Out-Law News 2 min. read
14 Nov 2016, 12:56 pm
In August the EBA proposed new regulatory technical standards (RTS) on strong customer authentication as part of its mandate to set such standards under the new Payment Services Directive (PSD2). PSD2 came into force earlier this year and will need to be implemented into national laws across the EU by 13 January 2018.
PSD2 generally requires PSPs to apply "strong customer authentication" where organisations or consumers try to access their payment accounts online, initiate an electronic payment transaction or "carries out any action through a remote channel which may imply a risk of payment fraud or other abuses".
Those provisions also apply to cases where payments are initiated through payment initiation service providers (PISPs) or where account holders request information about their accounts via an account information service provider (AISP). PSD2 imposes data security obligations on PSPs to account for such third party interactions with the accounts they manage and PSPs must also ensure that PISPs and AISPs can rely on the strong customer authentication measures deployed by a PSP to deliver their services.
In its proposed new standard, the EBA said PSPs should be free to decide whether to enable payments or account access via a "dedicated interface", which would be a common interface for the industry as a whole to use for that purpose, or via their own online banking interface. Whichever interface PSPs choose would have to be based on common and open standards and ensure "an appropriate level of interoperability of different technological communication solutions".
However, in a letter to the EBA on behalf of the European Parliament (4-page / 330KB PDF), MEPs Markus Ferber and Antonio Tajani said: "The EP negotiating team supports direct access by payment initiation service providers (PISPs) and account information service providers (AISPs) to the payer's account without being required by the account servicing payment service provider (ASPSP) to use a particular business model, whether based on direct or indirect access for the provision of their service."
Feber and Tajani expressed concern about the plans for a 'dedicated interface'. It "bears the risk of giving to ASPSPs the possibility to exclude or limit direct access to the payer's account via existing online-banking facilities", they said.
"A mandatory 'dedicated interface' would be against the principle set out in … PSD2, which mandates EBA to develop RTS in order to secure and maintain fair competition among all payment service providers and to ensure technology and business-model neutrality," the MEPs said in their letter.
Feber and Tajani said the Parliament wants the EBA to ensure that PISPs and AISPs can obtain direct access to accounts "via all the customer-facing interfaces" provided by ASPSPs "at all times".
The EBA must also ensure that ASPSPs adhere to the PSD2 rules regarding their engagement with PISPs and AISPs to enable their secure access to accounts when those firms use the ASPSPs' own interfaces, they said.
In addition, the EBA's final standard should require ASPSPs to make it "technically possible for PISPs and AISPs to rely on the authentication procedures" they themselves provide to account holders, the MEPs said.