The long-awaited Regulation on strong customer authentication (SCA) has finally been agreed at Commission level and published (see Commission press release).
The Delegated Regulation (full text) sets rules on how account servicing payment service providers (ASPSPs – who are mainly banks) must ensure the security of customer data which is released to third-party providers (TPPs) under the PSD2. It also aims to improve competition in the market.
The text has adopted a compromise position on the difficult issue of screen-scraping. This will be preserved as a ‘fall-back’ but national authorities will be able to exempt banks from maintaining the fall-back interface as long as performance criteria for a dedicated TPP interface are met.
The European Parliament and Council still have 3 months to examine the text before final approval and publication in the Official Journal. It will then become final.
- The RTS will apply from Sept 2019.
- Banks will have to either adapt their existing customer interfaces to comply with the RTS rules or build a new interface (in the UK, this will be using APIs through Open Banking).
- All interfaces will be subject to a 3-month 'prototype' test and a 3-month 'live' test in market conditions. The test will allow market players to assess the quality of the interfaces.
- The dedicated interface should offer the same level of availability and performance as the interface used by customers directly.
- The dedicated interface will also have to comply with key performance indicators and service level targets These standards should be at least as stringent as those set for the online platforms used by customers.
- The Commission will set up an expert group to review the quality of dedicated communication interfaces.
- National authorities (FCA in the UK) will be able to exempt individual banks from setting up a fall-back mechanism BUT:
- They must consult with EBA
- If the dedicated interface falls below standard for more than two consecutive weeks, the NCA can revoke the exemption. Then the NCA must require the bank to establishes an automated fall-back mechanism in the shortest time possible, and within 2 months at the latest.
Transition period: The PSD2 comes into effect on 13 Jan 2018 and the RTS in Sept 2019. In this period, banks must adapt their systems. The Commission is clear that TPPs will be able to continue to use screen-scraping during this time.