European Commission Adopts EBA/RTS

The long-awaited Regulation on strong customer authentication (SCA) has finally been agreed at Commission level and published (see Commission press release).

The Delegated Regulation (full text) sets rules on how account servicing payment service providers (ASPSPs – who are mainly banks) must ensure the security of customer data which is released to third-party providers (TPPs) under the PSD2. It also aims to improve competition in the market.

The text has adopted a compromise position on the difficult issue of screen-scraping. This will be preserved as a ‘fall-back’ but national authorities will be able to exempt banks from maintaining the fall-back interface as long as performance criteria for a dedicated TPP interface are met.

The European Parliament and Council still have 3 months to examine the text before final approval and publication in the Official Journal. It will then become final.

Main provisions:

  • The RTS will apply from Sept 2019.
  • Banks will have to either adapt their existing customer interfaces to comply with the RTS rules or build a new interface (in the UK, this will be using APIs through Open Banking).
  • All interfaces will be subject to a 3-month 'prototype' test and a 3-month 'live' test in market conditions. The test will allow market players to assess the quality of the interfaces.
  • The dedicated interface should offer the same level of availability and performance as the interface used by customers directly.
  • The dedicated interface will also have to comply with key performance indicators and service level targets These standards should be at least as stringent as those set for the online platforms used by customers.
  • The Commission will set up an expert group to review the quality of dedicated communication interfaces.
  • National authorities (FCA in the UK) will be able to exempt individual banks from setting up a fall-back mechanism BUT:
    • They must consult with EBA
    • If the dedicated interface falls below standard for more than two consecutive weeks, the NCA can revoke the exemption. Then the NCA must require the bank to establishes an automated fall-back mechanism in the shortest time possible, and within 2 months at the latest.

Transition period: The PSD2 comes into effect on 13 Jan 2018 and the RTS in Sept 2019. In this period, banks must adapt their systems. The Commission is clear that TPPs will be able to continue to use screen-scraping during this time.

Share this

FROM SOCIAL MEDIA

All four providers have launched 5G in some form but what does this mean for consumers and enterprise? https://t.co/CjrqXUUY5r
techUK comments on the revised Withdrawal Agreement and Political Declaration here: https://t.co/tCRAwMvsoa https://t.co/CrCbI5AcQ1
Check out all the pics from the #techUKJES reception 2019 on our Flick account https://t.co/8yhFDeIV54 A big thank… https://t.co/Y2ScJVBuJg
@TheABB @ChannelSwimSue @TheABB There is a direct link to the report here: https://t.co/tQM0drjyuy. We are a member… https://t.co/Iz2DAxr9hO
Take part in the @DigiLeaders Insight Live Week from the 4-8 November featuring techUK's @ChannelSwimSue with a web… https://t.co/EQPbbZYD0N
Become a Member
×

Become a techUK Member

By becoming a techUK member we will help you grow through:

Click here to learn more...