The PSD2 regulatory technical standards (RTS) for strong customer authentication (SCA) and secure communication (SC) are proving difficult to finalize. The RTS were circulated in draft for consultation in 2016; the EBA published its final draft in February 2017; the European Commission (EC) then requested amendments, which the EBA rejected in June 2017.
The key sticking point is the use of screen scraping. Although PSD2 is technology-neutral, the EBA banned screen scraping in its final draft, whereas the EC wants to allow it (on a contingency basis).
As it stands, agreement on the final RTS text between the EBA, the EC and the European Parliament (EP) may not be reached until August or September 2017. Since the RTS apply 18 months after adoption, Q1 2019 is now the earliest they can take effect.
PSD2 itself comes into force on 13 January 2018, and while there has always been a well-flagged gap from this date to when the RTS for SCA/SC come into force, the confusion over finalizing the RTS has led some PSPs to question if PSD2 itself will be delayed.
However, PSD2 is still slated to become law across the EU in January 2018, and PSPs have to be compliant with it by then. The explanatory notes accompanying the EC's amendments to the draft RTS state that the RTS, and the security aspects of PSD2 articles 65 (confirmation of funds), 66 (access for payment initiation) and 67 (access for account information), are applicable from the same date as the RTS. This may have led some to believe the EC wants these key account-access articles delayed in their entirety.
Even setting aside the EBA's rejection of the EC amendments, the EC proposed deferring only the RTS and the security aspects of these articles to 2019, not the articles as a whole; their remaining provisions would still be mandatory from 13 January 2018.
Moreover, the final draft of the RTS is not law until the EC, EBA and EP are in agreement, so as matters stand today, all provisions of all PSD2 articles apply from January 2018.
Banks and other PSPs therefore need to be PSD2-compliant from 13 January 2018, with the following implications:
- Effective January 2018, they need to allow TPPs (AISPs and PISPs) access to online payment accounts without requiring any contractual agreement.
- The method of access is the bank's decision: realistically, either open APIs or allowing TPPs to screen scrape (up to the RTS implementation date, and beyond it if screen scraping is permitted in the final RTS).
- The security, authentication, fraud-monitoring and secure-communication methods (the subject of the RTS) are the bank's/PSP's own choice between January 2018 and the RTS date in 2019.
Banks/PSPs may have bilateral agreements with TPPs after January 2018, but they must also allow access to TPPs without a contract as well.
Banks/PSPs therefore have two choices beginning January 2018:
- Do nothing, except allow screen scraping on their online accounts. If the final RTS text does eventually allow screen scraping from the RTS date, then they can choose to continue this method indefinitely.
- Implement an API management system and publish APIs. We encourage banks and PSPs to go this route if they are to be relevant and active in an API and Open Banking economy.
If a bank is not ready with APIs by January 2018, that is acceptable, provided it allows screen scraping. But it then risks being excluded from TPP services that only use APIs, handing an advantage to competitors who do provide them.
PSPs face further challenges:
- developing automated mechanisms, shared across the PSP community, to validate that third parties requesting access to accounts are authorized and regulated;
- authenticating customers and managing their consent, both with open APIs and with screen scraping (where the TPP logs in with the customer's own credentials), including long-term solutions if screen scraping survives in the final RTS text; and
- making TPPs accountable and liable for breaches of consent or data access, and for fraudulent payments that are the fault of the TPP.
These challenges do not, however, alter the obligation to be PSD2-compliant from 13 January 2018.