On 21st February, Andrea Enria, the Chairperson of the EBA, presented at the Westminster Forum and provided some early insights into the progress of their PSD2 Regulatory Technical Framework (RTS) work. The publication of the PSD2 RTS has been delayed a number of times, so Andrea's comments provide some useful previews of the draft RTS which should be published shortly.
There are two specific areas within the RTS that are addressed by Andrea:
Strong Customer Authentication
Andrea outlined that the EBA is willing to accept three main changes to exemptions to the principle of Strong Customer Authentication (SCA):
- To allow “transaction risk analysis” to determine when SCA is applied. This will be linked to predefined levels of fraud rates, so as to provide incentives to strengthen the protection of customers.
- To exempt “unattended terminals” for transport or parking fares.
- To increase from €10 to €30 the threshold for remote payment transactions.
The acceptance of a risk-based approach to SCA is a major step forward in the implementation of the RTS and has to be welcomed with open arms. It is not clear at this stage who determines the level of risk – the issuer or the merchant. However, this proposed approach is a significantly better outcome than a blanket introduction of SCA for all transactions over €10, which was initially feared.
The increase in the transaction threshold from €10 to €30 is also a positive outcome for those operating businesses with low average transaction values (such as digital subscription businesses) and will reduce the payment friction experienced by consumers when buying lower value items.
The EBA have proposed a review clause 18 months after the application date of the RTS in order to ensure that the nature of the exemption is “sufficiently conservative”. This allows for a change in approach if the outcome of the RTS is not as expected.
Common & Secure Communication
The second substantive area addressed by Andrea is Common & Secure Communication (C&SC). This covers the communication between account servicing payment service providers (ASPSPs), account information service providers (AISPs) and payment initiation service
Here the EBA wishes to maintain the obligation for the ASPSPs to offer at least one interface for AISPs and PISPs to access payment account information. However, the most important statement is that "the current practice of third party access without identification … referred to as ‘screen scraping’ … will no longer be allowed once the transition period under the PSD2 has elapsed and the RTS applies".
This is a very substantial move and potentially places at risk business practices which are currently used in the Online Banking ePayments environment. There is a significant concern that removing current forms of access may stifle innovation in the European payment market in the short term.
Despite an assurance that the RTS will require “banks to provide the same level of availability and performance as the interface offered to, and used by, their own customers” the opportunities for innovation before these new interfaces are ready are significantly
Both these topics have been hotly debated in the payments business over the past 6 months. However, until the full draft RTS has been published we will not know what other significant changes may emerge. We await the publication of the full document with
The full text version of the presentation can be found here