European Commission Adopts EBA/RTS

The long-awaited Regulation on strong customer authentication (SCA) has finally been agreed at Commission level and published (see Commission press release).

The Delegated Regulation (full text) sets rules on how account servicing payment service providers (ASPSPs – who are mainly banks) must ensure the security of customer data which is released to third-party providers (TPPs) under the PSD2. It also aims to improve competition in the market.

The text has adopted a compromise position on the difficult issue of screen-scraping. This will be preserved as a ‘fall-back’ but national authorities will be able to exempt banks from maintaining the fall-back interface as long as performance criteria for a dedicated TPP interface are met.

The European Parliament and Council still have 3 months to examine the text before final approval and publication in the Official Journal. It will then become final.

Main provisions:

  • The RTS will apply from Sept 2019.
  • Banks will have to either adapt their existing customer interfaces to comply with the RTS rules or build a new interface (in the UK, this will be using APIs through Open Banking).
  • All interfaces will be subject to a 3-month 'prototype' test and a 3-month 'live' test in market conditions. The test will allow market players to assess the quality of the interfaces.
  • The dedicated interface should offer the same level of availability and performance as the interface used by customers directly.
  • The dedicated interface will also have to comply with key performance indicators and service level targets These standards should be at least as stringent as those set for the online platforms used by customers.
  • The Commission will set up an expert group to review the quality of dedicated communication interfaces.
  • National authorities (FCA in the UK) will be able to exempt individual banks from setting up a fall-back mechanism BUT:
    • They must consult with EBA
    • If the dedicated interface falls below standard for more than two consecutive weeks, the NCA can revoke the exemption. Then the NCA must require the bank to establishes an automated fall-back mechanism in the shortest time possible, and within 2 months at the latest.

Transition period: The PSD2 comes into effect on 13 Jan 2018 and the RTS in Sept 2019. In this period, banks must adapt their systems. The Commission is clear that TPPs will be able to continue to use screen-scraping during this time.

Share this

FROM SOCIAL MEDIA

Don't miss our flagship public services conference #techUKSmarterState 2019 on 18 September! Learn about the future… https://t.co/TPKdKkTc2V
Sabina Ciofu (@SabinaCiofu), techUK's Head of EU Policy, looks at what new European Commission President Ursula von… https://t.co/gUGsMN8MR2
Bookings are now open for #Supercharging 2019! Join us on 06 November in Manchester where we'll be looking at the i… https://t.co/XZzMPEexQn
@craigmelson Programme Manager for Digital Devices, Environment and Compliance and Consumer Electronics, discusses… https://t.co/dptyFfIATo
@coada Managing Director UK & Ireland @googlecloud discusses how a multi-cloud approach can help businesses to capt… https://t.co/RsvG7tKgbi
Guest blog: Sundip Bhatnagara from @AccentureUK discusses how to unlock the trapped value in cloud. Take a read her… https://t.co/JMzoFQjVcA
Guest blog: Chris Cook at @Garnet8Ltd discusses how cloud computing can act as an enabler to maximise the value of… https://t.co/XYdcO1SHGN
techUK's Associate Director of Policy, Giles Derrington (@G_Derrington), looks at the new report into the impacts o… https://t.co/dLpIsfYXQn
As we prepare to leave the EU, we must ensure that the future immigration system reflects the needs of UK businesse… https://t.co/nn0l710zWp
Become a Member
×

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...