aimed for by PSD2.
Introduction of statutory auditors The TRA-based exemption requires complex risk models and fraud reporting to provide exemptions from SCA. Hence, there has been the introduction of statutory auditors to ensure objectivity and reporting standards.
Fraud reporting to the EBA The PSPs are required to provide their fraud rates and figures to both the competent authority in their member state but also to EBA. EBA has been empowered to conduct a review of the reference fraud rates within 18 months after the RTS comes in force.
Further changes with far reaching consequences
While some changes have been apparent, others appear to have been inserted into the text under the radar (intentionally or unintentionally). Some of these changes that might have major impacts on the parties involved include:
Mandatory use of a dedicated interface The RTS states that if the ASPSP provides a dedicated interface, TPPs are obligated to use this for access to customer accounts.
Reference to ISO20022 dropped While there was no direct reference to ISO20022 standards within the Articles of the final draft of RTS, Recital 16 did mention the use of ISO20022 for dedicated interface. This reference has now been removed.
The regulation applicability date Recital 24 states: “For reasons of legal certainty, it is appropriate that this Regulation be applicable from the same date as Articles 65, 66, 67 and 97 of Directive 2015/2366.” This would mean that banks do not have to offer AIS and PIS interfaces at all until the RTS comes into force – probably late 2018 or early 2019. The previous draft only delayed the application of RTS security measures until that date, implying that ASPSPs must make the (insecure?) interfaces available from January 2018, when the main PSD2 regulation takes effect.
Probably the omission of the words “security measures” is unintentional, as the Explanatory Memorandum that accompanies the RTS still says that the security measures should become applicable when the RTS comes into force. In this case, the security regime to be applied during the transitional period remains unclear.
Looking ahead
With this draft being published by the EC, it is unlikely that there will be further changes on the horizon (though there is still a possibility of push-back from the European Parliament). The debates and recommendations continue, but with so many parties involved with such divergent interests, a consensus remains a distant and seemingly unachievable dream.
It is becoming increasing clear that the PSD2 implementation and adoption will rely heavily on a competent local authority, and on the industry as a whole to fill in the gaps through self-regulation. There will not be a seamless EU-wide TPP experience on day one, though no doubt the rough edges will wear down eventually.
With the EBA having six weeks for to come back with any changes, there seems to finally be an end date to the RTS saga. The industry should finally be able to stop guessing and pre-empting and start developing, based on a truly “final” version of the RTS.
First published on Bobsguide