PSD2 – European Commission adopts Delegated Regulation regarding regulatory technical standards on strong customer authentication and on common and secure open standards of communication
What has happened?
Firms that are within scope of the second Payment Services Directive ((EU) 2015/2366) (“PSD2”) now have, at long last, some clarity around PSD2’s strong customer authentication (“SCA”) requirements. On 27 November 2017 the European Commission adopted a Delegated Regulation and Annex setting out the regulatory technical standards (“RTS”) on SCA and on common and secure open standards of communication (“CSC”) (C(2017) 7782).
What are the key points?
The key points relate to continued access by third-party payment service providers to payment service users’ payment account information held by banks (including what happens when a bank’s dedicated interface fails), and to an optional exemption from certain SCA requirements for corporate payment processes.
The journey to this point has not been easy and it is not clear whether the final RTS will answer all outstanding questions around SCA. The RTS were drafted initially by the European Banking Authority (“EBA”) further to its mandate under PSD2 to specify the requirements for SCA (under Article 98) and related exemptions, security measures for payment service users’ credentials and CSC for payment service providers.
The RTS met with initial disapproval from the European Commission, which wrote to the EBA in May 2017 setting out its intention to make a number of amendments. The most controversial of these was the Commission’s proposed requirement that Account Servicing Payment Service Providers (“ASPSPs”) (typically banks) provide access to the customer interface for Account Information Service Providers (“AISPs”) and Payment Initiation Service Providers (“PISPs”) if the dedicated interface is not available. In other words, screen-scraping would still need to be possible even if a bank’s dedicated interface for AISPs and PISPs fails, in order to ensure continuity of the services that AISPs and PISPs provide to payment service users (end customers). In June 2017, the EBA responded with an Opinion letter setting out its objections, including its objection to permitting screen-scraping in this way.
The Commission’s adoption of the RTS includes some substantive amendments reflecting the Commission’s original position. The first is the addition of a further exemption from SCA covering electronic payment transactions performed through dedicated payment processes used by corporates, where an appropriate level of security is achieved by means other than the authentication of a particular individual. This exemption is subject to the approval of each national competent authority.
The Commission’s second amendment to the RTS relates to “screen-scraping”. Here, the Commission promotes a compromise position (or perhaps a punt). The Commission maintains that banks should permit a fall-back mechanism if the dedicated interface fails: “it is necessary to provide, subject to strict conditions, a fall-back mechanism that will allow such providers to use the interface that the account servicing payment service provider maintains for the identification of, and communication with, its own payment service users.” (C(2017) 7782 final (Recital 24))
Having said that, the Commission has also decided that national competent authorities may exempt banks from the requirement to provide such a fall-back mechanism, provided the dedicated interface meets certain criteria. In other words, in the UK it’s back to the FCA. This means that ASPSPs, AISPs and PISPs could face different SCA requirements depending upon the Member State in which they are operating.
What happens next?
Although PSD2 applies from 13 January 2018, the RTS apply 18 months after the date on which the Delegated Regulation enters into force, which is the day following its publication in the Official Journal of the EU. This means that the RTS should apply from around Q3/Q4 2019, assuming neither the European Parliament nor the Council objects to the Delegated Regulation during the scrutiny period.
The Commission’s adoption of the RTS has several implications for payment service providers. They now know they have until around Q3/Q4 2019 to ensure that their systems comply with the security measures in Articles 65, 66, 67 and 97 of PSD2 (transposed in the UK under Part 7 of the Payment Services Regulations 2017) concerning SCA, bearing in mind that those provisions of Articles 65, 66, 67 and 97 that do not relate to SCA apply from 13 January 2018, when PSD2 itself applies.