EC’s PSD2 regulatory technical standards set for 2019
By way of recap, the security measures outlined in RTS stem from two key objectives of PSD2: “ensuring consumer protection and enhancing competition”.
RTS introduces requirements that payment service providers (PSPs) “must” observe when they process payments or provide payment-related services.
In the context of competition and innovation, the RTS covers two new types of regulated service: the so-called payment initiation services and the account information services.
The Commission says it made some “limited substantive amendments” to the draft RTS submitted by the European Banking Authority (EBA). This was done to “better reflect the mandate of PSD2 and to provide further clarity and certainty to all interested parties”.
Strong customer authentication
According to the EC, RTS makes strong customer authentication (SCA) the basis for accessing one’s account, as well as for making payments online.
This means that to prove their identity users will have to provide at least two separate elements out of these three: something they know (a password or PIN code); something they own (a card, a mobile phone); and something they are (biometrics, e.g. fingerprint or iris scan).
All PSPs will need to be able to demonstrate that the security measures have been implemented, tested and audited. In the case of a fraudulent payment, consumers will be entitled to a full reimbursement.
In addition, the EC says PSD2 establishes a framework for new services linked to consumer accounts, namely payment initiation services and account information services. In this context, the RTS specifies the requirements for common and secure standards of communication between banks and fintech firms.
Consumers and companies will be able to grant access to their account data to third-party providers (TPPs) of payment-related services. These are, for example, payment initiation service providers (PISPs) and account information service providers (AISPs). TPPs are often fintech companies, but could also be other banks, according to the EC.
As reported in May, a group of fintech companies and associations asked for changes to PSD2 out of concern that it would make them technologically dependent on banks.
Banks can be exempted from setting up a fall-back mechanism if they put in place a “fully functional dedicated communication interface responding to the quality criteria defined by RTS”. The exemption is granted to individual banks by their national authorities, after consultation with the EBA.
In terms of the data TPPs can access, the EC explains that PSD2 prohibits TPPs from accessing any data in the customer’s account beyond what the customer has explicitly authorised.
Under the new rules, accessing customer data by screen scraping will no longer be permitted. (Screen scraping means accessing the data through the customer-facing interface using the customer’s own security credentials. Because the TPP logs in as the customer, it can access customer data without identifying itself to the bank.)
Banks will have to put in place a communication channel that allows TPPs to access the data they need in accordance with PSD2. The channel will also be used by banks and TPPs to identify each other when that data is accessed, and will allow them to communicate through secure messaging.
The RTS specifies the contingency safeguards that banks shall put in place if they decide to develop a dedicated interface.
There will be a transition period between the application date of PSD2 and the application date of the RTS. The EC says market players need this transition period to upgrade their security systems so that they meet the RTS requirements.
PSD2 will become applicable as of 13 January 2018, except for the security measures outlined in the RTS. These will become applicable 18 months after the date of entry into force of the RTS. Subject to the agreement of the Council and the European Parliament the RTS is due to become applicable around September 2019.