This is linked to the PSD2 no longer allowing the existing practice of third party access without identification (at times referred to as ‘screen scraping’ or, mistakenly, as ‘direct access’) once the transition period provided for in PSD2 has elapsed and the RTS applies. The draft RTS have been developed according to Article 98 of the revised Payment Services Directive (EU) 2015/2366 (PSD2), which mandates the EBA, in close cooperation with the ECB, to draft Regulatory Technical Standards (RTS) specifying the requirements of the strong customer authentication (SCA), the exemptions from the application of SCA, the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users' personalised security credentials, and the requirements for common and secure open standards of communication (CSC) between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers (PSPs). Now it is up to Parliament and the Council to accept or refuse it during three months of scrutiny; if nothing changes, we can expect it to go fully live in September 2019. Federation of German Consumer Organisations, Związek Banków Polskich (Polish Bank Association), bevh - German Distance Sellers Association, Discussion on RTS on strong customer authentication and secure communication under PSD2, AIS European players : Bankin (FR), Eurobits (ES), Fdata (UK), Linxo (FR), SPIIR (DK), TINK (SE), Fintonik (ES), Ocu (ES), FIGO (DE), FranceFintech (FR), Association of Foreign Exchange and Payment Companies, Bitkom - Germany's association of digital transformation, Bundesverband der Zahlungsinstitute - Federal Association of Payment Institutions. The revised Payment Services Directive (PSD2) will mandate the EBA to deliver Regulatory Technical Standards on this topic, which the EBA is required to deliver by January 2017.
After the amendments suggested by the Commission, the EBA reflected that, according to their professional opinion, most of the changes are not to be implemented in the RTS. Responses to this Discussion Paper can be sent to the EBA until 8 February 2016, by clicking on the "send your comments" button on the website. In case the number of attendees exceeds capacity, the EBA may impose a restriction on the number of individuals that can attend from each organisation. Last week the Fast IDentity Online Alliance (FIDO), an international industry consortium for online authentication, published their letter to the European Council opposing the inclusion of a fall-back option for TPP access in the EBA RTS on strong customer authentication under … Originally, the creation of the RTS was mandated to the EBA and due to the large interest of the public, following lengthy consultations it was published in February 2017. On November 27 the European Commission published the final version of the PSD2 RTS on SCA and CSC (Regulatory Technical Standard on Strong Customer Authentication and Common and Secure open standards of Communication), the most crucial element for ASPSPs and fintechs. This means several things: a) If an ASPSP doesn’t have a dedicated interface, it shall allow the TPPs to use the customer facing interface with the additional feature of TPP identification and the restrictions to data access mandated by PSD2 (Article 31 – Access interface options), b) If an ASPSP decides to make a dedicated interface they have to make the above changes as well as a fallback option to TPPs (Article 33 – Contingency measures for a dedicated interface). Whilst the Final RTS was published by the EBA on 23 Feb 2017, in a controversial move, the European Commission disagreed with parts of it and announced its intention to amend the text.
Unplanned unavailability or a systems breakdown may be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services are not replied to within 30 seconds.”, TPPs will be “allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment service provider, until the dedicated interface is restored”. What is sure is that the publication of the final RTS is definitely not the end of the discussions on RTS of SCA and CSC. the lengthy consultations they ended up publishing it in February 2017. Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (SCA-RTS) (Text with EEA relevance). With today's Opinion, the EBA exercises its competence under Article 10 of the EBA Founding Regulation (Regulation (EU) No 1093/2010), which mandates the EBA to deliver an Opinion on the Commission's proposed amendments to the RTS as well as revised RTS within six weeks of receiving the EC's letter. Even more contentious is the option for national competent authorities to exempt ASPSPs from ‘setting up’ this backup measure. In particular, one of the key concerns addressed by these final draft RTS relates to the exemptions from the application of strong customer authentication on the basis of the level of risk involved in the service provided; the amount and recurrence of the transaction; and the payment channel used for the execution of the transaction.
The EBA issued the Opinion in accordance with Article 29(1)(a) of its Founding Regulation, which mandates the Authority to play an active role in building a common Union supervisory culture and consistent supervisory practices, as well as in ensuring uniform procedures and consistent approaches throughout the Union. More specifically, the Opinion clarifies that ASPSPs are the party that should choose whether to use a QSealC or a QWAC for identification purposes, because they are providing the interface and ensuring the security of the communication. The RTS, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify the requirements of the strong customer authentication; exemptions from the application of these requirements; requirements to protect the user's security credentials; requirements for common and secure open standards of communication; and security measures between the various types of providers in the payments sector. are based on the OAuth standard, which is based on the concept of redirection. This brief note provides a summary of the last remaining points that were so actively debated during the course of the summer. In particular, whether screen scraping should be permitted in addition to or as an alternative to APIs. Not unsolvable, but not too clear and obvious. Article 33 says: ASPSPs must ensure that TPPs “can be identified and can rely on the authentication procedures provided by the account servicing payment service provider to the payment service user.” Dutch Payments Association / Currence iDEAL B.V.
European Association of Payment Service Providers for Merchants, EPSM, European Payment Institutions Federation (EPIF), FNTC - Fédération des Tiers de Confiance / Federation of Trusted Third Parties, Interessengemeinschaft Kreditkartengeschäft (IK), Payments UK, FFA UK, UK Cards Association, Univ. Finally, in order for all payment service providers (PSPs) to be in a position to rely on the eIDAS certificates, the Opinion identifies a few measures that competent authorities may apply, including by requesting the revocation of certificates issued to a PSP that has had its authorisation withdrawn. The RTS set out the SCA requirements and exemptions. This contingency measure is basically access to accounts using customer credentials (which is screen scraping). When publishing the Opinion in June, the EBA announced that, in order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, it would communicate later in 2019 the deadlines for the completion of the SCA migration plans, which today's Opinion provides. The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The exemption on transaction risk analysis is linked to a predefined level of fraud and is subject to an 18-month review clause after the application date of the RTS.