Authentication and access under PSD2
EBA opinion and guidelines
29 June 2018
On 13 June 2018, the EBA exercised its own initiative powers to publish an opinion and draft guidelines on implementation of the RTS on SCA and CSC under PSD2, in response to queries and requests for clarity received from market participants.
The opinion and draft guidelines aim to ensure consistent application of these requirements across the EU. They focus on the most pressing issues where market participants need clarity now, to enable them to prepare for application of the RTS from September 2019 (or March 2019 in the case of TPP access interface testing requirements). Going forward, the EBA also intends to provide further clarifications via the EBA's Q&A tool.
EBA opinion on implementation of the RTS on SCA and CSC
The EBA opinion sets out the EBA's views on various aspects of the RTS, including that:
· Use of a redirection model is not itself an obstacle to TPP access. Instead, the RTS state that it "may" be so, if the ASPSP implements it in a restrictive or obstructive manner. This should alleviate industry concerns around the tension between the RTS and the fact that the UK Open Banking model is based on redirection.
· ASPSPs do not need to check the consent provided by a PSU to a TPP. The draft EBA guidelines also indicate that checking consent before allowing a TPP to access a PSU's account would be considered an obstacle to access.
· It is for ASPSPs to issue personalised security credentials to PSUs (although TPPs may wish to issue their own credentials for accessing their own platform). The draft EBA guidelines also indicate that preventing TPPs from relying on the security credentials issued by the ASPSP would be considered an obstacle to access.
· It is for ASPSPs to apply SCA or determine that an exemption to SCA applies, including in the context of AIS and PIS. However, the ASPSP may choose to contract with other providers such as wallet providers or TPPs "for them to conduct SCA on the ASPSP’s behalf and determine the liability between them".
· The scope of data to be shared with AISPs and PISPs by the ASPSP under PSD2 and the RTS on SCA and CSC does not include the PSU’s identity (e.g. address, date of birth, social security number) since these data are not necessary or requested to initiate a payment or access account information under PSD2.
Draft EBA guidelines on exemptions from fallback access
The draft guidelines provide further detail on when the EBA considers a dedicated TPP access interface will meet the conditions in Article 33(6) of the RTS, meaning that the ASPSP can benefit from an exemption from the requirement to have a contingency access option in place. They are open for comment until 13 August 2018 and will apply from 1 January 2019.
Obstacles to access
The EBA clarifies, both in these draft guidelines and in its opinion, that use of a redirection model is not itself an obstacle for these purposes. As noted above, this should alleviate industry concerns around the tension between Article 32(3) RTS and the fact that the UK Open Banking model is based on a redirection model.
Instead, the EBA indicates that any access model could be an "obstacle" depending on how it is implemented, for example if it does not accommodate all methods of authentication that the ASPSP has provided to its PSUs, or if it otherwise negatively impacts the user experience, for instance by creating unnecessary delays and friction that could discourage PSUs from using a TPP.
The EBA provides other examples of what it considers would constitute an obstacle to access, including:
- prohibiting a TPP from using security credentials issued by the ASPSP, as TPPs are expressly permitted to rely on the ASPSP's authentication procedures under Article 97(5) PSD2;
- discriminating against TPPs that are not credit institutions by imposing additional requirements on them that are not detailed in the legislation;
- requiring additional checks on consent for the provision of services.
On this last point, there had been some debate in the industry about whether ASPSPs should check that a PSU has provided the required consent to its TPP before allowing the TPP access to the account. However, the EBA makes clear that this is not only unnecessary, but that it would be considered an obstacle to TPP access.
Testing and wide usage requirements
The draft guidelines seek to address uncertainties around what it means for the dedicated TPP access interface to have been designed and tested "to the satisfaction" of PSPs and "widely used" by TPPs for at least three months. The EBA clarifies that:
- Competent authorities should consider whether different types of market participants have been involved in the design process and whether it is in line with legal requirements (but should not consider whether the interface has additional, potentially desirable features).
- The testing requirement is limited to "connection and functional" testing.
- When considering wide usage, competent authorities may take into account the number of TPPs that have made use of the testing facility as well as live market use. They may also consider whether the ASPSP has made the interface public and available for wide usage by communicating its availability via appropriate channels.
Process for granting an exemption
Until 31 December, competent authorities merely need to notify the EBA of their intention to grant an exemption, using the Assessment Form set out in Annex 1 of the draft guidelines.
However, from 2020, the EBA will have a month's comment period from receipt of the Assessment Form, before a new exemption is granted. Competent authorities will also be required to submit an Assessment Form where they decide to refuse an application for an exemption, explaining their rationale.
The guidelines do not address the power of competent authorities to revoke an exemption if relevant conditions are not met for more than two consecutive calendar weeks but the EBA indicates it will provide further clarity on this at a later stage.
AIS – account information services
ASPSP – account servicing payment service provider
EBA – the European Banking Authority
PIS – payment initiation services
PSD2 – revised payment services directive (Directive (EU) 2015/2366)
PSU – payment service user
RTS on SCA and CSC – regulatory technical standards on strong customer authentication and common and secure communication (Regulation (EU) 2018/389)
TPP – third party payment service provider