As pointed out in a previous post earlier this month, the EBA (European Banking Authority) published its final draft RTS (Regulatory Technical Standards) on SCA (strong customer authentication) on 22 Feb 2017. This followed a consultation period in which industry was invited to respond. The EBA received an unusually high volume of responses (more than 224) from stakeholders before the deadline in Oct 2016. In particular, concerns were raised about the added checkout friction that the SCA procedure would create for e-commerce merchants. In response, the final draft RTS (download the document here) includes key changes to the exemptions section, which are explained in the previous post.
Based on the feedback from stakeholders, it is also worth emphasising that the EBA took steps to ensure technological neutrality. Hence, in the final RTS, the EBA has “removed previous references to ISO 27001 and to other specific characteristics of strong customer authentication, so as better to ensure the technological neutrality of the RTS and to facilitate future innovations.” In other words, the RTS now specifies the security outcome SCA must achieve rather than naming particular standards or mechanisms for achieving it.
The EBA also previously decided against setting up a ‘governing entity’ that would “oversee the design, development and maintenance of an interface standard of communication” (i.e. a standard API to be used by banks to provide third parties with access to customer accounts). Such a governing entity would, for example, have “determined the features of the interface, the interoperability of the interface with other interfaces, the information to be exchanged, and the minimum technical and message formats requirements.”
In both of the above instances, the EBA resisted the temptation to set detailed rules and instead, like most regulators (including the UK’s FCA), followed a principles-based regulatory approach. Principles-based regulation means, “where possible, moving away from dictating through detailed, prescriptive rules and supervisory actions how firms should operate their business”, and instead “placing greater reliance on principles and outcome-focused, high-level rules as a means to drive at the regulatory aims to be achieved, and less reliance on prescriptive rules.” This of course makes sense. However, there is a view that the EBA has gone too far, and that some rules around common standards are in fact necessary to make a transformative piece of legislation like PSD2 work. Alternatively, setting up some kind of independent entity to make those decisions would, under the circumstances, also have been a pragmatic move. As it is, it is left to the stakeholder community (European banks and non-banks) to organise themselves to deliver the regulatory outcome PSD2 envisages, including harmonisation and interoperability. This is fine and can be done, but there is now a risk that, without clear regulatory guidance, any industry-wide collaboration may turn out to be a protracted affair and in the end fail to deliver the desired outcome.
Meanwhile, the UK took a slightly different approach. The Open Banking Working Group (OBWG) was set up directly by the UK government in 2015 with the aim of developing “a framework for adopting an open API standard across banking”. The OBWG, a collective of banking, open data and FinTech professionals, published its framework in Jan 2016 and is now working towards an agreed timetable to implement it. It says that,
Implementing the Open Banking Standard framework could significantly accelerate the implementation of new EU regulations on banking data. It would also place the UK in a strong position to lead the development of a similar international standard.
Separately and in parallel, the UK’s Competition and Markets Authority (CMA) has decided to set up an ‘Implementation Entity’ (IE) that will “undertake the work necessary for the adoption of common and open data, API and security standards.” The IE is made up of a formal Steering Group (or Board) drawn from the nine main retail banks, with an executive lead. The CMA’s remedies build upon the OBWG framework, so in effect the output from the OBWG will be an input into the CMA’s Implementation Entity. In contrast to the approach taken by PSD2/the EBA, this approach may in the end achieve the level of interoperability that in turn encourages competition, stimulates innovation and delivers customer choice. So, in a slightly ironic Brexit twist, in an effort to achieve the aims of PSD2 the European banking community may end up turning to the standard already defined by the OBWG in the UK. Time will tell. The CMA’s scope is, however, limited to bank accounts and doesn’t include card accounts. Below are some screenshots from the published Open Banking Standard framework, including the target API release schedule.