Final draft released earlier today of PSD2 RTS on SCA and CSC. It is still a 'draft' as it could yet be amended by the European Parliament, but failing that it will be transposed to national law late 2018 or possibly early the following year. Notable amendments (including those flagged earlier in the week):
- SCA limit raised to 30 euro. Cumulative limit 100 euro or 5 consecutive payments
- new exemption for 'transaction risk analysis' - up to 500 euro if the merchant's PSP meets stringent fraud rates (e.g. 0.01% for remote card transactions). A sliding scale applies below these levels
- unattended payment terminals also exempt to avoid unnecessary queues, amongst other things (think road tolls, tube, and parking meter payments)
- Following CMA example in explicitly stating that screen scraping is no longer permitted (good)
- AISP calls to access account information appear to have been increased from two to four per day maximum - but no max if account holder is actively requesting it (AISPs will need to think of smart ways of getting their users to actively request the data if it is to be real time). Bilateral arrangements between AISPs and banks can increase that limit if they so desire (a further incentive for bank/fintech partnerships)
- PSPs to have same levels of availability to account that customers have via their online access
- Corporate payments subject to same rules and exemptions as retail payments - no special cases (as requested by some industry players)
- ISO 20022 remains the standard for payment messaging under PSD2, although requirements for other security and communication standards (incl. HTTPS) have been lifted to allow for technological and business model neutrality
- Authentication procedures remain within the realm of the account provider
So that's it. Some increase in flexibility versus the consultation paper released last August. Fintechs will still find it relatively restrictive and will need to find some innovative ways of invoking the exemptions. Banks probably relatively happy, I suspect.
The industry can get on with implementing it now.
Initial thoughts and comments welcome.