On 27 November, the EU Commission finally published the much anticipated RTS on Strong Customer Authentication & Secure Communications (SCA & SC). Whilst this text has now been adopted by the Commission, it still needs to be approved by the EU Council and Parliament before it is formally published in the Journal of the EU and will then take effect. This brief note provides a summary of the last remaining points that were so actively debated during the course of the summer.

The final adopted text can be downloaded here and the annexe here. The full set of documentation including press release and FAQs are available here.

Just to recap, the revised EU Directive on payment services, otherwise known as PSD2, entered into force on 12 January 2016 and will apply as of 13 January 2018. PSD2 conferred 11 mandates on the European Banking Authority (EBA). One of these relates to the development of draft Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure and common communications (Article 98 of the PSD2) which covers the introduction of tough new security standards for electronic payments.

Whilst the Final RTS was published by the EBA on 23 Feb 2017, in a controversial move, the European Commission disagreed with parts of it and announced its intention to amend the text. On the 29 June 2017, the EBA subsequently published a response to the EC.

The controversy surrounded the so-called interfaces that banks will be required to develop and support to allow PIS and AIS to access accounts. In particular, whether screen scraping should be permitted in addition to or as an alternative to APIs.

The final amended text which the EU has now published addressed this topic as follows:

Screen scraping will not be permitted after the 18 month transition period. The RTS introductory text says:

With regard to the communication between ASPSPs, AISPs and PISPs, accordingly, the existing practice of third-party access without identification referred to in market jargon as ‘screen scraping’ or, mistakenly, as ‘direct access’ will no longer be allowed once the transition period under Article 115(4) PSD2 has elapsed and the RTS apply.

However, ASPSPs have essentially 12 months to develop their interfaces. The RTS requires that full documentation, as well as a testing facility, are made available to authorised PSPs at least 6 months prior to the end of the 18 month transition period. Article 30 says:

Account servicing payment service providers shall ensure that the technical specification of any of the interfaces is documented .and make the documentation available, at no charge” and make available a testing facility, including support, for connection and functional testing to enable authorised PSPs to test their software and applications…

Article 33 of the RTS continues the controversy over screen scraping. It essentially says that ASPSPs are required to develop a back up in case their interfaces breakdown (defined as 5 consecutive failed calls to the banks API within 30 seconds). This contingency measure is basically access to accounts using customer credentials (which is screen scraping). Article 33 says:

ASPSPs need to develop “contingency measures for the event that the [dedicated] interface does not perform … unplanned unavailability of the interface and that there is a systems breakdown. Unplanned unavailability or a systems breakdown may be presumed to have arisen when five consecutive requests for access to information for the provision of payment initiation services or account information services are not replied to within 30 seconds.”

And also says that:

TPPs will be “allowed to make use of the interfaces made available to the payment service users for the authentication and communication with their account servicing payment service provider, until the dedicated interface is restored

However, to avoid the anonymous nature of screen scraping, the RTS requires that ASPSPs develop a method to identify when TPPs are accessing customer accounts in this fashion. Article 33 says:

ASPSPs must ensure that TPPs “can be identified and can rely on the authentication procedures provided by the account servicing payment service provider to the payment service user.

Even more contentious is the option for national competent authorities to exempt ASPSPs from ‘setting up’ this backup measure. Article 33 says:

“Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism where the dedicated interface meets [certain] conditions.  

These conditions boil down to banks demonstrating to their national competent authority that their interface works to the extent that it has been successfully tested over a 3 month period. Article 33 says: 

The interface has been “widely used for at least three months by payment service providers”.

Many commentators have already pointed out that “ensuring consistent application” of the exemption conditions across all markets in the EEA is going to be challenging. It could arguable result in some multi-market banks being exempted in one market but not in others for exactly the same interface.

Conclusion

As mentioned in the introduction, the text still requires approval from the EU Council and Parliament and will then be formally published in the EU Journal. The 18 month transition period will only start at this point.  The EU fact sheet provides guidance that

Subject to the agreement of the Council and the European Parliament the RTS is due to become applicable around September 2019.”

During the transition phase, screen scraping will still be permitted – as mentioned in the RTS introductory text:

‘screen scraping’ or, mistakenly, as ‘direct access’ will no longer be allowed once the transition period under Article 115(4) PSD2 has elapsed and the RTS apply.

It is likely however that national authorities will develop further rules to be applied during the transition period. As I wrote in a previous post, the UK provides an example.