Out-Law News

Row deepens over PSD2 customer authentication and secure communication standards
The European Banking Authority (EBA) has been urged to reject proposals put forward by the European Commission on the way new regulatory technical standards on strong customer authentication and common and secure communication should be framed.

The regulatory technical standards (RTS) are designed to implement provisions contained in the EU's revised Payment Services Directive (PSD2) and govern the way in which traditional payment services, like bank account providers, interact with new third party financial technology (fintech) services – specifically payment initiation service providers (PISPs) and account information service providers (AISPs) – that make it easier for consumers to make payments and review information about their payment accounts.

The EBA is tasked, under PSD2, with developing the RTS on strong customer authentication and common and secure communication, but ultimately the Commission has the final say over them and their implementation.

In February, the EBA set out its final proposals on the issue, which included a recommendation to prohibit screen scraping on security grounds.

To enable PISPs and AISPs to exercise their rights, under PSD2, to access payment account information to service customers, the EBA said banks and other payment service providers (PSPs) should be obliged to facilitate their access to payment account information through either the same interfaces they use for engaging with customers, or through a separate "dedicated interface". 

However, the European Commission wrote to the EBA in May (31-page / 280KB PDF) to inform it that it intended to amend the RTS that the EBA had recommended and to seek its further response.

The Commission's proposals, if adopted, would require any 'dedicated interface' to offer "the same level of availability and performance, including support, as the interfaces made available to the payment service user for directly accessing its payment account online".

Its plans set out a range of further obligations on how to ensure this, including requirements for PSPs to monitor the availability and performance of the dedicated interface and to provide for a contingency whereby PISPs and AISPs would be able to get the information they require by using the PSPs' own customer interface as a fall back in the event that the dedicated interface was unavailable for more than 30 seconds at any one time or otherwise underperforming.

However, the Commission's proposals have been criticised by two banking industry bodies.

In a recent position paper (10-page / 306KB PDF) on the issue, the European Savings and Retail Banking Group (ESBG) and the European Association of Co-operative Banks (EACB) said they were "deeply concerned" about the Commission's 'fall back' proposals and called on the EBA to "reject" them.

The groups raised a number of concerns regarding the proposals, including that the fall back scheme would not work in practice due to the way "online banking architecture" works. They also said the proposals were "totally askew with the many resilience and business continuity obligations already placed on and observed" by account servicing PSPs, and further bemoaned the additional cost burdens that banks would face in providing for the fall back system. They also raised concerns relating to data security and privacy.

The ESBG and EACB said: "The fall back option can be considered the same as mandating that a secure vault needs to be equipped with an easy to open security door for cases that the secure front door is not working properly. In addition to this the easy access door is very expensive to install and maintain and will duplicate the access cost for the vault owner. It goes without saying that this is not acceptable and that this is in fact one step back."

The European Banking Federation (EBF) previously urged the European Commission to "fully endorse" the EBA's proposals. 
