The payments industry is presently grappling with the EBA’s regulatory technical standards (RTS) on strong customer authentication (SCA) and common and secure communication (CSC) – understanding them, assessing their impact and working out how best to implement them. And the deadlines are now not far away, with the main deadline 14 September 2019, and certain provisions applying from 14 March 2019.
Helpfully, the EBA has recently (13 June 2018) published an Opinion on implementation of the RTS, which, while addressed to competent authorities, is also useful for PSPs, as it sets out supervisory expectations. In addition, the FCA has publicly stated its support for the Opinion.
On the same day, the EBA also published for consultation Guidelines on the conditions to be met to benefit from an exemption from the contingency measures PSPs are required to put in place in relation to dedicated interfaces for third party access.
In the Opinion, the EBA seeks to clarify issues surrounding the RTS in relation to CSC (between TPPs (CBPIIs, AISPs and PISPs) and ASPSPs) and SCA. It contains both general and specific comments, but focusses on those where clarity is required sooner to facilitate early readiness to comply with the RTS.
The EBA implies that there may be further clarifications, but that the primary source for these will be its Single Rulebook Q&A tool.
Key points in relation to CSC include the following:
- The dedicated interface provided by ASPSPs should ensure that TPPs can comply with all their obligations under PSD2. PSPs should therefore ensure that their interfaces permit this.
- ASPSPs do not need to check a user’s consent to the provision of AIS or PIS. The interface should therefore not include such a check.
- AISPs must be able to access the maximum amount of data available to PSUs.
- The data to be shared with an AISP/PISP must not include the PSU’s identity.
- A PISP has the right to initiate the same transactions that the ASPSP offers to its own PSUs, such as instant payments, batch payments, international payments, recurring transactions, payments set by national schemes and future-dated payments.
Key points in relation to SCA include the following:
- The exemptions are separate and independent from one another, and only one exemption needs to be applied for any given transaction, even if it could qualify for more than one.
- SCA applies only on a ‘best-effort’ basis for cross-border one-leg-out (OLO, non-EEA) transactions.
- The authentication method must use two elements from two different categories.
- For a device to be considered in possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.
- It is for the PSP that issues the personalised security credentials to determine whether or not to apply an exemption in the context of AIS or PIS.
- It is for an AISP or PISP to decide whether or not to perform authentication procedures for users to access their platforms (there is no SCA requirement otherwise).
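As an added illustration of the SCA points above (two elements from different categories, possession confirmed by a dynamic validation element, and only one exemption applied per transaction), here is a small Python model; it is not code from the EBA or any PSP, and its exemption predicates and the 30.0 threshold are constructed placeholders, not the RTS conditions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# PSD2 SCA element categories; two elements from two different categories are needed.
CATEGORIES = {"knowledge", "possession", "inherence"}

@dataclass(frozen=True)
class AuthElement:
    name: str
    category: str
    # Possession only: was a dynamic validation element generated on, or
    # received by, the device during this authentication?
    dynamic_validation: bool = False

def element_is_valid(el: AuthElement) -> bool:
    """A possession element counts only if possession was reliably confirmed."""
    if el.category not in CATEGORIES:
        return False
    if el.category == "possession":
        return el.dynamic_validation
    return True

def sca_satisfied(elements: List[AuthElement]) -> bool:
    """True when the valid elements span at least two different categories."""
    categories = {el.category for el in elements if element_is_valid(el)}
    return len(categories) >= 2

@dataclass(frozen=True)
class Exemption:
    name: str
    applies: Callable[[Dict], bool]

def select_exemption(txn: Dict, exemptions: List[Exemption]) -> Optional[str]:
    """Exemptions are independent: apply the first that fits and stop, never stack."""
    for ex in exemptions:
        if ex.applies(txn):
            return ex.name
    return None

# Constructed sample data (not from the Opinion). The exemption predicates and
# the 30.0 threshold are illustrative placeholders, not the RTS conditions.
SAMPLE_EXEMPTIONS = [
    Exemption("low_value", lambda t: t["amount"] < 30.0),
    Exemption("trusted_payee", lambda t: t.get("payee_trusted", False)),
]
PASSWORD = AuthElement("password", "knowledge")
APP_OTP = AuthElement("app_otp", "possession", dynamic_validation=True)
DEVICE_ID = AuthElement("static_device_id", "possession")  # no dynamic element
```

Note that a static device identifier alone never counts as possession here, and two possession elements (even both dynamic) still fail the two-category test.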
The EBA published for consultation draft Guidelines on the conditions to be met under Article 33(6) of the RTS. This provision allows ASPSPs to be exempt from having contingency measures (a “fall-back”) in place in case their dedicated interface for TPP access (by PISPs, AISPs and CBPIIs) fails.
The consultation period runs until 13 August 2018. It is expected that the EBA will publish the final Guidelines in Autumn 2018. The draft Guidelines are focussed on these conditions, but also on the practical difficulty of ASPSPs seeking exemption prior to September 2019, ahead of the RTS themselves applying.
One area the draft Guidelines helpfully clarify is the ability of ASPSPs to show “wide usage” of the interface at a time when PSPs are only required to have specifications and testing facilities in place (as ASPSPs are effectively required to seek exemption at a time when the core requirements are not yet in place, i.e. pre-September 2019).
In this respect, the draft Guidelines effectively require the ASPSP to prove that it has taken all necessary steps for the interface to be made available and operationally used, with evidence to be provided to the FCA to include how it has communicated the availability of the testing facilities via appropriate channels, including where relevant “the website of the ASPSP, social media, industry trade bodies, conferences and direct engagement with known market actors”.
The draft Guidelines anticipate numerous reporting and notification obligations on ASPSPs. Compliance teams will therefore need to familiarise themselves with the draft Guidelines, and develop the necessary systems and controls in order to achieve compliance.
In addition, exemption from the fall-back obligation may be revoked if certain conditions are not met for more than two consecutive calendar weeks, which necessitates on-going monitoring.
FCA endorsement of the EBA Opinion and draft Guidelines
On 22 June 2018, the FCA published a short statement expressing support for the views contained in the Opinion and draft Guidelines, and encouraging firms and application programming interface (API) initiatives to consider these views.
Within this statement, the FCA confirmed that it plans to consult on changes to its guidance and rules to reflect the RTS, Opinion and draft Guidelines during the summer. This will clearly be key to firms’ implementation plans.