The European Banking Authority (EBA) has published a letter from the European Parliament’s PSD2 negotiating team. The team describes itself as “concerned” about the risk that the EBA’s draft Regulatory Technical Standards (RTS) on “strong customer authentication and … secure communications” will allow the banks to “exclude or limit direct access” by account information and payment initiation service providers (AI&PISPs) to customer payment accounts, using existing online banking facilities.
The negotiating team also criticizes the draft RTS for being “unclear” and “inconsistent with the Level 1 legislation“, before noting that “with regard to contactless payments … a future proof solution is necessary“, and “when defining the thresholds for an exemption, any negative impact on firms should be duly taken into account“.
Recital 93 to PSD2 describes a world in which AI&PISPs can provide their services “with the consent of the account holder“, “without being required by [his bank] to use a particular business model” to do so.
Article 98 of PSD2 requires the EBA to prepare RTS on “the requirements of … strong customer authentication … and secure open standards of communication” between AI&PISPs and banks. It also requires the EBA to develop its RTS “in order to … secure and maintain fair competition among all payment service providers“, and “ensure technology and business model neutrality“.
However, in its Consultation Paper on the draft RTS, the EBA explains that the banks “generally favour communication via a dedicated interface, i.e. not via the online banking interface made available to the account holder“; and the AI&PISPs “are generally not against [this]“.
So, article 19 of the draft RTS only requires banks offering online payment accounts to offer “at least one communication interface” as well, but that’s all.
The European Parliament’s negotiating team argues that:
- this “so-called mandatory ‘dedicated interface’ … bears the risk of giving [the banks] the possibility to exclude or limit direct access to the payer’s account via existing online-banking facilities”;
- “a mandatory ‘dedicated interface’ would be against the principle set out in Art. 98 … which mandates [the] EBA to develop RTS in order to secure and maintain fair competition … and to ensure technology and business-model neutrality“; and
- the RTS “will have to ensure that [AI&PISPs] can use at all times direct access via all the customer-facing interfaces’ of the [bank]“.
Separately, the negotiating team argues that:
- the strong customer authentication exemptions in the draft RTS need to be clearer – for example, “it should be clarified whether such exemptions should be regarded as optional or mandatory“;
- “when defining the thresholds for an exemption, any negative impact on firms should be duly taken into account“;
- “according to the draft RTS no risk-based analysis would be possible outside of the very narrow set of exemptions listed by [the] EBA. The [EP] judges this approach as inconsistent with the Level 1 legislation, where such restriction is not foreseen“; and
- the maximum limits for contactless payments should be increased, to introduce at least a degree of future proofing.
More to follow …