At the heart of these changes is the fact that, through PSD2, European lawmakers have decided to allow non-bank competitors to access the payment accounts of banks’ customers, for the purpose of retrieving account information and/or to initiate a payment transaction.
The release of the latest version of Regulatory Technical Standards (RTS) that will implement SCA comes hot on the heels of a consultation that broke all records. The EBA received a whopping 224 responses, raising 300 different issues or requests for clarification.
In response to this level of debate and controversy, the EBA has announced that it will relax some of the rules that have caused concerns. It said these decisions were the result of making:
"difficult trade-offs between the various, at times competing, objectives of the [new Payment Services Directive], including enhancing security, promoting competition, ensuring technology and business-model neutrality, contributing to the integration of European payments, protecting customers, facilitating innovation, and enhancing customer convenience."
The other point to note is that the EBA's final report suggests that the RTS will be applicable from November 2018 at the earliest.
The changes from the previous draft of the RTS have been trailed over the last few days, notably in a speech from EBA chairperson Andrea Enria on Tuesday, and should not come as a surprise to the industry. They will nevertheless require detailed consideration to determine both the impact and the intention behind them (including over 100 pages of the EBA's reaction to consultation responses). The key changes are:
Technology-neutrality of the RTS
One of the main criticisms of the previous RTS was that it was very high level in some areas but very detailed in others and in particular it had made reference to particular technologies in some cases. The EBA has agreed that it got this wrong in some areas and has attempted to adopt a more technology neutral stance in its drafting. This is helpful.
One of the helpful amendments made by the EBA to the RTS is clarity around the segregation of the channels for authentication. It has made clear that SCA does not require more than one device.
Exemptions to Secure Customer Authentication
Two key new exemptions are to be introduced:
- One based on "transaction risk analysis" – this will be linked to pre-defined 'reference' fraud rates, thus providing incentives to improve customer protection
- One for so-called 'unattended terminals' for transport or parking fares
- The threshold for applying SCA to remote transactions will increase from €10 to €30
- There will be no exemption for corporate payments – something which had been requested by a number of respondents
The RTS has also been revised to make it clear that PSPs may still apply SCA even where an exemption from SCA would be available in the circumstances.
TPP access – screen scraping
The EBA has confirmed that the practice of 'screen scraping' – which automates the copying of data from a website – will no longer be allowed under PSD2 from the end of the transition period because it will not meet the requirements for secure communication, identification and authentication. Where PSPs provide a dedicated interface for TPPs, they will have to provide the same level of availability and performance as the interface offered to, and used by, their own customers.
What does this mean?
All of these changes seem to present "a pragmatic olive branch", with the EBA wrestling with an incredibly difficult task that pitted it against competing objectives under PSD2.
One of the biggest complaints about the legislation was its clunkiness, particularly around two-factor authentication. There were a lot of concerns from online merchants that transactions would not be completed, so the extra flexibility, particularly around the new 'transaction risk analysis' exemption, should be welcomed. It remains to be seen whether this new exemption will prove as positive as it first appears. The analysis and decision-making are carried out at PSP level rather than by the payee/retailer. However, the RTS does now require that the PSP's fraud rate meets the reference levels mandated by the RTS. PSPs will have to monitor their relative fraud levels where transaction risk analysis is used and must have this monitoring independently assessed by auditors.
Hopefully, both fintechs and banks will benefit from technological neutrality and principle-based regulation in the pursuit of innovation.
The same goes for the new clarity around interfaces – the banks will be happy they'll be able to choose the type of interface they use, while TPPs will take comfort from the fact that they shouldn’t lose out through using these systems because they will ensure an equally good service for their customers.
The final draft RTS will now be submitted to the European Commission for adoption, following which they will be subject to scrutiny by the European Parliament and the Council.
Under PSD2, the RTS will be applicable 18 months after its entry into force, which suggests November 2018 at the earliest. In its final report on the RTS, the EBA comments that the "intervening period provides the industry with time to develop industry standards and/or technological solutions that are compliant with the EBA’s RTS."
For further information on other PSD2 developments and the related Open Banking initiative, see our PSD2 and Open Banking Interactive Timeline.