The European Banking Authority (EBA) criticised proposals the Commission set out late last month which relate to new regulatory technical standards (RTS) envisaged under the EU's revised Payment Services Directive (PSD2).
The RTS on strong customer authentication and common and secure communication will, among other things, shape how banks and other payment service providers (PSPs) that hold accounts on behalf of customers give access to information from those accounts to other businesses in the market, specifically payment initiation service providers (PISPs) and account information service providers (AISPs), when customers request services from those businesses.
PISPs and AISPs, which are often third party financial technology (fintech) companies, have been offering new ways for consumers to make payments and review information from their payment accounts. PSD2, which will have application through national legislation across the EU from 13 January 2018, has been developed to enhance the rights of those businesses while at the same time maintaining standards on data security and integrity of systems.
In this regard, PSD2 specifically tasked the EBA with developing RTS on strong customer authentication and common and secure communication. In February, the EBA set out its final proposals on the issue, which included a recommendation to prohibit screen scraping on security grounds. Screen scraping has been relied upon as a means by which fintechs could gather the information they need to provide services to the customers of PSPs.
Under the EBA's plans, account servicing PSPs would be obliged to facilitate access to payment account information for PISPs and AISPs through either the same interfaces they use for engaging with customers, or through a separate "dedicated interface".
However, the Commission, which has the final say over the RTS and their implementation, put forward amendments to the EBA's proposals which, if introduced, would place additional obligations on account servicing PSPs in terms of the right to access customer account information they would need to provide to PISPs and AISPs.
The Commission said that, if planning to offer a 'dedicated interface' for PISPs and AISPs to use, account servicing PSPs would need to ensure that those businesses could use its own interface for servicing customers as a fall back in the event that the dedicated interface was unavailable for more than 30 seconds at any one time or otherwise underperforming.
The Commission's 'fall back' proposals were heavily criticised by industry bodies the European Savings and Retail Banking Group (ESBG) and the European Association of Co-operative Banks (EACB). Now, the EBA has published an opinion (12-page / 508KB PDF) in response to the Commission's proposed amendments to its RTS which also raised concerns with the plans.
The EBA said the Commission's 'fall back' requirements would go further than what PSD2 requires it to provide for, and that it is "also sceptical about the extent to which the proposed amendment would achieve the desired objectives and efficiently address market concerns".
The EBA said the measure would increase costs for businesses, fail to improve technical reliability and not accord with the "security requirements" set out in PSD2. In addition, the Commission's plans would be "extremely difficult to supervise" and would make it "very difficult for consumers to understand the multiplicity of ways in which they could access their account information … and therefore to understand the implications of giving consent", it said.
The Commission's proposals would also compromise the development of application programming interfaces (APIs), which are seen as the primary mechanism for helping to link systems operated by different businesses in the market, and put new entrants to the market at a competitive disadvantage, the EBA said.
The EBA set out new proposals (30-page / 440KB PDF) which would remove the requirement on account servicing PSPs to provide for a 'fall back' in the way envisaged by the Commission. It confirmed its view that screen scraping under PSD2 "would not be compliant".
Instead, the EBA said the final RTS should require account servicing PSPs to "define transparent key performance indicators" for the dedicated interface they provide. It said those PSPs should "abide by at least the same service level targets" as they set for their own customer interface in relation to "both the availability and the performance of the interface". The PSPs should also apply "qualitative measures to assess whether or not they are doing so".
The EBA said the PSPs should also "monitor and publish their availability and performance data on a quarterly basis", make their interfaces available for testing prior to the RTS taking effect and open the interfaces up for review 18 months after the RTS have been in operation.
If the Commission pushes through the changes it has suggested to the RTS on strong customer authentication and common and secure communication, it might act beyond the powers given to it, the EBA suggested.
"The EBA notes that … it was the intention of the EU legislators that technical standards would be subject to amendment by the Commission if they were incompatible with Union law, did not respect the principle of proportionality or ran counter to the fundamental principles of the internal market for financial services as reflected in the acquis of Union financial services legislation," the EBA said. "The EBA is of the view that some of the suggested amendments as currently drafted are not prompted by one of those circumstances."
It is now up to the Commission to make a final decision on the substance of the new standards. The standards, once finalised, will be published in the Official Journal of the EU and enter into force the day after that happens. The standards will not, however, apply until 18 months after that date.