What has happened?
The European Commission has revealed its eagerly awaited regulatory technical standards (RTS) on strong customer authentication.
What does this mean?
The final position will have substantive effects on banks (and other account servicing payment service providers (ASPSPs)) and third-party providers (TPPs).
"The many months that it has taken to reach this point are testament to how difficult it has been for the European Banking Authority and the Commission to try to balance the competing interests of the banks (preoccupied with the security of their customers' data) and the TPPs (looking to protect the viability of their business models)," Jon Chertkow, Partner in Hogan Lovells' Payments Team, said.
The Commission has now ended months of uncertainty and confirmed that traditional screen scraping (where TPPs impersonate the customer) is banned.
However, screen scraping+ (where the TPPs can identify themselves to the banks as acting as TPPs) is allowed.
Banks will also be able to offer a dedicated interface of their choice, but with certain conditions applying.
The Commission developed a compromise solution, where TPPs will be allowed to use screen scraping+ as part of a contingency mechanism if the banks' dedicated interfaces do not perform as required. Where five consecutive TPP access requests are not responded to within 30 seconds, the contingency mechanism will have to be activated.
Various restrictions will apply to the use by TPPs of the contingency mechanism, for example around accessing, storing and processing data.
Exemption from screen scraping+ but conditions apply
National regulators can exempt banks from having to set up a contingency mechanism where their dedicated interface meets strict conditions.
Banks with dedicated interfaces will have to ensure that these function properly and do not unfairly restrict TPP access.
The technical specification for a bank’s dedicated interface must be made available to TPPs that have applied for authorisation at least six months before the RTS take effect (or before the interface launch date, if later), and a testing facility must be available six months before the interface launch date.
Banks must also ensure that their dedicated interfaces do not create obstacles to the provision of payment initiation and account information services.
In particular, the RTS specify that such obstacles “may include, among others”:
- preventing TPPs using customers’ security credentials;
- imposing redirection to the ASPSP’s authentication or other functions;
- requiring additional authorisations and registrations beyond those required by PSD2; and
- requiring additional checks of the consent given by payment service users.
However, the drafting leaves the position unclear: if a dedicated interface features one of the examples above, will it immediately be considered an obstacle?
John Salmon, partner in Hogan Lovells' FinTech Team, said:
"While it has been understood that the banks should not provide obstacles to the proper function of the TPPs and that the proviso for the dedicated interface makes sense, the purpose of the examples used is very unclear."
Remit of national regulators
The national regulators will revoke the exemption from screen scraping+ where the above conditions are not met for more than two consecutive calendar weeks. Banks then have two months to establish a contingency mechanism.
In reality, all banks that have put in place a dedicated interface (irrespective of whether an exemption applies) will have to have a contingency measure in place.
Those within the exemption will just benefit from a longer period before the contingency measure comes into play. A two-month wait for TPPs before they can use a contingency mechanism may severely threaten the viability of their business models.
The competent authorities now also have to ensure "that the provision of payment initiation services and account information services is not prevented or disrupted". However, it is not clear how regulators could ensure this and how this will work in practice.
John Salmon said:
"I think that the banks will welcome the ability to choose their own dedicated interface, which will enable them to implement the API infrastructure of Open Banking. It also seems a good result from the banks' perspective of not having to provide a contingency where the Financial Conduct Authority has agreed to exempt them from doing so. However, from a practical perspective, they are likely to be concerned about having to provide the contingency within two months of a problem occurring. From a TPP perspective there are likely to be concerns in relation to the two-month period."
What happens now?
The EU Council and Parliament have three months to object to the RTS (unless they have both informed the Commission of their intention not to raise objections).
If neither institution objects, the RTS will be published in the Official Journal of the EU and will enter into force on the following day.
It will apply 18 months after that date, so this is likely to be September 2019 at the earliest.