The EBA is name checked quite frequently when it comes to PSD2 but what is the EBA, what does it do and why is it so important when it comes to PSD2?
The European Banking Authority (EBA) celebrated its 5th anniversary last week. Born out of the banking crisis it replaced the much derided former regulator, the Committee of European Banking Supervisors (CEBS). Officially a regulatory agency of the EU, the
EBA has oversight for the financial services sector, a FCA for the EU if you will. It is headquartered in London’s Canary Wharf (somewhat ironically, given the impending threat of Brexit).
Its first role was to rerun a series of contentious bank stress tests in 2011 that had been carried out by its predecessor the previous year. These original CEBS tests were criticised for not being stringent enough after a number of banks which had given
the all clear were subsequently
bailed out. The EBA’s own stress tests resulted in further bank recapitalisations (arguably not
enough), including, most notably, a number of German Landesbanken which resulted in a falling out with the German Bundesbank at the time. The EBA subsequently stood up to another central bank, the Bank of England, when it forced through a bonus cap for
bankers late last year. In its short life, this regulator not afraid to bare its teeth.
EBA and PSD2
All this is important for PSD2 because, as we published last week, the EU Commission has left the task of defining much of the detail in the directive to it. Specifically, the EBA has been mandated to develop 6 regulatory technical standards (RTSs – think
of these as EU law) and 5 sets of Guidelines (guidance for local regulators). The EBA has also been mandated to keep a register of licenced PSPs, which in turn will be compiled from registers across the EU of entities approved by national regulators.
The application date for the RTSs and GLs is the 13th Jan 2018 (the same as the application date of PSD2 itself) except, as reported
last week, the RTS on Strong Authentication and Secure Communication. This is the most politically charged of the RTSs and its earliest application date will be Sept 2018, some 18 months
after its adoption by the EU Commission. This application date could well extend into 2019 should there by any push back from the EU’s executive arm. This all suggests that some national regulators may not be in a position to licence or register PISs or AISs
before that application date and defensive banks could in turn refuse to open their APIs to these new entrants, essentially pushing the effective date for PSD2 a year out. For clarity of understanding, here you can find the EBA’s own timelines as an
To give an insight into which aspects of authentication and security are focusing the minds of the EBA the most, it is worth examining the five areas it recently consulted on:
- Requirements for ‘Strong Authentication’ (e.g. two-factor or multi-factor, should dynamic linking etc). Note that the onus will largely be on the ASPSPs (aka the banks) to comply with these;
- Exemptions to these strong authentication requirements (originally only intended to apply to telcos in PSD1, but subsequently taken advantage of by many industry players). The expectation is that these will be narrowed;
- Protection of personal security credentials;
- Requirements for common and secure open standards of communication; and
- Leveraging of existing EU electronic identification regulations (e-Idas) for possible authentication purposes.
To Innovate or Protect
When addressing these areas the EBA recognise they have to walk a fine line between tough security standards (implying a high degree of market prescription) and customer convenience and innovation (implying high level requirements). Incumbents (i.e. the
banks) will favour the former, and new fintech disruptors the latter. Where the EBA line falls will have knock-on implications for the very essence of PSD2. Will their thinking have been influenced by the loudest voices through the consultation process and,
if so, who has been most vocal during that consultation process? Our suspicion is that it has been the banking community.
A draft RTS based on this consultation is intended to be delivered by the end of Q2 this year, though given the slew of responses expected that may prove ambitious. Either way, the EBA has already proven itself a regulator not afraid to stand up to entrenched
positions. Expect more of that, and potential industry frustration, as the detail for PSD2 unfolds over this coming year.