Latest PSR and EBA Papers on Access and Security Requirements

Overview

The UK Payment Systems Regulator (PSR) has launched a discussion paper on the use of data in the payments industry. As non-cash methods of payments increase, the amount of payments data being generated is also increasing. Who has access to that data has considerable implications on the development of the payments market, whether for customer security or on the system innovation side of the payment transaction.

In the same week, the European Banking Authority (EBA) published papers proposing standards for strong customer authentication and common and secure communication (SCA and CSC). These standards are intended to regulate the access to customer payment account data under the second Payment Services Directive (PSD2).

PSR on Data in the Payments Industry

In its discussion paper (DP18/1) launched on 12 June 2018, the PSR explains that payments-related data is becoming increasingly important and its use is growing fast. The PSR wants to better understand what role it might play to make sure new uses of data work well for those who use payment systems. The paper follows research completed during the PSR’s scoping exercise and information presented by the Payments Strategy Forum.

The PSR particularly wants to hear about how changes in data use could have an impact on its objectives and where it could develop policies or take action to unlock benefits for end users or reduce risks where appropriate. The discussion paper closes on 3 September 2018.

What is the PSR looking at?

The PSR has identified three key areas that could directly affect its objectives:

  • Concerns about sharing data: Some people may have concerns about sharing with third party companies the data attached to their payments. This could slow the development of innovative products and services, meaning those using payment systems may be less likely to see the benefits.
  • Limited access to data: Potential providers of new services may have limited access to data about transactions across a whole payment system, including data needed to develop new industry anti-money laundering and anti-fraud measures.
  • Barriers to enhanced data: There are potential barriers stopping customers and businesses getting the benefits from additional enhanced data attached to transactions. This data could make processing payments cheaper and more efficient, leading to cheaper services.

The PSR has also identified issues that could affect its objectives indirectly such as market competition and technological change.

Data protection provisions under GDPR and PSD2 are changing the existing landscape and giving customers greater control over how their data is processed and shared. These, along with new requirements on access to account data, are increasingly levelling the playing field within the payments sector, creating the opportunity for innovative new payment methods and players.

EBA Views on SCA and CSC

On 13 June 2018, the EBA published an opinion (EBA-Op-2018-04) and a consultation paper (EBA/CP/2018/09). These papers are intended to clarify issues in relation to the PSD2 regulatory technical standards (RTS) on SCA and CSC which will apply from 14 September 2019.

Opinion on the implementation of the technical standards

The Opinion sets out the EBA’s views in key areas including

  • exemptions to SCA,
  • consent,
  • the scope of data sharing, and
  • requirements for Application Programming Interfaces (APIs) and dedicated interfaces.
  • It comes at a time when industry participants are having to develop or amend systems, hardware and software – including, in the case of account services payment service providers (ASPSPs), building interfaces and infrastructures – to be compliant with the RTS by 14 September 2019.

The Opinion:

  • explains that the ASPSP should not check the consent of the payment service user who has contracted with an account information service provider, payment initiation service provider or card-based payment instrument issuer and that it is the ASPSP that applies SCA and decides whether to apply an exemption;
  • clarifies that when determining which method(s) to use for carrying out the authentication procedure, the ASPSP needs to ensure that all methods of SCA offered to its customers can be supported when using the API; and
  • provides a practical table specifying the exemptions available to payment service providers according to the payment instrument being used to execute the transaction.

The EBA explains that it will provide further clarification on interpretation of the technical standards by the end of June 2018.

Consultation on draft guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) RTS

Article 33(6) of the RTS provides an exemption from the requirement to have contingency measures. To the extent that ASPSPs wish to benefit from this exemption, they are required to provide a dedicated interface that meets four specified conditions.

The consultation paper proposes a pragmatic and consistent approach to these conditions that are required to benefit from the exemption. In particular, the draft guidelines aim to provide clarity for all parties involved (ASPSPs, national competent authorities and the EBA) in a practical way and allow competent authorities to carry out a speedy assessment, especially during the time when the bulk of the exemption requests will be received (i.e. in the period leading up to September 2019).

The consultation closes on 13 August 2018.